JP7771006B2 - Data processing path management system and data processing path management method - Google Patents

Description

The present invention relates to an information processing system that manages Internet of Things (IoT) devices such as sensor devices and actuators, and collects and controls data from the IoT devices. In particular, the present invention relates to an IoT system that handles a huge number of IoT devices. Note that hereinafter, IoT devices will be referred to simply as devices.

Recently, with the spread of fifth-generation mobile communications systems (5G), there have been advances in communication speeds, capacity increases, enhanced security through the use of slicing, and Quality of Service (QoS) guarantees. In addition, the number of IoT devices is rapidly increasing, leading to an expansion of automated control and monitoring of various devices and equipment.

The first characteristic of IoT systems is access from a large number of devices. Furthermore, the services provided are diversifying, and the devices are also diverse. Therefore, it is desirable for IoT systems to be able to support services with different security requirements and devices with different vulnerability levels.

Patent document 1 discloses a method for calculating a terminal's vulnerability score and performing access control based on the vulnerability score when connecting to a secure network.

JP 2019-83478 A

IoT systems that connect via external networks are constantly exposed to attacks, and devices require continuous updates to protect against vulnerabilities. In particular, for services such as autonomous driving, robust security for communication routes and information processing resources is necessary to prevent equipment malfunctions.

In Patent Document 1, access to a secure network is determined based on a vulnerability score calculated for each device. While this protects system resources, it does not take into consideration the convenience of system users. Older devices that cannot be protected from vulnerabilities will not be able to connect, which could require a large number of devices to be updated all at once. Furthermore, access control is limited to two options: connectable or not, and processing for devices after connection is uniform, making it difficult to respond to the vulnerability level of each individual device.

The present invention was made in light of this background, and one objective of the present invention is to provide technology that ensures security in IoT systems, improves user convenience, and facilitates the management of large numbers of devices.

A preferred aspect of the present invention is a data processing path management system that controls the data processing paths for an information processing system that includes an information processing resource and a data transmission/reception path, and is equipped with a function for the information processing resource to receive data via the data transmission/reception path from a device connected via a network, and a function for the information processing resource to provide a service using the information processing resource, wherein the information processing resource and data transmission/reception path are logically or physically divided into multiple data processing paths, and each data processing path has a different security function configured, and wherein the information processing device manages security requirement information that associates the required security functions with combinations of the service and the device attributes, and selects the data processing path based on the security requirement information.

Another preferred aspect of the present invention is a data processing path management method for controlling a data processing path in an information processing system that includes an information processing resource and a data transmission/reception path, and is equipped with a function for the information processing resource to receive data via the data transmission/reception path from a device connected via a network and a function for providing a service by the information processing resource, wherein the information processing resource and the data transmission/reception path are logically or physically divided into multiple data processing paths, and each data processing path has a different security function configured, in which an information processing device manages security requirement information that associates the required security functions with combinations of the service and device vulnerability information, which is an attribute of the device, and selects the data processing path based on the security requirement information.

We can provide technology that ensures security in IoT systems, improves user convenience, and simplifies the management of large numbers of devices.

1 is a block diagram showing a schematic configuration of an information processing system. FIG. 2 is a block diagram illustrating an example of a data processing path. FIG. 1 is a block diagram showing an example of an information processing device that can be used as a component of an information processing system. FIG. 2 is a functional block diagram showing an overview of functions and data of the integrated management device. FIG. 2 is a functional block diagram showing an overview of functions and data of a device management apparatus. FIG. 10 is a table illustrating an example of attribute information data of a device. FIG. 2 is a functional block diagram showing an overview of functions and data of the data processing path management device. FIG. 10 is a table illustrating an example of data processing path attribute information data. FIG. 10 is a table showing an example of service status information data of a device. FIG. 2 is a functional block diagram showing an overview of functions and data of the service management device. FIG. 10 is a table showing an example of security requirement information data. FIG. 2 is a functional block diagram showing an overview of the functions and data of the security device. FIG. 10 is a table illustrating an example of setting information data. FIG. 1 is a functional block diagram showing an overview of the functions and data of an IoT device GW. FIG. 2 is a functional block diagram showing an overview of functions and data of a data storage device. FIG. 2 is a functional block diagram showing an overview of functions and data of the data processing device. FIG. 2 is a functional block diagram showing an overview of functions and data of an application device. FIG. 10 is an image diagram showing an example of a management screen. FIG. 10 is an image diagram showing an example of a management screen for data processing paths. FIG. 10 is an image diagram showing an example of a management screen for data processing paths. FIG. 10 is an image diagram showing an example of a management screen for data processing paths. FIG. 10 is an image diagram illustrating an example of a service management screen. FIG. 10 is an image diagram illustrating an example of a service management screen. FIG. 10 is an image diagram illustrating an example of a service management screen. FIG. 10 is an image diagram showing an example of a device management screen. FIG. 10 is an image diagram showing an example of a device management screen. FIG. 10 is an image diagram showing an example of a device management screen. FIG. 10 is an image diagram showing an example of a management screen of the security device. FIG. 10 is an image diagram showing an example of a management screen of the security device. FIG. 10 is a sequence diagram illustrating message processing. FIG. 10 is a sequence diagram showing a process of moving a data processing path. 10 is a flowchart showing a route movement process in the integrated management device. 10 is a flowchart illustrating a route movement process in the device. FIG. 10 is a sequence diagram showing a route movement process based on a service request from a device. 10 is a flowchart showing a process of reviewing a data path in response to an update of a security requirement of a service. FIG. 10 is an image diagram showing an example of a data processing path change screen. 10 is a flowchart illustrating a process for a device when an abnormality is detected. 10 is a flowchart showing processing on a data processing path when a large amount of abnormality is detected. 10 is a flowchart showing a process of evacuating normal devices when a large number of abnormalities are detected;

The following describes an embodiment of the present invention based on the drawings. However, the present invention should not be interpreted as being limited to the description of the embodiment shown below. Those skilled in the art will readily understand that the specific configuration can be modified without departing from the spirit or intent of the present invention.

In the configuration of the embodiments described below, the same parts or parts with similar functions are designated by the same reference numerals in different drawings, and duplicate descriptions may be omitted.

When there are multiple elements with the same or similar functions, they may be described using the same reference numeral with different subscripts. However, when there is no need to distinguish between multiple elements, the subscripts may be omitted.

In this specification, terms such as "first," "second," and "third" are used to identify components and do not necessarily limit the number, order, or content. Furthermore, numbers used to identify components are used context-specifically, and numbers used in one context do not necessarily indicate the same configuration in another context. Furthermore, this does not prevent a component identified by a certain number from also fulfilling the function of a component identified by another number.

The position, size, shape, range, etc. of each component shown in the drawings, etc. may not represent the actual position, size, shape, range, etc. in order to facilitate understanding of the invention. Therefore, the present invention is not necessarily limited to the position, size, shape, range, etc. disclosed in the drawings, etc.

The publications, patents, and patent applications cited herein are incorporated by reference in their entirety into this specification.

In this specification, elements referred to in the singular include the plural unless the context clearly indicates otherwise.

In one embodiment, an information processing system is disclosed that includes one or more information processing resources and one or more data transmission/reception paths, and has the function of receiving data from one or more devices connected via a network and the function of providing services to the devices. The information processing resources and data transmission/reception paths are logically or physically divided into one or more data processing paths, and each data processing path has a function of managing the data transmission/reception path and information processing resources, and different security functions set for each data processing path.

A representative example described in the embodiments is a data processing path management method for controlling data processing paths in an information processing system that includes information processing resources and data transmission/reception paths, and is equipped with the functions of the information processing resources receiving data via the data transmission/reception paths from devices connected via a network and providing services using the information processing resources, in which the information processing resources and data transmission/reception paths are divided into multiple data processing paths and different security functions are set for each data processing path. This method manages security requirement information that associates the required security functions with combinations of service and device vulnerability information, and selects a data processing path based on the security requirement information.

Data processing paths can be dynamically selected and changed while the information processing system is running. For example, using an integrated management device and a data processing path management device, the integrated management device instructs the data processing path management device on the data processing path it has selected, and the data processing path management device performs switching processing to switch from the first data processing path to the second data processing path.

In a specific example, the system also manages data processing path attribute information that associates available security functions with data processing paths, and device attribute information that associates vulnerability information with available services for devices. Triggered by a change in at least one of the device attribute information, data processing path attribute information, and security requirement information, the system selects a data processing path based on the security requirement information and switches the data processing path used by the device.

The first embodiment will be described using Figures 1 to 27. In this embodiment, an example will be described in which information is collected from multiple devices and services are provided in an information processing system 101 having multiple information processing devices.

In this embodiment, the data transmission/reception paths and information processing resources between the device and the information processing system are logically or physically separated into one or more paths. The data processing path includes and manages one or more separated data transmission/reception paths and one or more information processing resources. In addition, different security functions are installed for each data processing path. Data collection from the device and service provision to the device are performed using a data processing path that matches the device's vulnerabilities and the service's security requirements.

Figure 1 shows an example of the schematic configuration of an information processing system 101 in this embodiment. In this example, the information processing system 101 is constructed on a cloud 117. The information processing system 101 includes, for example, an IoT device gateway (GW) 111, an integrated management device 102, a device management device 103, a data processing path management device 104, a service management device 105, a security device 106, a data storage device 107, a data processing device 108, and an application device 109, and is connected to devices 114 via the Internet 112 and a carrier network (hereinafter referred to as carrier NW) 113.

The IoT device GW 111 (hereinafter referred to as IoT device GW), integrated management device 102, device management device 103, data processing path management device 104, service management device 105, security device 106, data storage device 107, data processing device 108, and application device 109 are connected via a communication network 110.

The information processing system 101 sends and receives data to and from the device 114 via the IoT device gateway 111, and performs various processes and services based on the received data. Note that this configuration is merely an example, and instead of the Internet 112 or the carrier network 113, for example, a dedicated line, optical fiber, a LAN (Local Area Network), or a WAN (Wide Area Network) may be used. Furthermore, the information processing system 101 does not necessarily need to be configured on the cloud, and may also be configured in an on-premises environment.

Devices 114 are IoT devices such as sensors and actuators with communication capabilities, and include temperature sensors, vibration sensors, motion sensors, network cameras, factory equipment, refrigeration units, and automobiles. Alternatively, the sensor and actuator functions may be separated from the communication functions, and assets 115 such as various sensors, actuators, network cameras, factory equipment, refrigeration units, and automobiles may be connected to devices 114 wirelessly or via a wired connection, with devices 114 transmitting and receiving data between assets 115 and the information processing system 101.

In addition, in cooperation with functions provided by the telecommunications carrier, the carrier network 113 may implement device connection destination address restrictions 116.

The IoT device GW111 is the communication destination of the device 114 and has a message relay function such as an MQTT (Message Queuing Telemetry Transport) broker, and relays the sending and receiving of data between the device 114 and the information processing system 101.

The integrated management device 102 has a user interface, accepts instructions from the system administrator, and manages the entire information processing system 101 in accordance with a preset program. It also registers services provided by the information processing system 101 and registers data processing paths through operation by the administrator. It also receives service provision requests from devices 114 and issues instructions to move the devices 114 to data processing paths appropriate for the requested services. It also receives notifications of device abnormalities from the security device 106 and issues instructions such as processing the abnormal device and evacuating normal devices. It also has a function to instruct operations on the SIM (Subscriber Identity Module) used by the device (restricting the destination IP address, limiting communication speeds, suspending the SIM, etc.) through cooperation with the carrier collaboration function.

The device management device 103 has functions such as registering and deleting devices 114, and manages information such as the type and vulnerabilities of registered devices 114, services that can be provided to devices 114, and attribute information such as assets 115 connected to devices 114. It also issues instructions to devices 114 to fix vulnerabilities (for example, firmware updates or the application of security patches).

The data processing path management device 104 manages the data transmission and reception paths between the information processing system 101 and the devices 114, as well as the information processing resources and security functions set for each data processing path. It also manages the service status of the devices 114 using each data processing path, including the services being used, the status of the devices 114 (e.g., moving along a path), and the presence or absence of abnormalities.

The service management device 105 manages the security requirements of the services provided by the information processing system 101 and selects, for each service, a data processing path that meets the security requirements.

The security device 106 provides security functions such as anomaly detection and intrusion prevention, detects anomalies in the data received from the device 114, and notifies the integrated management device 102.

The data storage device 107 stores the data received from the device 114.

The data processing device 108 performs formatting and statistical processing of the data received from the device 114.

The application device 109 provides services to the device 114. For example, in the case of a data collection service, the application device 109 collects and stores data from the device 114. The stored data may be transmitted to a customer's data center, for example, each time data is received, periodically, or in accordance with instructions. In a temperature control service, for example, the application device 109 receives temperature information sensed by the asset 115 or device 114, and transmits instructions to the device 114, such as increasing or decreasing the air conditioning intensity, based on the difference between a preset target temperature and the received temperature. In an autonomous driving service, for example, the application device 109 is equipped with AI for autonomous driving, and the AI analyzes information from the device 114 and transmits control information to the device 114.

Figure 2 shows an example of using multiple data processing paths (201-A to 201-C). In the example of Figure 2, devices using a data collection service use data processing paths 201-A and 201-B. Data processing path 201-A accommodates devices 114 for which vulnerability countermeasures have not been implemented and is equipped with a security device 106 with an intrusion prevention function as a security measure. Data processing path 201-B accommodates devices 114 for which vulnerability countermeasures have been implemented. Data processing path 201-C accommodates devices 114 that are being remotely controlled. Data processing path 201-C implements destination address restrictions 116 in cooperation with the carrier function to prevent unauthorized external access to devices 114 that are being remotely controlled. Devices 114 also move between data processing paths 201 depending on the service they use. For example, if a device 114 that is accommodated in data processing path 201-B and using a data collection service switches to using a remote control service, the device 114 moves to data processing path 201-C.

In Figure 2, three data processing paths 201-A to 201-C are shown as an example, but the number of data processing paths 201 may be more or less than three. Furthermore, one data processing path 201 may be used by multiple services, or one service may use multiple data processing paths 201 depending on the vulnerability level of the device 114. Furthermore, the destination address restriction 116 can provide a secure communication path by blocking external communications not only for devices 114 currently being remotely controlled, but also for older devices 114 for which security support has expired, for example.

Figure 3 shows an example of the hardware configuration of an information processing device that can be used as each of the integrated management device 102, device management device 103, data processing path management device 104, service management device 105, security device 106, data storage device 107, data processing device 108, and application device 109. As shown in Figure 3, the information processing device 3000 includes, for example, a processor 3001, a main memory device 3002, an auxiliary memory device 3003, an input device 3004, an output device 3005, and a communication device 3006. These are connected to each other so that they can communicate with each other via communication means such as a bus (not shown).

The processor 3001 is configured using, for example, a CPU (Central Processing Unit) or an MPU (Micro Processing Unit). The processor 3001 reads and executes computer programs stored in the main memory device 3002, thereby realizing various functions of the integrated management device 102, the device management device 103, the data processing path management device 104, the service management device 105, the security device 106, the data storage device 107, the data processing device 108, and the application device 109. The main memory device 3002 is a device that stores computer programs and data, and is, for example, a ROM (Read Only Memory), a RAM (Random Access Memory), or a non-volatile semiconductor memory.

The auxiliary storage device 3003 is, for example, a hard disk drive, an SSD (Solid State Drive), an optical storage medium (e.g., a CD (Compact Disc) and a DVD (Digital Versatile Disc)), a storage system, an IC card (Integrated Circuit Card), an SD memory card, or other storage medium read/write device, as well as a storage area of a cloud server. The computer programs and data stored in the auxiliary storage device 3003 are read into the main storage device 3002 as needed. The input device 3004 is, for example, a keyboard, a mouse, a touch panel, a card reader, a voice input device, etc. The output device 3005 is a user interface that provides the user with various information such as processing progress and processing results. The output device 305 is, for example, a screen display device (i.e., a liquid crystal monitor, LCD (Liquid Crystal Display), or a graphic card, etc.), an audio output device (i.e., a speaker, etc.), a printing device, etc. Note that, for example, the information processing device 3000 may input and output information to and from another device via the communication device 3006.

The communication device 3006 is a wired or wireless communication interface that enables communication with other devices via communication means such as a LAN or the Internet. The communication device 3006 is, for example, a NIC (Network Interface Card), a wireless communication module, a USB (Universal Serial Bus) module, or a serial communication module.

Note that while Figure 3 shows an example hardware configuration when each device is implemented using a physical machine, each device may be implemented using various methods, such as a physical machine, a virtual machine, or a container. Furthermore, multiple devices may be implemented on the same physical machine using technologies such as a virtual machine or container. Furthermore, when using the cloud, devices may be implemented using managed services provided by a cloud provider. Furthermore, although each device is described as a separate device in this embodiment, the functions of multiple devices may be combined into a single device. Furthermore, the functions of one device may be implemented by another device. Furthermore, there may be multiple devices of each type. Similarly, the IoT device GW 111 may be implemented using various methods, such as a physical machine, a virtual machine, a container, or a managed service. Furthermore, the number of IoT device GWs 111 is not limited to three and may be more or less than three. In this specification, unless otherwise specified, the numbers are not limited to the numbers stated, and may be more or less than the stated numbers.

Figure 4 shows the main functions of the integrated management device 102 and the main information recorded by the integrated management device 102. The integrated management device 102 has a user interface function 401, a carrier collaboration function 402, an alert processing function 403, and a device processing function 404, and records resource information 405.

Resource information 405 records information about resources managed by the information processing system 101 (e.g., access destination information for the device management device 103, data processing path management device 104, service management device 105, security device 106, data storage device 107, data processing device 108, application device 109, IoT device GW 111, etc.). Resource information 405 stores records having fields for, for example, resource name and access destination (e.g., Uniform Resource Locator (URL)).

Figure 5 shows the main functions of the device management device 103 and the main information recorded by the device management device 103. The device management device 103 has a device registration function 501 and a vulnerability management function 502, and records device attribute information 503.

The device registration function 501 registers the input information in the device attribute information 503. The vulnerability management function 502 performs security management for the devices 114 registered in the device attribute information 503 and updates the device attribute information 503. Details of the vulnerability management function 502 will be explained from Figure 29 onwards.

Figure 6 shows an example of device attribute information 503. Device attribute information 503 stores records with items such as device ID 601, SIM ID 602, device type 603, vulnerability level 604 (e.g., protection registration 605, firmware version 606, and security patch 607), available services 608, and assets 609. Protection registration 605 indicates, for example, that the device is an older model that cannot support the latest firmware or security patches, and therefore requires device protection through destination address restrictions.

Figure 7 shows the main functions of the data processing path management device 104 and the main information recorded by the data processing path management device 104. The data processing path management device 104 has a data processing path registration function 701 and a data processing path management function 702, and records data processing path attribute information 703 and device service status information 704.

The data processing path registration function 701 registers, deletes, and updates data processing paths in the data processing path attribute information 703. The data processing path management function 702 manages the service status of the device 114 by recording, updating, and referencing the device service status information 704, and upon receiving instructions from the integrated management device 102, transmits various instructions to the device 114 via the IoT device GW 111.

Figure 8 shows an example of data processing path attribute information 703. Data recorded by each device included in the information processing system 101 is recorded, for example, in table format. The data processing path attribute information 703 stores records having items such as a data processing path identifier 801, an IoT device gateway 802, a data processing device 803, a path status 804, security functions 805, an expected use 806, and a priority 807.

The IoT device GW 802 and data processing device 803 record the identifier and access destination information of each device. The path status 804 indicates whether or not there is an abnormality in the data processing path 201. The security function 805 indicates the security function provided by the data processing path 201. In this embodiment, intrusion prevention, abnormality detection, and connection destination address restrictions are provided, but this is not limited to these. Further security functions such as monitoring the utilization rate of the IoT device GW 111 and data processing device 108 may also be provided. Furthermore, there may be multiple data processing paths 201 with the same attributes.

Figure 9 shows an example of device service status information 704. The device service status information 704 stores records with items such as a device ID 901, a service in use 902, a data processing path 903, a device status (e.g., data processing path switching in progress) 904, and whether or not an abnormality has occurred 905.

Figure 10 shows the main functions of the service management device 105 and the main information stored by the service management device 105. The service management device 105 has a service registration function 1001 and a data processing path selection function 1002, and records security requirement information 1003.

Figure 11 shows an example of security requirement information 1003. The security requirement information 1003 stores records with items such as service ID 1101, service name 1102, device attributes 1103, required security functions 1107, and available data processing paths 1108. The device attributes 1103 further include detailed items such as device registration 1104, device type 1105, and vulnerability level 1106 (e.g., protected device registration, firmware version, security patch, etc.).

Required security functions 1107 specify the required security functions 1107 for each combination of service and device attributes 1103. Available data processing paths 1108 record data processing paths 201 that have security functions that match the required security functions 1107.

In this example, the service ID 1101 and service name 1102 are recorded separately, but it is not necessary to use both as long as the service can be uniquely identified. Device registered 1104 indicates that the device is registered in the device management apparatus 103. A case where a device is not registered corresponds to, for example, a case where a service application is installed on a personal smartphone or the like and a service is received from the information processing system 101 without being registered in the device management apparatus 103.

Figure 12 shows the main functions of the security device 106 and the main information recorded by the security device 106. The security device 106 has a data reception function 1201, an anomaly detection function 1202, an intrusion prevention function 1203, an alert function 1204, and a management function 1205, and records configuration information 1206.

Figure 13 shows an example of setting information 1206. Setting information 1206 records items such as data processing path 1301, security function 1302, input 1303, output 1304, and analysis method, etc. 1305.

Data processing path 1301 records the identifier of the data processing path 201 on which the security function is installed, and security function 1302 records intrusion prevention or anomaly detection. Input 1303 records the identifier of the device from which the data to be analyzed was obtained, or access information. Output 1304 records the identifier of the device to which the data is output, or access information, in cases where the intrusion prevention function is used. Analysis method 1305 records the analysis method to be used when multiple analysis methods are provided.

Note that a single security device may provide both anomaly detection and intrusion prevention functions. Also, a single security device may provide security functions for two or more data processing paths. Also, two or more security devices may provide anomaly detection and intrusion prevention functions for one data processing path.

Figure 14 shows the main functions of the IoT device GW111 and the main information recorded by the IoT device GW111. The IoT device GW111 has a device registration function 1401, a data relay function 1402, and a device authentication function 1403, and records device information 1404. The device information 1404 records, for example, the device ID of the device that uses the IoT device GW111 and information for authentication thereof.

Figure 15 shows the main functions of the data storage device 107 and the main information recorded by the data storage device 107. The data storage device 107 has a data writing function 1501, a data reading function 1502, and a data deletion function 1503, and records received data information 1504. The received data information 1504 records, for example, the device ID, received data, and the date and time of reception in association with each other.

Figure 16 shows the main functions of the data processing device 108 and the main information recorded by the data processing device 108. The data processing device 108 has a data receiving function 1601, a data transmitting function 1602, a data shaping function 1603, and a statistical processing function 1604, and records service information 1605. The data shaping function 1603 and the statistical processing function 1604 may have multiple methods. The service information 1605 records, for example, the required data shaping method and statistical processing method for each service.

Figure 17 shows the main functions of the application device 109 and the main information recorded by the application device 109. The application device 109 has a data reception function 1701, a data transmission function 1702, and a data processing function 1703, and records received data information 1704. The received data information 1704 records, for example, a device ID, received data, and the date and time of reception in association with each other.

The communication network 110 is a wireless or wired network that enables data transfer between devices. If multiple devices are implemented on the same physical machine, data transfer may also be within the same physical machine.

Figure 18 shows an example of a management screen 1801 displayed by the user interface function 401 of the integrated management device 102. The management screen 1801 includes menus 1802, such as system status, data processing paths, services, devices, and security functions, and selecting each menu item displays its details screen 1803.

The user interface function 401 accesses the data processing path management device 104, service management device 105, device management device 103, and security device 106 according to the selected menu, and displays various setting screens. Management screen 1801 is an example where the system status is selected from the menu, and the user interface function 401 queries the data processing path management function 702 of the data processing path management device 104 about the presence or absence of abnormalities in the data processing path, and displays the results. Furthermore, when an alert is received from the alert issuance function of the security device 106, the alert processing function 403 may display the presence or absence of an alert and the processing results.

Figures 19A-C show an example of a data processing path setting screen. Figure 19A is an example of a setting screen displayed when a data processing path is selected on the management screen 1801. When a data processing path is selected, the user interface function 401 accesses the data processing path management device 104 and displays a data processing path list screen 1901 provided by the data processing path registration function 701. The data processing path registration function 701 displays a list 1902 of data processing paths registered based on the data processing path attribute information 703. From this screen, the administrator can call up a new data processing path registration screen 1908, call up a registered data processing path editing screen 1912, delete a data processing path, and edit the priority order, and then press the save button 1906 to save the updated information, or press the cancel button 1907 to cancel the update of the registered information.

Figure 19B shows an example of a new data processing path registration screen displayed on the management screen 1801. By pressing the new registration button 1903 in the data processing path list 1902, the screen transitions to the new data processing path registration screen 1908. The administrator enters the path name, the IoT device GW to be used, and information about the data processing device (e.g., identifier or URL) in the information input table 1909. Furthermore, the administrator enters the presence or absence of security functions provided by the data processing path (intrusion prevention, anomaly detection, and destination address restrictions in the example shown in this figure), as well as the expected use, and presses the save button 1910. The data processing path registration function 701 reflects the entered information in the data processing path attribute information 703. Furthermore, if there are any duplicate path names, this is pointed out.

Figure 19C shows an example of a data processing path editing screen displayed on the management screen 1801. On the data processing path list screen 1901, a data processing path is selected from the data processing path list 1902 and the edit button 1904 is pressed to transition to the data processing path editing screen 1912. The administrator corrects the changes in the information input table 1913 and presses the save button 1914. The data processing path registration function 701 reflects the input information in the data processing path attribute information 703.

On the data processing path list screen 1901, by selecting a data processing path from the data processing path list 1902 and pressing the delete button 1905 for the selected row, the data processing path registration function 701 deletes the information for the selected data processing path from the data processing path attribute information 703. When deleting a data processing path, the data processing path registration function 701 queries the data processing path management function 702 to check whether there are any devices using the data processing path to be deleted, and if there are any services and devices in use, displays on the operation screen that these services and devices are in use, and may also display an operation screen for reconfirming the deletion of the data processing path or for inputting processing for the services and devices in use.

In this embodiment, it is assumed that the creation and connection settings of the IoT device GW 111, data processing device 108, and security device 106 are performed in advance. To register and edit a data processing path, the attributes set for each data processing path are entered and recorded in the data processing path attribute information 703. The same applies to deleting a data processing path, and the resources of each device are released after the data processing path is deleted.

Furthermore, in this embodiment, intrusion prevention, anomaly detection, and destination address restrictions are shown as examples of security functions, but these are not limited to these, and there may be multiple methods of intrusion prevention and anomaly detection. Also, different security functions may be configured, such as firewalls, resource monitoring, and DDoS countermeasures.

Figures 20A-C show examples of service setting screens. Figure 20A is an example of the details screen 1803 that is displayed when a service is selected on the management screen 1801. When a service is selected, the user interface function 401 accesses the service management device 105 and displays the registered service list screen 2001 provided by the service registration function 1001 on the details screen 1803. The service registration function 1001 displays a list 2002 of registered services based on the security requirement information 1003. The administrator can use this screen to register new services, edit registered services, and delete services.

Figure 20B shows an example of a new service registration screen displayed on the management screen 1801. Pressing the new service registration button 2003 on the registered service list screen 2001 transitions to a new service registration screen 2006.

The administrator enters the service name 2007 and enters the device attributes and required security functions in the information input table 2008. In cases where the required security functions differ depending on the device attributes, the administrator presses the add row button 2010 to add a row and selects the required security functions for each device attribute. After entering the device attributes and required security functions, the administrator presses the data path selection button 2011, which causes the data processing path selection function 1002 to query the data processing path management function 702 and select a data processing path equipped with the required security functions.

If there are multiple data processing paths that match the conditions, they may be selected based on priority. Also, if the priorities are the same, multiple data processing paths may be selected as available data processing paths. When the administrator presses the Save button 2012, the service registration function 1001 reflects the entered information in the security requirement information 1003. At this time, the service registration function 1001 may automatically create a service ID.

In addition, if there is no data processing route that meets the required security functions, the available data processing route column will indicate that there is no data processing route that matches the conditions. If there is no available data processing route, the administrator must either create a new data processing route that has the required security functions, or add security functions to an existing data processing route. Alternatively, the administrator may discontinue providing the service.

Figure 20C shows an example of the service editing screen displayed on the management screen 1801. On the registered service list screen 2001, select a service and press the edit button 2004 to transition to the service editing screen 2014.

When the administrator modifies the changes in the information input table 2016 and presses the data path selection button 2019, the data processing path selection function 1002 selects and sets an available processing path. When the administrator presses the save button 2020, the service registration function 1001 reflects the entered information in the security requirement information 1003.

By selecting a service on the registered service list screen 2001 and pressing the delete button 2005 for the selected row, the service registration function 1001 deletes the information for the selected service from the security requirement information 1003. When deleting a service, the service registration function 1001 queries the data processing path management function 702 to check whether there are any devices using the service to be deleted, and if there are any devices in use, it may display on the management screen that the devices in use exist, and display a screen for reconfirming the deletion of the service or for inputting processing for the devices in use.

Figures 21A-C show examples of device registration screens. Figure 21A is an example of a details screen 1803 that is displayed when a device is selected on the management screen 1801. When a device is selected, the user interface function 401 accesses the device management device 103 and data processing path management device 104, and displays a registered device list screen 2101 based on the device attribute information 503 and device service status information 704.

Administrators can use this screen to register new devices, edit registered devices, and delete devices. They can also narrow down the devices displayed based on the data processing path, services in use, and whether or not there are any abnormalities. They may also be able to filter by device type and vulnerability level.

Figure 21B shows an example of a new device registration screen displayed on the management screen 1801. Pressing the Add Device button 2103 on the registered device list screen 2101 transitions to a new device registration screen 2106.

The administrator may register information such as device IDs individually using the information input table 2107, or may register devices in bulk by writing information for one or more devices in a file and selecting and loading the file in which the device information is registered. By entering device information on the new device registration screen 2106 and pressing the save button 2108, the device registration function 501 reflects the entered information in the device attribute information 503. Note that if a device ID has already been registered or if a duplicate device ID exists among the newly registered devices, the device registration function 501 may display the duplicate device ID and request the administrator to change the device ID.

Information other than the device ID may be set later. Furthermore, a reporting function may be placed in the device to determine the device type and vulnerability level, and the device registration function 501 may modify the device attribute information 503 based on reports from the device. Furthermore, the device registration function 501 sends the device ID of a newly registered device to the data processing path management function 702. The data processing path management function 702 reflects the received device ID in the device's service status information 704. Furthermore, when a new device ID is added to the device's service status information, the data processing path registers path 0 for the initial connection.

Figure 21C is an example of a device editing screen displayed on the management screen 1801. On the registered device list screen 2101, one or more devices are selected from the registered device list 2102, and the edit button 2104 is pressed to transition to the device editing screen 2109. When the administrator corrects the information in the information input table 2110 and presses the save button 2111, the device registration function 501 reflects the entered information in the device attribute information 503.

Figures 22A-B show examples of security function settings screens. Figure 22A is an example of the details screen 1803 that is displayed when security is selected on the management screen 1801. When security is selected, the user interface function 401 displays a security device list screen 2201. The user interface function 401 accesses the security device 106 based on the information in the resource information 405, and displays a security device list 2202 that associates the security device identifier with the data processing path on which the security device is installed.

Figure 22B is an example of a security device settings screen 2203. This screen is accessed by selecting a security device from the security device list 2202 on the security device list screen 2201. On the security device settings screen 2203, for example, the data processing path supported by the security device, the security functions it provides, the source of the data to be analyzed, the output destination of the analyzed data, and the analysis method are set in the information input table 2204. The input and output include the identifier of the target device or access information for the target device.

Note that the setting screens and setting methods shown in Figures 18 to 22 are examples and are not limited to this format, and the setting method is not limited to table format. For example, various settings can be made by accessing each device using SSH (secure shell), or by using a method provided by a cloud vendor, for example.

Figure 23 shows an example of a message processing sequence. Note that although the Internet 112 is omitted from this sequence, the Internet 112 is located between the carrier network 113 and the IoT device gateway 111 and relays messages. Here, messages refer to user data and control data sent from the device 114.

The device 114 sends a connection request (S2301) to the IoT device GW 111 belonging to the data processing path 201 to be used. The carrier network 113 sends the received connection request to the IoT device GW 111 (S2302). The device authentication function 1403 verifies the received authentication information (S2303) and sends the authentication result to the device 114 (S2304). The carrier network 113 sends the received authentication result to the device 114 (S2305). If the authentication is successful (yes in S2306), the device 114 establishes a communication session with the IoT device GW 111 (S2309). If the authentication is unsuccessful (no in S2306), an error is displayed on the device 114's operation screen, etc. (S2307), and the process ends (S2308).

The authentication process (S2303) and the establishment of the communication session (S2309) are performed using a method that is appropriate for the communication protocol being used. A common authentication method is, for example, PKI (Public Key Infrastructure). By distributing a device certificate to each device 114 in advance and registering a root certificate for verifying the validity of the device certificate in the IoT device GW 111, authentication using PKI can be used.

The device 114 sends messages such as sensed data (i.e., user data) and various requests (i.e., control data) to the IoT device GW via the carrier NW 113 (S2310). If the message is user data, the message may include the name and identifier of the service being used. The carrier NW 113 sends the received message to the IoT device GW 111 (S2311). The IoT device GW 111 sends the received message to the security device A 106 (S2312).

The intrusion prevention function 1203 verifies the received message, and if it detects an abnormality (yes in S2313), it discards the message (S2314) and issues an alert including the device ID and the type of abnormality to the integrated management device 102 (S2315). If no abnormality is detected (no in S2313), it sends a message to the data processing device 108 (S2316).

The data reception function 1601 of the data processing device 108 determines whether the message is user data or control data (S2317), and if it is a control message, the data transmission function transmits the received data to the integrated management device 102 (S2327). If it is user data, the data shaping function 1603 and statistical processing function perform data shaping and statistical processing according to a pre-specified method (S2318), and the data transmission function 1602 transmits the processed data to the data storage device 107 (S2319). The data shaping and statistical processing are used to shape the data into a form suitable for downstream applications and anomaly detection as necessary.

The data writing function 1501 of the data storage device 107 stores the received data in the received data information 1504 (S2320).

The data reception function 1201 of the security device B 106 periodically reads data from the data storage device 107 (S2321), the abnormality detection function 1202 analyzes the read data (S2323), and if an abnormality is detected (yes in S2324), the alert function 1204 notifies the integrated management device 102 of the ID of the device in which the abnormality was detected and the type of abnormality.

The data reception function 1701 of the application device 109 periodically reads data from the data storage device 107 (S2322) and performs processing set for each service (S2326). For example, in a service that remotely adjusts the temperature of a refrigeration device, the user data is sensed temperature data, and the data processing function 1703 compares the user data with the target temperature to instruct adjustment of the strength of the cool air. Although this adjustment instruction is not shown in the sequence, it is sent to the device 114 via the IoT device GW 111. Also, in the case of a data collection service, for example, the received data is recorded in received data information 1704.

The device 114 stores in advance a device certificate and access destination information for the IoT device GW 111 belonging to the data processing path 201 for initial connection, and connects to the IoT device GW 111 for initial connection when connecting for the first time. When connecting for the second time or later, it connects to the IoT device GW 111 that was used when the previous connection ended.

In addition, in the message processing sequence shown in Figure 23, with regard to the methods of sending and receiving messages and data between devices within the information processing system 101, the message and data acquisition methods described as pull type and push type may be changed from pull type to push type, or vice versa. When message and data acquisition is pull type, message and data reading settings are made on the receiving device, and when it is push type, message and data transmission settings are made on the sending device.

Furthermore, in data processing paths that do not have intrusion prevention functions, the processing performed by security device A106 is omitted. Similarly, in data processing paths 201 that do not perform anomaly detection, the processing performed by security device B106 is omitted. Furthermore, in data processing paths 201 that perform destination address restrictions, the carrier network checks the destination IP address, and communication with IP addresses other than those registered in advance is blocked.

In addition, the data processing device 108 may transmit the processed user data to the security device B 106 and the application device 109 without going through the data storage device 107.

Figure 24 shows an example of a sequence for moving a data processing path for device 114. The execution procedure for moving a data processing path from path 1 to path 2 will be explained using Figure 24. Note that this sequence is a processing sequence when the movement of device 114 is successful.

The device processing function 404 of the integrated management device 102 sends a path transfer instruction including the device ID of the processing target device 114 and the destination data processing path ID to the data processing path management device 104 (S2401).

The data processing path management function 702 of the data processing path management device 104 sends a path movement instruction to the IoT device GW 111 on path 1, including the device ID and access information for the movement destination (S2402), and updates the device's service status information 704 (S2407). Specifically, "Moving path" and the destination data processing path ID are recorded in the device status 904. The data processing path management function 702 also sends a device registration request including the device ID to the IoT device GW 111 on path 2, which is the movement destination (S2408). The IoT device GW 111 on path 2 registers the received device ID in the device information 1404 (S2409).

When the IoT device GW111 on path 1 receives the path change instruction, it sends a path change instruction to the device, including access information for the destination IoT device GW111 (S2403). The carrier network 113 sends the received path change instruction to the device 114 (S2404). The device 114 sends a request to disconnect the communication session established with the IoT device GW111 on path 1 (S2405), and the carrier network sends the received communication session disconnection request to the IoT device GW111 on path 1 (S2406). This disconnects the communication session between the device 114 and the IoT device GW111 on path 1.

Next, device 114 sends a connection request including authentication information to the new connection destination, IoT device GW 111 of path 2, via carrier network 113 (S2410). Carrier network 113 sends the received connection request to IoT device GW 111 of path 2 (S2411). The IoT device GW of path 2 verifies the authentication information (S2412) and sends the authentication result to device 114 via carrier network 113 (S2413). Carrier network 113 sends the received authentication result to device 114 (S2414).

If authentication is successful (yes in S2415), device 114 establishes a communication session with IoT device GW111 on path 2 (S2416). Next, device 114 sends a path movement end notification including the device ID to IoT device GW111 on path 2 via carrier NW113 (2417). Carrier NW113 then sends the received path movement end notification to IoT device GW111 on path 2 (S2418).

The IoT device GW111 on path 2 sends a path movement end notification including the device ID to the data processing device 108 (S2419). The data processing device 108 sends a path movement end notification to the integrated management device 102 (S2420). The device processing function 404 of the integrated management device 102 sends a path movement end notification (S2421) to the data processing path management device 104 (S2421). The data processing path management function 702 of the data processing path management device 104 sends a device deletion request including the device ID to the IoT device GW111 on path 1 (S2422) and updates the device service status information 704 (S2423). Specifically, the data processing path 903 is updated to path 2, and the device status 904 is updated to normal.

When the IoT device GW111 on route 1 receives the device deletion request, it deletes the device registration (S2424).

In the message processing sequence of Figure 23 and the data processing path migration processing sequence of Figure 24, the data processing path management function 702 sends a device registration request to the IoT device GW 111. However, if the IoT device GW 111 itself has the function of authenticating and automatically registering the device 114 when it is connected for the first time, for example, the device registration request (S2408) is not necessarily required.

Figure 25 is a flowchart showing an example of the data processing path migration processing flow in the integrated management device 102. The device processing function 404 instructs the data processing path management device 104 to move the path of the device 114 (S2502). When the device processing function 404 receives an end notification from the device 114 (yes in S2503), it notifies the data processing path management device 104 of the end of the path migration (S2504) and ends the processing (S2505).

If the device processing function 404 does not receive a completion notification (no in S2503) and receives a route relocation failure notification (yes in S2506), it notifies the data processing route management device 104 of the route relocation failure and that a switchback will be performed (S2507), and displays on the management screen that the relocation process has failed and the route has been switched back (S2508).

Also, if neither a route movement completion notification nor a route movement failure notification is received (no in S2506), the data processing route management device 104 is notified of the route movement processing failure (S2509), and the route movement processing failure and the connection switchback failure are displayed on the management screen (S2510).

Figure 26 is a flowchart showing an example of route change processing in device 114. When device 114 receives a route change instruction (S2601), it disconnects the currently connected session (S2602) and sends a connection request to the IoT device GW 111 on the destination data processing route (route 2 in this example) (S2603).

If the connection is permitted (yes in S2604), a communication session is established with the IoT device GW111 on route 2 (S2605), a route movement completion notification is sent (S2606), and the route movement process is terminated (S2607).

If connection is not permitted by the IoT device GW 111 on path 2 (no in S2604), the device 114 sends a connection request to the IoT device GW 111 on the original data processing path (path 1 in this example) (S2608), and upon obtaining permission to connect (yes in S2609), it establishes a communication session with the IoT device GW 111 on path 1 (S2610) and sends a path change failure notification (S2611).

Next, the route change failure and the current communication status (i.e., connected to route 1) are displayed (S2612). Also, if connection to route 1 is not permitted (no in S2609), the route change failure and the current communication status (i.e., no connection destination) are displayed (S2612).

The path migration process shown in Figures 24 to 26 allows devices to dynamically change their data processing paths.

Figure 27 shows an example of a service request processing sequence executed when a device changes services. The device 114 sends a service request including service identification information to the IoT device GW 111 of the currently used data processing path (path 1 in this example) via the carrier network 113 (S2701). The carrier network 113 then sends the received service request to the IoT device GW 111 of path 1 (S2702).

The IoT device gateway 111 on route 1 sends a service request including the service identification information to the integrated management device 102 via the data processing device 108 (not shown in this figure) (S2703).

The device processing function 404 of the integrated management device 102 acquires the attribute information 503 of the requesting device from the device management device 103 and the security requirement information 1003 of the requested service from the service management device 105 (S2704). Based on the acquired device attributes, the device processing function 404 checks whether the requested service is permitted for the requesting device. If permitted (yes in S2705), the device processing function 404 compares the vulnerability level 604 of the device 114 attribute with the vulnerability level 1106 of the device recorded in the security requirement information 1003. If the vulnerability level of the requesting device satisfies the security requirements of the service (yes in S2706), a data processing path is selected (S2707). Note that, for multiple data processing paths, if the vulnerability level of the device 114 satisfies the security requirements of the service, the data processing path with the highest priority is selected. If the priorities are the same, random selection may be performed. Next, the device processing function 404 determines that provision of the service is permitted (S2708).
If the device 114 is requesting an unauthorized service (no in S2705), and if the vulnerability level of the device does not meet the security requirements of the service in any of the data processing paths used by the service (no in S2706), the provision of the service is not permitted (S2709).

The device processing function 404 transmits the result of the service provision availability determination to the data processing path management device 104 (S2710), and the data processing path management device 104 transmits the received result of the service provision availability determination to the IoT device GW 111 on path 1 (S2711). The IoT device GW 111 on path 1 transmits the received result of the service provision availability determination to the device 114 via the carrier NW 113 (S2712). The carrier NW 113 transmits the received result of the service provision availability determination to the device 114 (S2713).

If the device 114 determines that the service can be provided (yes in S2714), it waits for instructions from the integrated management device 102 and performs data processing path migration processing (S2719). If the device 114 determines that the service can be provided (no in S2714), it notifies the operator by displaying a message on the screen or the like (S2715) and terminates processing (S2716).

If the result of the service provision determination is that the service is not permitted (no in S2717), the device processing function 404 terminates processing (S2718). If the result of the service provision determination is that the service is permitted (yes in S2717), the device processing function 404 performs route movement processing of the device 114 to the data processing route selected in step S2707 (S2719). Note that in cases where the route movement processing (S2719) is triggered by a service request from the device, as in this sequence, the device processing function 404 also transmits identification information of the service requested by the device 114 when sending a route movement completion notification (S2421) to the data processing route management device 104.

Next, in cases where a change to the destination address restriction is necessary (i.e., either Route 1 or Route 2 has a destination address restriction function) (yes in S2720), the carrier interoperation function 402 of the integrated management device 102 notifies the carrier of the SIM ID of the device 114 and the IP address information of the destination IoT device GW 111, and requests that the destination IP address restriction be started, canceled, or changed (S2721). For example, if the carrier provides an API for device management, the carrier interoperation function 402 uses the API to request that the destination IP address restriction in the carrier network be started, canceled, or changed. For example, the carrier's device management API receives the request and starts, cancels, or changes the destination IP address restriction for the target SIM.

In addition, when comparing the vulnerability level 604 of the device 114 with the device vulnerability level 1106 in the security requirements of the service, if the service can be received by registering the device 114 as a protected device, the device 114 may be temporarily registered as a protected device until the vulnerability is fixed.

Although omitted from the sequence diagram of Figure 27, in the case where asset 115 is connected to device 114, for example, a service request may be generated by an operator operating asset 115, the service request may be sent from asset 115 to device 114, and the service request received by device 114 may be sent to IoT device GW 111 on path 1.

In this embodiment, which is configured as described above, in an information processing system 101 connected to multiple devices 114, it is possible to dynamically and automatically select and use a data processing path 201 according to the combination of the vulnerability level 604 of the device 114 and the security requirement information 1003 of the service, and it is possible to use a data processing path 201 with appropriate security functions in response to changes in the device status (i.e., updates to vulnerability levels due to the implementation of security measures, and changes in the services used). This makes it possible to simplify the operation and management of even a large number of devices.

Furthermore, by using carrier functions to restrict destination IP addresses, it is possible to protect older devices that cannot be protected against vulnerabilities from external attacks. Furthermore, by blocking external connections when remotely controlling a device, it is possible to prevent unauthorized control from the outside, enabling even stronger protection for devices.

This example shows an example of the procedure for reviewing data processing paths in response to updates to service security requirements.

Figure 28 is a flowchart showing an example of the processing flow when reviewing the data processing path 201 in response to an update to the service security requirement information 1003.

The administrator selects the service to be edited from the registered service list screen 2001, edits the service's security requirements (i.e., device attributes 1103 and/or required security functions 1107) on the service edit screen 2014 (S2802), and presses the data path selection button 2019 to reselect the data processing path 201 (S2803).

Next, the data processing path management function 702 of the data processing path management device 104, triggered by the reselection of the data processing path, refers to the data processing path attribute information 703 to recalculate the data processing path for each device 114 (here, the data processing path selected by the recalculation is referred to as a data processing path candidate) (S2804), and extracts devices 114 that require a change in data processing path (S2805). Devices 114 that require a change in data processing path are devices 114 whose currently used data processing path 903 and a data processing path candidate differ in the device service status information 704, and devices 114 for which no data processing path candidate exists. Next, the data processing path management function 702 instructs devices 114 for which a data processing path candidate exists to move to the data processing path candidate (S2806).

Next, the data processing path management function 702 extracts, from the devices 114 for which no data processing path candidates exist, devices 114 that are using a service that can provide service to the protected device and that can be registered as a protected device (S2807), performs protected device registration (S2808), and instructs the device to move to the data processing path for the protected device (S2808). Note that whether or not a protected device can be registered is registered in advance in the device attribute information 503, for example, as a device attribute.

Next, the data processing path management function 702 instructs the device 114 that was unable to move its path to end the service and move to the path used for the initial connection (S2810), and ends the processing (S2811).

For example, the service registration function 1001 of the service management device 105 may periodically check information such as firmware and security patches provided by companies, and automatically update the security requirement information 1003 a certain period of time after the firmware and security patch are provided. Furthermore, for example, when an important security patch is released, the timing of updating the security requirement information 1003 may be advanced depending on the level of importance. Furthermore, the automatic update of the service's security requirement information 1003 may trigger a review process of the data processing path. This makes it possible to automatically review the data processing path of the device 114 and move the path when the service's security requirement information 1003 is updated.

Also, for example, when devices that require a change in data processing path are extracted in step S2805, a list of the extracted devices can be displayed on the management screen, allowing the administrator to confirm the list before proceeding with subsequent processing.

Figure 29 shows an example of a data processing path update screen 2901 when manually instructing a data processing path move. The data processing path management function 702 displays a list 2902 of devices 114 whose data processing paths require a move on the data processing path update screen. The administrator selects a device 114 and issues instructions for moving it to a data processing path candidate, registering it as a protected device, and terminating the service. For example, after selecting a device and registering it as a protected device, the administrator can press the data path reselection button to calculate a new data processing path and instruct the path move to the data processing path candidate.

Also, for example, it may be possible to select whether to automatically or manually review data processing paths associated with updates to service requirement information for each service. Furthermore, it may be possible to configure the system so that some of the process is performed automatically and the rest is performed manually, for example, by automatically moving paths for devices for which data processing path candidates exist and manually processing for devices for which no data processing path candidates exist. The automatic or manual setting for the data processing path review process may be registered when the service is registered or edited, and recorded in the security requirement information 1003.

The data processing path may also be reviewed in conjunction with vulnerability countermeasures for the device 114. The vulnerability management function 502 periodically checks information such as firmware and security patches provided by the company, and if firmware or security patches are provided, instructs the registered device 114 to update the firmware or apply the security patch. When the device 114 updates the firmware or applies a security patch in response to these instructions, it notifies the vulnerability management function 502 of the changed attributes, and the vulnerability management function 502 updates the device attribute information 503. The update of the device attribute information 503 triggers the data processing path management function 702 to review the data processing path for the device 114, and if a data processing path with a higher priority can be used, the path may be changed.

In addition, security functions may be added or removed from existing data processing paths. For example, in cases where an unknown attack has been detected and it is desired to strengthen anomaly detection functions across the entire information processing system, anomaly detection functions or intrusion prevention functions may be added to existing data processing paths. Furthermore, once security patches have been provided and applied to all devices in service, the added security functions may be removed to return to the original state.

Furthermore, for example, in cases where a data processing path is assigned to a specific service, when the security requirements of the service change, security functions of the data processing path may be added or removed to match the security requirements of the service.

In this embodiment, in response to updates to the device's vulnerability level, changes to the services used by the device, updates to the service's security requirements, changes to the information processing system's status, and the acquisition of new security information from external sources, the data processing path used by the device is reselected and moved to the reselected data processing path so as to satisfy the conditions required by the device attribute information 503, data processing path attribute information 703, device service status information 704, and security requirement information 1003 that reflect the changes.

According to this embodiment, the data processing path used by a device can be dynamically changed in response to updates to the service's security requirements and device vulnerability levels. It is also possible to change the security functions for the data processing path. This makes it possible to easily provide the necessary security functions in line with the service's security requirements and device vulnerabilities, even when providing services to a large number of devices.

This example shows processing for a device 114 in which an abnormality has been detected. The intrusion prevention function 1203 of the security device 106 analyzes, for example, messages sent and received between the IoT device GW 111 and the data processing device 108, and if an unauthorized or abnormal message is detected, deletes the message, and the alert function 1204 notifies the integrated management device 102 of the device ID and type of abnormality. The abnormality detection function 1202 analyzes, for example, data received from the device 114, and if an abnormality or abnormality is detected, the alert function 1204 notifies the integrated management device 102 of the device ID and type of abnormality. The content of the notification to the integrated management device 102 may include identification information for the asset 115.

One method for detecting anomalies and fraud is to match a message with a pre-registered signature and determine that it is fraudulent if a message matching the signature is detected. Other methods include detection methods using outlier detection and change point detection through machine learning, and anomaly detection methods using threshold judgment. It is also possible to select one or more items to analyze, such as the frequency of message reception, message size, or data value, and use these methods to detect anomalies. For example, a combination of these functions may be executed, with the intrusion prevention function 1203 detecting fraud by matching with a signature and the anomaly detection function 1202 performing change point detection or threshold detection.

Furthermore, the data processing path attribute information 703 and the service security requirement information 1003 list three examples of security functions: intrusion prevention, anomaly detection, and destination address restriction. However, by further detailing the security functions 805 and 1007, they may be recorded for each analysis method.

In addition, a data processing path may provide two or more analysis methods for intrusion prevention and anomaly detection. A service does not necessarily need to apply all of the anomaly detection methods provided by a data processing path, and may specify any analysis method required. The data processing path attribute information 703 records the security functions 805 that can be provided for each data processing path, and analysis is performed according to the required security functions 1007 specified in the service's security requirement information 1003. In addition, if the service has its own anomaly detection method, this may be used.

Furthermore, for example, a firewall may be installed in the IoT device GW 111, and measures against DDoS attacks may be implemented. Furthermore, for example, these security functions may be implemented using services provided by a cloud provider.

Figure 30 is a flowchart showing an example of the processing flow when an abnormality is detected.

When the alert processing function 403 of the integrated management device 102 receives an alert (S3001), it queries the data processing path management function 702 and obtains the name of the service being used by the device 114.

Next, if the service being used by the device 114 is in remote operation (yes in S3002), the alert processing function 403 instructs the device 114 to degrade remote operation (i.e., switch back to manual operation) (S3003).

Next, the alert processing function 403 analyzes the anomaly detection information (S3004), and if the detected anomaly is an increase in data volume, it sends an instruction to the device 114 to shut down communication with the asset 115 (S3005). Furthermore, if the detected anomaly is fraud detected by pattern matching using a signature (e.g., a virus, buffer overflow attack, SQL injection attack, cross-site scripting attack, etc.), the carrier collaboration function 402 uses an API provided by the carrier to shut down the SIM (S3006).

Next, the alert processing function 403 notifies the administrator of the occurrence of the abnormality (S3007). For example, the device ID, type of abnormality, and processing performed on the device may be displayed on the management screen 1801. This flowchart is an example of processing when an abnormality is detected, and different processing flows may be defined for each service, for example.

When an abnormality is detected, any action, such as data deletion, communication suspension, service degradation, service termination, SIM suspension, and speed restriction on the SIM, or a combination of these, may be performed on the device in question.

When an alert is received, the content of the alert can be displayed on the management screen 1801, and the administrator can manually instruct how to handle the device in which the abnormality was detected. Alternatively, automatic or manual processing can be selected in advance for each service, and the administrator can handle services that require individual handling.

In addition to sending alerts to the integrated management device 102, the alert function 1204 may also send alerts to the administrator's mobile device, for example, using email or an alert application.

According to this embodiment, processing can be performed automatically when an abnormality is detected in a device, facilitating the management and operation of a large number of devices. Furthermore, by allowing manual processing to be selected, flexible responses can be made to each service depending on the impact of the abnormality.

This example shows the processing that occurs when abnormalities are detected in a large number of devices within a certain period of time. When a large number of abnormal devices are detected in a data processing path, an available data processing path is reselected for normal devices currently using the data processing path, excluding the data processing path currently in use, based on the attributes of each normal device and the security requirements of the service, and the data processing path is then moved from the data processing path currently in use to the newly selected data processing path.

It also features a function to create a new data processing path and set the necessary security functions when a large number of abnormal devices are detected on the data processing path, and a function to move normal devices to the created data processing path.

Figure 31 is a flowchart showing an example of the processing flow for each data processing path when an abnormal device is detected.

When the number of abnormal devices detected within a certain period of time in each data processing path exceeds a predetermined threshold (S3101), the alert processing function 403 of the integrated management device 102 verifies whether there is a bias in the attributes of the abnormal devices (e.g., device type 603, firmware version 606, security patch 607, etc.) (S3102). For example, if there is a bias, such as many abnormalities detected in devices of a particular type, or abnormalities detected in devices with old firmware versions or devices with unupdated security patches (yes in S3102), the alert processing function 403 extracts devices with the same attributes as the devices in which many abnormalities were detected as candidate abnormal devices (S3103).

If the ratio of devices in which an abnormality has been detected and devices that are considered to be abnormal device candidates exceeds a predetermined threshold (yes in S3104), the alert processing function 403 performs a backup process for normal devices (i.e., devices that are neither abnormal devices nor abnormal device candidates) (S3105).

Next, the vulnerability management function 502 instructs the implementation of security measures for candidate abnormal devices for which security measures have not been implemented (old firmware version or security patch not applied). If a device for which security measures have been implemented has already been registered, the vulnerability level 604 in the device attribute information 503 is updated (S3106). The alert processing function 403 performs normal device evacuation processing for devices whose vulnerability level 604 has been updated due to the implementation of security measures and which are no longer candidate abnormal devices (S3107).

Figure 32 is a flowchart showing an example of the processing flow for saving a normal device. The data processing path selection function 1002 references the data processing path attribute information 703 and checks whether there is a data processing path that has security functions at the same level or higher than the data processing path being processed (i.e., has all the security functions that the data processing path being processed has) (S3202).

If a data processing path of the same level or higher exists (yes in S3202), the path is recalculated for each service, excluding the data processing path being processed (S3203), and the security requirement information 1003 is updated (S3203). Next, the data processing path management function 702 recalculates the data processing paths for the normal device group based on the security requirement information 1003 and the device attribute information 503 (S3204). Next, the alert processing function 403 instructs the normal device group to move to the candidate data processing path (S3205).

If there is no data processing path with security functions at the same level or higher than the data processing path being processed (no in S3202), the administrator creates a new data processing path and installs the necessary security functions (S3207). Next, the administrator registers the newly created data processing path (S3208) and instructs normal devices to move to the newly created data processing path (S3209).

To accommodate a large number of devices, in a system with two or more data processing paths with the same level of security functionality, step S3023 of this processing flow will return "yes," and normal devices can be automatically evacuated. It is also possible to perform the recalculation of the data processing path for normal devices (S3204) and the instruction to move the path to the normal device (S3205) in parallel for two or more devices, and then move the path sequentially starting with the device for which the recalculation has been completed.

Alternatively, a new data processing path may be established and all normal devices may be migrated to the newly established data processing path without checking (S3202) whether a data processing path has the same level of security functions as the target data processing path. Alternatively, while migrating normal devices that can use existing data processing paths, a new data processing path may be established in parallel, and normal devices that could not be migrated to the existing data processing path may be migrated to the newly established data processing path.

According to this embodiment, in an IoT system, security functions can be adjusted according to device vulnerabilities and service security requirements, ensuring system security and facilitating the management of a large number of devices. In particular, when an abnormality occurs in a large number of devices, it is possible to quickly evacuate normal devices, thereby preventing the abnormal devices from affecting normal devices.

The present invention has been specifically described above based on the embodiments, but the present invention is not limited to the above examples and can be modified in various ways without departing from the spirit of the invention. For example, the above embodiments have been described in detail to clearly explain the present invention, and the present invention is not necessarily limited to those that include all of the described configurations. Furthermore, some of the configurations of the above embodiments can be added to, deleted from, or replaced with other configurations.

Furthermore, the control and information lines in each diagram are those considered necessary for explanation, and do not necessarily show all control and information lines in the actual implementation. For example, it is safe to assume that in reality, almost all components are interconnected.

Furthermore, each of the above-mentioned embodiments may be implemented independently, or some or all of them may be combined and implemented.

In addition, in the above description, the components (for example, each function, database, and element step) are not necessarily essential unless specifically stated otherwise or considered clearly essential. Furthermore, each function, database, etc. may be provided in a device different from the device described in the embodiment. Furthermore, a different configuration from this embodiment may be used, such as dividing a function into separate devices for execution, or dividing and recording a database.

Furthermore, the data recorded by each information processing device may include more or fewer items than those shown in the examples. Furthermore, while a table notation is used as an example of each piece of data, this does not limit the method of recording each piece of data to a table format; data may be recorded in various ways, such as a list or chain. Furthermore, the recorded elements may be expressed in various forms, such as numbers, symbols, or mathematical formulas.

The above-described embodiment enables efficient data collection and control of IoT devices, resulting in less energy consumption, reduced carbon emissions, prevention of global warming, and contribution to the realization of a sustainable society.

101: Information processing system, 102: Integrated management device, 103: Device management device, 104: Data processing path management device, 105: Service management device, 106: Security device, 109: Application device, 111: IoT device gateway, 113: Carrier network, 114: Device, 115: Asset, 201: Data processing path

Claims (14)

A data processing path management system for an information processing system including an information processing resource and a data transmission/reception path, the system having a function for the information processing resource to receive data via the data transmission/reception path from a device connected via a network, and a function for providing a service by the information processing resource, the information processing resource and the data transmission/reception path being logically or physically divided into a plurality of data processing paths, and each of the data processing paths having a different security function, the system controlling the data processing path,
an information processing device manages security requirement information that associates the required security functions with combinations of the service and the device attributes, and selects the data processing path based on the security requirement information ;
A data processing path management device is provided,
the data processing path management device instructs the device to switch from a first data processing path to a second data processing path based on the selected data processing path;
Data processing route management system. the security requirement information includes vulnerability information of the device as an attribute of the device;
2. The data processing path management system according to claim 1 . managing data processing path attribute information that associates the available security functions with the data processing paths;
3. The data processing path management system according to claim 2 . managing device attribute information that associates the vulnerability information with the available services for the device;
selecting the data processing path based on the security requirement information when at least one of the device attribute information, the data processing path attribute information, and the security requirement information is changed;
4. The data processing path management system according to claim 3 . Equipped with an integrated management device,
When the number of abnormal devices detected within a certain period of time in any of the data processing paths exceeds a threshold, the integrated management device designates the data processing path as a target data processing path and extracts abnormal device candidates based on a bias in the attributes of the abnormal devices;
instructing the devices other than the abnormal device and the candidate abnormal device that use the target data processing path to switch to a data processing path other than the target data processing path;
5. The data processing path management system according to claim 4 . The integrated management device
selecting a data processing path other than the target data processing path from among data processing paths that can use all of the security functions that can be used by the target data processing path;
6. The data processing path management system according to claim 5 . The integrated management device
When the vulnerability information corresponding to the abnormal device candidate is updated in the device attribute information, an instruction is given to the abnormal device candidate to switch to a data processing path other than the target data processing path.
7. The data processing path management system according to claim 6 . A data processing path management method for an information processing system including an information processing resource and a data transmission/reception path, the information processing resource having a function of receiving data via the data transmission/reception path from a device connected via a network, and a function of providing a service by the information processing resource, the information processing resource and the data transmission/reception path being logically or physically divided into a plurality of data processing paths, and each of the data processing paths having a different security function, the method comprising:
the information processing device manages security requirement information that associates the necessary security functions with combinations of the service and vulnerability information of the device, which is an attribute of the device, and selects the data processing path based on the security requirement information;
Data processing path management method. the information processing device instructs the device to switch from the first data processing path to the second data processing path based on the selected data processing path;
9. The data processing path management method according to claim 8 . the information processing device manages data processing path attribute information that associates the available security functions with the data processing paths;
10. The data processing path management method according to claim 9 . an information processing device manages device attribute information that associates the vulnerability information with the available services for the device;
an information processing device, triggered by a change in at least one of the device attribute information, the data processing path attribute information, and the security requirement information, selecting the data processing path based on the security requirement information;
11. The data processing path management method according to claim 10 . When the number of abnormal devices detected within a certain period of time in any of the data processing paths exceeds a threshold, the information processing device designates the data processing path as a target data processing path, and extracts candidate abnormal devices based on a bias in the attributes of the abnormal devices;
an information processing device instructs the devices other than the abnormal device and the abnormal device candidate that use the target data processing path to switch to a data processing path other than the target data processing path;
12. The data processing path management method according to claim 11 . the information processing device selects a data processing path other than the target data processing path from among data processing paths that can use all of the security functions that can be used by the target data processing path;
13. The data processing path management method according to claim 12 . when the vulnerability information corresponding to the abnormal device candidate is updated in the device attribute information, the information processing device instructs the abnormal device candidate to perform a path change to switch to a data processing path other than the target data processing path.
14. The data processing path management method according to claim 13 .