[go: up one dir, main page]

WO2025009039A1 - Communication system, communication method, and communication program - Google Patents

Communication system, communication method, and communication program Download PDF

Info

Publication number
WO2025009039A1
WO2025009039A1 PCT/JP2023/024683 JP2023024683W WO2025009039A1 WO 2025009039 A1 WO2025009039 A1 WO 2025009039A1 JP 2023024683 W JP2023024683 W JP 2023024683W WO 2025009039 A1 WO2025009039 A1 WO 2025009039A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication
information
risk
determination
software
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/JP2023/024683
Other languages
French (fr)
Japanese (ja)
Inventor
泰典 和田
貴之 上原
拓也 南
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NTT Inc
Original Assignee
Nippon Telegraph and Telephone Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp filed Critical Nippon Telegraph and Telephone Corp
Priority to PCT/JP2023/024683 priority Critical patent/WO2025009039A1/en
Publication of WO2025009039A1 publication Critical patent/WO2025009039A1/en
Anticipated expiration legal-status Critical
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to a communication system, a communication method, and a communication program.
  • the operator checks the vulnerability information (e.g., attack source classification: network (NW)), checks the settings and operation of the device, and compares this information to confirm the risk of an attack being successful against the system.
  • vulnerability information e.g., attack source classification: network (NW)
  • risk assessment technology based on network configuration has the problem that the risk assessment does not take into account the impact of the actual communication operations of the devices.
  • the present invention has been made in consideration of the above, and aims to provide a communication system, a communication method, and a communication program that enable risk assessment based on the actual communication operation of the device.
  • the communication system is a communication system having an agent provided in a device to be judged and a judgment device that performs a risk judgment on the device to be judged, and the judgment device is characterized in that it functions as a judgment unit that performs a risk judgment on vulnerability information sent to the device to be judged based on the communication operation status of the device to be judged obtained via the agent.
  • the present invention makes it possible to assess risk based on the actual communication behavior of devices.
  • FIG. 1 is a diagram for explaining an overview of the process according to the embodiment.
  • FIG. 2 is a diagram illustrating a process flow according to the embodiment.
  • FIG. 3 is a diagram illustrating an example of a configuration of a communication system according to an embodiment.
  • FIG. 4 is a diagram showing an example of the configuration of the agent shown in FIG.
  • FIG. 5 is a diagram illustrating an example of the configuration of the determination device illustrated in FIG.
  • FIG. 6 is a diagram illustrating the communication information generation process.
  • FIG. 7A is a diagram illustrating an example of communication operation information generated in the communication information generation process.
  • FIG. 7B is a diagram illustrating an example of communication operation information generated in the communication information generation process.
  • FIG. 7C is a diagram illustrating an example of communication operation information generated in the communication information generation process.
  • FIG. 7D is a diagram illustrating an example of communication operation information generated in the communication information generation process.
  • FIG. 8 is a diagram illustrating a method for acquiring software information from process information.
  • FIG. 9 is a diagram illustrating a method for acquiring software information from process information.
  • FIG. 10 is a diagram illustrating the device information updating process.
  • FIG. 11A is a diagram for explaining the definition of the risk level generated in the device information updating process.
  • FIG. 11B is a diagram for explaining the definition of the risk level generated in the device information updating process.
  • FIG. 12 is a diagram illustrating an example of a data configuration of the device information.
  • FIG. 13 is a diagram illustrating the risk threshold setting process.
  • FIG. 14 is a diagram illustrating the risk determination process.
  • FIG. 15 is a diagram illustrating a specific example of the risk assessment process.
  • FIG. 16 is a diagram illustrating a specific example of the risk assessment process.
  • FIG. 17 is a flowchart showing the procedure of the communication information generation process.
  • FIG. 18 is a flowchart showing the procedure of the device information updating process.
  • FIG. 19 is a flowchart showing the processing procedure of the risk threshold setting process.
  • FIG. 20 is a flowchart showing the processing procedure of the risk determination process.
  • FIG. 21 is a diagram illustrating an example of a computer in which an agent and a determination device are realized by executing a program.
  • FIG. 1 is a diagram for explaining an outline of the process according to the embodiment. As shown in FIG. 1, four processes are executed in the embodiment.
  • a communication information generation process (first generation process), a device information updating process (second generation process), and a risk threshold setting process are executed in advance.
  • the communication information generation process acquires packets generated by the device to be assessed, acquires information on the software performing the communication, and updates communication operation information.
  • the device information updating process generates risk level information and registers the latest device information.
  • the risk threshold setting process sets a threshold for risk assessment (hereinafter referred to as the risk threshold). This ensures that the assessment device always holds the latest risk level information.
  • the determination device when it receives a vulnerability notification, it executes a risk determination process (determination process) for the vulnerability notification content. Note that in the risk determination process, if it determines that notification of the result of the determination is necessary, it executes a notification process to notify the determination result.
  • risk level information generated from the communication operation of the device is used for the judgment. Therefore, according to the embodiment, unlike conventional risk judgment techniques based on the network configuration, it is possible to make a risk judgment based on the actual communication operation of the device.
  • FIG. 2 is a diagram explaining the process flow of an embodiment.
  • communication information generation process is a process that is performed continuously.
  • Device information updating process is a process that is performed periodically.
  • Risk threshold setting process and risk assessment process are processes that are performed irregularly.
  • FIG 3 is a diagram showing an example of the configuration of the communication system according to an embodiment.
  • the communication system 100 includes a device 20 to be assessed for risk, a determination device 30 that performs risk assessment for the device 20, a vulnerability information distribution service 40 that is suspected of having communication vulnerabilities, an external server 50, and an internal server 60 that communicates with the device 20 to be assessed.
  • the vulnerability information distribution service 40 and the external server 50 can communicate with the assessment target device 20 via the Internet.
  • a firewall is provided between the device 20 to be judged and the Internet to protect the internal device from external attacks.
  • An agent 10 is provided in the device 20 to be judged. The agent 10 acquires the communication operation status of the device 20 to be judged. The agent 10 generates risk level information on a software basis based on the communication operation information of the device 20 to be judged, and registers it in the judgment device 30.
  • the determination device 30 performs risk determination for the vulnerability information sent to the device 20 to be determined based on the communication operation status of the device 20 to be determined acquired by the agent 10.
  • FIG. 4 is a diagram showing an example of the configuration of the agent 10 shown in Fig. 3.
  • the agent 10 is realized, for example, by loading a predetermined program into a computer or the like including a ROM (Read Only Memory), a RAM (Random Access Memory), a CPU (Central Processing Unit), etc., and having the CPU execute the predetermined program.
  • the agent 10 is also capable of communicating with other devices via a communication interface that is included in the device to be determined and that transmits and receives various information to and from other devices connected via a network or the like.
  • the agent 10 has a packet capture result 11, a communication behavior information DB 12, a packet capture acquisition unit 13, a software information acquisition unit 14, a communication behavior information generation unit 15, a risk level information generation unit 16, a device information generation unit 17, and a device information transmission unit 18.
  • the packet capture result 11 stores the packet capture acquired by the packet capture acquisition unit 13.
  • the communication action information DB12 stores the communication action information generated by the communication information generation process.
  • the packet capture acquisition unit 13 acquires packets generated in the device 20 to be determined.
  • the packet capture acquisition unit 13 captures packets generated by communication from inside to outside or communication from outside to inside.
  • the packet capture acquisition unit 13 stores the captured packets in the packet capture result 11.
  • the software information acquisition unit 14 acquires software information about the software that communicated the packet acquired by the packet capture acquisition unit 13 during the communication information generation process. If the captured packet does not have a known communication pattern, the software information acquisition unit 14 acquires software information about the software that communicated this packet. The software information acquisition unit 14 acquires software information on a software-by-software basis.
  • the communication operation information generating unit 15 generates communication operation information indicating the communication operation of the packet in the communication information generating process.
  • the communication operation information includes at least the software that performed the communication of the packet acquired by the packet capture acquiring unit 13.
  • the communication operation information generation unit 15 updates the last communication time of the communication operation information of this known communication pattern. If the packet captured by the packet capture acquisition unit 13 is not of a known communication pattern, the communication operation information generation unit 15 generates communication operation information for the communication of this packet based on the software information acquired by the software information acquisition unit 14. The communication operation information generation unit 15 generates communication operation information on a software basis.
  • the risk level information generating unit 16 uses the communication operation information in the device information updating process to generate risk level information based on the communication operation.
  • the risk level information generating unit 16 generates risk level information for each piece of software.
  • the risk level information generating unit 16 generates risk level information for software based on whether or not the software has had its communication information changed since the previous execution, and whether or not software that was not present during the previous execution has been added to the communication information.
  • the risk level information generating unit 16 generates risk level information for external communication and risk level information for internal communication. As described below, risk levels are defined, for example, in four stages, depending on the state of connectivity and communication operation.
  • the risk level information generating unit 16 updates the risk level of this software according to the communication status and communication operation status, and generates risk level information including the updated risk level. In addition, even if there is no software whose communication information has changed since the last time it was executed, if software that was not present at the last time it was executed has been added to the communication information, the risk level information generating unit 16 determines the risk level of the added software according to the communication status and communication operation status, and generates risk level information indicating the determined risk level.
  • the device information generating unit 17 generates the latest device information of the device 20 to be determined in the device information updating process.
  • the device information generating unit 17 registers device information in which software is associated with risk level information corresponding to the software in the determination device 30.
  • the device information has a configuration in which software identification information is associated with external communication risk level information and internal communication risk level information for each piece of software.
  • the device information transmission unit 18 transmits the latest device information of the device 20 to be determined, generated by the device information generation unit 17, to the determination device 30, and requests registration of the latest device information.
  • Fig. 5 is a diagram showing an example of the configuration of the determination device 30 shown in Fig. 3.
  • the determination device 30 is realized, for example, by loading a predetermined program into a computer or the like including a ROM, a RAM, a CPU, etc., and having the CPU execute the predetermined program.
  • the determination device 30 is capable of communicating with other devices via a communication interface that is included in the device to be determined and that transmits and receives various information to and from other devices connected via a network or the like.
  • the determination device 30 has a device information DB 31, risk threshold setting information 32, a device information registration unit 33, a risk threshold setting unit 34, a vulnerability information receiving unit 35, a risk determination unit 36, and a result notification unit 37.
  • the device information DB31 stores the device information sent from the agent 10.
  • Risk threshold setting information 32 is a DB that stores setting information for risk thresholds. Risk thresholds are set for both external and internal communications, and are expressed as risk level values.
  • the device information registration unit 33 receives device information sent from the agent 10 and stores it in the device information DB 31.
  • the risk threshold setting unit 34 accepts input of threshold information (risk threshold information) for risk judgment, including a risk threshold, and registers the risk threshold as risk threshold setting information 32 based on the input risk threshold information.
  • risk threshold is set by the operator for each of external communication and internal communication.
  • the vulnerability information receiving unit 35 receives vulnerability information sent from the vulnerability information distribution service 40.
  • the risk assessment unit 36 assesses the risk of the vulnerability information received by the vulnerability information receiving unit 35.
  • the risk assessment unit 36 performs risk assessment on the vulnerability information sent to the assessment target device 20 based on the communication operation state of the assessment target device 20 acquired by the agent 10.
  • the risk assessment unit 36 receives notification of the distribution of vulnerability information to the assessment target device 20, it assesses the risk of the vulnerability information based on the device information registered by the agent 10 and a preset threshold value (risk threshold) for risk assessment.
  • the risk threshold is set for each software for both external communication and internal communication.
  • the risk determination unit 36 determines the risk of the received vulnerability information based on the attack source classification of the vulnerability information, the risk level of the software corresponding to the vulnerability information, and the risk threshold.
  • the risk determination unit 36 determines the risk of the vulnerability information based on predetermined determination rules. For example, if the risk level is equal to or greater than the predetermined risk threshold, the risk determination unit 36 determines the risk to be high, and if the risk level is less than the predetermined risk threshold, the risk determination unit 36 determines the risk to be low.
  • the result notification unit 37 notifies the operator of the result of the risk assessment unit 36 depending on the degree of risk assessed by the risk assessment unit 36.
  • FIG. 6 is a diagram illustrating the communication information generation process.
  • the agent 10 captures and acquires packets generated in the device to be judged 20 ((1) in FIG. 6).
  • the agent 10 captures packets generated by internal communication, internal to external communication, or external to internal communication.
  • Internal communication includes communication from the device to be judged 20 to the host and communication from other hosts to the device to be judged.
  • the agent 10 acquires information about the software that communicated the packet ((2) in FIG. 6). If the packet is of a known communication pattern in the device 20 to be judged, the agent 10 updates the last communication time in the communication operation information for the corresponding known communication pattern ((3) in FIG. 6).
  • FIGS. 7-1 to 7-4 are diagrams illustrating an example of communication operation information generated in the communication information generation process.
  • four pieces of communication operation information are generated by the communication information generation process: external communication information (communication from outside to inside) of the device to be determined 20 (FIG. 7-1), external communication information (communication from inside to outside) of the device to be determined 20 (FIG. 7-2), internal communication information of the device to be determined 20 (communication from another host to the device to be determined 20) (FIG. 7-3), and internal communication information of the device to be determined 20 (communication from the device to be determined 20 to another host) (FIG. 7-4).
  • Each piece of information has the following fields: source IP (srcIP), source port (srcPort), destination IP (dstIP), destination port (dstPort), software name, and last communication time, and is constantly updated.
  • source IP srcIP
  • source port srcPort
  • destination IP dstIP
  • destination port dstPort
  • software information is obtained from process information, etc.
  • Software information is obtained from packet header information.
  • FIGS. 8 and 9 are diagrams explaining a method for acquiring software information from process information.
  • the agent 10 uses the information shown in FIG. 8 (listening port number, PID, executable file name) ((1) and (2) in FIG. 8) to identify the executable file of the process waiting for communication ((3) in FIG. 8).
  • a process in LISTEN is shown as an example, but even if the communication originates from the device 20 to be determined, software information can be obtained in the same way by referencing the information of the connection in the ESTABLISHED state. Note that if the executable file name is a command name, a process of referencing the actual file of the command is added.
  • the software name and version information can be obtained by referencing the package name that contains the executable file name ((1) in Figure 9), as shown in Figure 9.
  • Figure 9 shows an example that uses information from a package management system. Another method is to use the device's SBOM (Software Bill of Materials).
  • FIG. 10 is a diagram illustrating the device information updating process.
  • the agent 10 in the device information updating process, the agent 10 generates risk level information for the software based on whether or not the software has had its communication information changed since the previous execution of the device information updating process, and whether or not software that was not present in the previous execution of the process has been added to the communication information ((1) in FIG. 10).
  • the agent 10 generates the latest device information of the device 20 to be judged ((2) in FIG. 10).
  • the agent 10 transmits the generated latest device information of the device 20 to the judgment device 30 and requests registration of the latest device information ((3) in FIG. 10).
  • the device information updating process is a process that is performed periodically, the timing of its execution may be determined by the operator. For example, the timing of the device information updating process may be set to execute at one-minute intervals with an emphasis on updating the information, or to execute daily taking into account the load on the target device.
  • FIGS. 11-1 and 11-2 are diagrams explaining the definition of risk levels generated in the device information updating process.
  • the risk level definition is explained by providing the following items as risk level, destination IP address, protocol/destination port, connectivity/communication operation, and remarks. Note that the definition of risk level is not limited to the examples in FIG. 11-1 and FIG. 11-2, and may be freely defined by the operator.
  • Figure 11-1 shows the definition of risk levels for external communications
  • Figure 11-2 shows the definition of risk levels for internal communications
  • Figures 11-1 and 11-2 are examples in which risk is defined in increasing order as no communication possible, no communication, communication with a specific party, and communication with an unspecified party.
  • the risk is low because communication is not possible, and the risk level is "1.” If communication is possible or communication is unknown and there is no communication when the device is operating normally, the risk is low as long as the device to be judged 20 itself is operating normally, and the risk level is "2.” If communication is possible and the device to be judged communicates only with specific parties when operating normally, the risk is low as long as both the device to be judged 20 itself and the other party are operating normally, and the risk level is "3.” If communication is possible and communication is with unspecified parties, there is a possibility of risk, and the risk level is "4.”
  • the risk level information generating unit 16 determines whether there is software whose communication information has changed since the previous execution, and whether software that was not present at the previous execution has been added to the communication information. The risk level information generating unit 16 then refers to Figures 11-1 and 11-2 to determine the risk level of the software and generate risk level information.
  • the global IP address in Figure 11-1 may also include a local IP address (proxy, LB (Load Balancer), etc.) that relays communications with the outside world.
  • proxy proxy
  • LB Load Balancer
  • FIG. 12 is a diagram illustrating an example of the data configuration of device information.
  • the agent 10 registers device information having the configuration shown in FIG. 12 in the determination device 30.
  • the device information has items such as software name, risk level of external communication, and risk level of internal communication. Therefore, by registering this device information, the determination device 30 holds a set of software configuration information and risk level information based on communication operations.
  • FIG. 13 is a diagram illustrating the risk threshold setting process.
  • the determination device 30 accepts risk threshold information input by the operator and sets a threshold value (risk threshold) for risk determination ((1) in FIG. 13).
  • risk threshold is set to a risk level of "4" or higher for external communications and a risk level of "4" or higher for internal communications.
  • FIG. 14 is a diagram illustrating the risk determination process.
  • the determination device 30 When the determination device 30 receives vulnerability information sent from the vulnerability information distribution service 40 ((1) in FIG. 14), it determines the risk of the received vulnerability information ((2) in FIG. 14). If necessary, the determination device 30 notifies the operator of the result of the risk determination ((3) in FIG. 14).
  • FIG. 15 is a diagram explaining a specific example of risk assessment processing. As a premise, it is assumed that the risk threshold and device information described in box W1 (FIG. 15) are registered in the assessment device 30. In addition, in the example of FIG. 15, as shown in box W1, only vulnerability information corresponding to software that communicates with unspecified parties (risk level "4") is notified to the operator.
  • the judgment device 30 judges that the vulnerability information for the software "RRR” is low risk ((2) in FIG. 15). Since the judgment device 30 has determined that the vulnerability information for the software "RRR” is low risk, it judges that notification processing to the operator is unnecessary and does not notify the operator of the judgment result ((3) in FIG. 15).
  • the risk is determined to be high because the determination is not made based on the actual communication partner or communication operation, but in this embodiment, the risk can be determined to be low by making a determination based on the communication operation.
  • FIG. 16 is a diagram explaining a specific example of risk assessment processing. As a premise, it is assumed that the risk threshold and device information described in box W2 (FIG. 16) are registered in the assessment device 30. In addition, the example of FIG. 16 explains a case where, as shown in box W2, vulnerability information of communicating software (risk level "3" or higher) is notified regardless of whether the other party is unspecified or not.
  • the judgment device 30 judges that the vulnerability information for the software "RRR” is high risk ((2) in FIG. 16). Since the judgment device 30 has determined that the vulnerability information for the software "RRR” is high risk, it judges that notification processing to the operator is necessary and notifies the operator of the judgment result ((3) in FIG. 16).
  • FIG. 17 is a flowchart showing the procedure of the communication information generation process.
  • the agent 10 captures and acquires packets generated in the device 20 to be judged (step S1).
  • the agent 10 determines whether the captured packet is a known communication pattern (step S2).
  • step S2 If the captured packet is a known communication pattern (step S2: Yes), the agent 10 updates the last communication time of the communication operation information for the corresponding known communication pattern (step S3) and ends the communication information generation process for the captured packet.
  • step S2 If the captured packet does not have a known communication pattern (step S2: No), the agent 10 acquires information about the software that performed the communication of this packet (step S4). The agent 10 then generates communication operation information for that communication (step S5) and ends the communication information generation process for the captured packet.
  • FIG. 18 is a flowchart showing the procedure of the device information updating process.
  • the agent 10 determines whether there is any software whose communication information has changed since the last time it was executed (step S11).
  • step S11 If there is software whose communication information has changed since the last time it was executed (step S11: Yes), the agent 10 updates the risk level information of the software whose communication information has changed since the last time it was executed in accordance with the change in the communication information (step S12), and generates the latest device information for the device 20 to be assessed.
  • the agent 10 transmits the latest device information of the device 20 to be judged to the judgment device 30 (step S13).
  • the judgment device 30 registers the latest device information (step S14) and ends the device information updating process.
  • step S11 determines whether software that was not present during the previous execution has been added to the communication information (step S15).
  • step S15: No If software that was not present the last time the program was executed has not been added to the communication information (step S15: No), the device information update process ends.
  • step S15 if software that was not present at the time of the previous execution has been added to the communication information (step S15: Yes), the agent 10 generates risk level information for the software that has been added to the communication information (step S16).
  • the agent 10 transmits the latest device information of the device 20 to be determined to the determination device 30 (step S17).
  • the determination device 30 registers the latest device information (step S14) and ends the device information updating process.
  • FIG. 19 is a flowchart showing the processing procedure of the risk threshold setting process.
  • the determination device 30 accepts the input of risk threshold information (step S21) and registers risk threshold setting information 32 based on the input risk threshold information (step S22).
  • FIG. 20 is a flowchart showing the processing procedure of the risk determination process.
  • the determination device 30 When the determination device 30 receives vulnerability information sent from the vulnerability information distribution service 40 (step S31), it determines whether the attack source category of the received vulnerability information is a network (step S32).
  • step S32 If the attack source category of the received vulnerability information is NW (step S32: Yes), the determination device 30 determines whether the risk level of the software corresponding to the vulnerability information is equal to or greater than the risk threshold (step S33).
  • step S33 If the risk level of the software corresponding to the vulnerability information is equal to or greater than the risk threshold (step S33: Yes), the determination device 30 determines that the risk is high and notifies the operator (step S34).
  • step S33 If the risk level of the software corresponding to the vulnerability information is less than the risk threshold (step S33: No), the determination device 30 determines that the risk is low (step S35).
  • step S32: No If the attack source category of the received vulnerability information is not NW (step S32: No), after step S34 or step S35 is completed, the determination device 30 ends the risk determination process.
  • the determination device 30 performs risk determination for the vulnerability information transmitted to the determination target device 20, based on the actual communication operation state of the determination target device 20 acquired via the agent 10. Specifically, the determination device 30 performs risk determination for the determination target device 20, using risk level information generated by the agent 10 from the actual communication operation of the determination target device 20. Therefore, in the embodiment, risk determination based on the actual communication operation of the device is possible.
  • the agent 10 and the determination device 30 perform communication information generation processing, device information updating processing, and risk threshold setting processing in advance.
  • the determination device 30 always holds the latest risk level information.
  • the determination device 30 receives a vulnerability notification, it performs risk determination processing based on the latest risk level information, making it possible to perform risk determination quickly and appropriately.
  • Each component of the agent 10 and the determination device 30 is a functional concept, and does not necessarily have to be physically configured as shown in the figure.
  • the specific form of distribution and integration of the functions of the agent 10 and the determination device 30 is not limited to that shown in the figure, and all or part of them can be functionally or physically distributed or integrated in any unit depending on various loads, usage conditions, etc.
  • each process performed by the agent 10 and the determination device 30 may be realized, in whole or in part, by a CPU, a GPU (Graphics Processing Unit), and a program analyzed and executed by the CPU and GPU. Furthermore, each process performed by the agent 10 and the determination device 30 may be realized as hardware using wired logic.
  • [program] 21 is a diagram showing an example of a computer in which an agent 10 and a determination device 30 are realized by executing a program.
  • the computer 1000 has, for example, a memory 1010 and a CPU 1020.
  • the computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These components are connected by a bus 1080.
  • the memory 1010 includes a ROM 1011 and a RAM 1012.
  • the ROM 1011 stores a boot program such as a BIOS (Basic Input Output System).
  • BIOS Basic Input Output System
  • the hard disk drive interface 1030 is connected to a hard disk drive 1090.
  • the disk drive interface 1040 is connected to a disk drive 1100.
  • a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100.
  • the serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example.
  • the video adapter 1060 is connected to a display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS (Operating System) 1091, application programs 1092, program modules 1093, and program data 1094. That is, the programs that define the processes of the agent 10 and the determination device 30 are implemented as program modules 1093 in which code executable by the computer 1000 is written.
  • the program modules 1093 are stored, for example, in the hard disk drive 1090.
  • the program modules 1093 for executing processes similar to the functional configurations of the agent 10 and the determination device 30 are stored in the hard disk drive 1090.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the setting data used in the processing of the above-mentioned embodiment is stored as program data 1094, for example, in memory 1010 or hard disk drive 1090.
  • the CPU 1020 reads the program module 1093 or program data 1094 stored in memory 1010 or hard disk drive 1090 into RAM 1012 as necessary and executes it.
  • the program module 1093 and program data 1094 may not necessarily be stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like.
  • the program module 1093 and program data 1094 may be stored in another computer connected via a network (such as a LAN (Local Area Network), WAN (Wide Area Network)).
  • the program module 1093 and program data 1094 may then be read by the CPU 1020 from the other computer via the network interface 1070.
  • Agent 11 Packet capture result 12 Communication operation information DB REFERENCE SIGNS LIST 13 Packet capture acquisition unit 14 Software information acquisition unit 15 Communication operation information generation unit 16 Risk level information generation unit 17 Device information generation unit 18 Device information transmission unit 20 Judgment target device 30 Judgment device 31 Device information DB 32 Risk threshold setting information 33 Device information registration unit 34 Risk threshold setting unit 35 Vulnerability information receiving unit 36 Risk determination unit 37 Result notification unit 40 Vulnerability information distribution service 50 External server 60 Internal server

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

A communication system (100) includes: an agent (10) that is provided in an assessment target apparatus (20); and an assessment device (30) that carries out risk assessment for the assessment target apparatus (20). The assessment device (30) includes an assessment unit for carrying out, on the basis of the operation state of communication by the assessment target apparatus (20) acquired via the agent (10), risk assessment pertaining to vulnerability information transmitted to the assessment target apparatus (20).

Description

通信システム、通信方法及び通信プログラムCOMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM

 本発明は、通信システム、通信方法及び通信プログラムに関する。 The present invention relates to a communication system, a communication method, and a communication program.

 従来の脆弱性管理業務では、機器に関する脆弱性通知を受け、運用者が脆弱性情報を確認し(攻撃元区分:ネットワーク(NW)など)、運用者が機器の設定と動作を確認し、これらの情報を突合し、システムに対して攻撃が成立するリスクを確認する。 In conventional vulnerability management work, when a vulnerability notification is received about a device, the operator checks the vulnerability information (e.g., attack source classification: network (NW)), checks the settings and operation of the device, and compares this information to confirm the risk of an attack being successful against the system.

株式会社富士通システムズ・イースト, “脆弱性可視化サービスを提供開始 業界初のネットワークセキュリティリスク診断サービス”, 2016年7月20日, [令和5年5月26日検索],インターネット<URL:https://pr.fujitsu.com/jp/news/grp-archives/feast/feast20160720-1.html>Fujitsu Systems East Ltd., "Introducing vulnerability visualization service: Industry's first network security risk diagnosis service", July 20, 2016, [Retrieved May 26, 2023], Internet <URL: https://pr.fujitsu.com/jp/news/grp-archives/feast/feast20160720-1.html> NEC, “サイバー攻撃ルート診断サービス”, [令和5年5月29日検索],インターネット<URL:https://jpn.nec.com/cybersecurity/professionalservice/vulnerability_diagnosis/attack_route.html>NEC, "Cyber Attack Route Diagnosis Service", [Retrieved May 29, 2023], Internet <URL: https://jpn.nec.com/cybersecurity/professionalservice/vulnerability_diagnosis/attack_route.html> NEC, “サイバー攻撃リスク自動診断技術”, [令和5年5月29日検索],インターネット<URL:https://jpn.nec.com/rd/technologies/201804/index.html>NEC, "Cyber Attack Risk Automatic Diagnosis Technology", [Retrieved May 29, 2023], Internet <URL: https://jpn.nec.com/rd/technologies/201804/index.html>

 しかしながら、ネットワーク構成に基づくリスク判定技術では、実際の機器の通信動作を踏まえた影響度がリスク判定に含まれていないという課題があった。 However, risk assessment technology based on network configuration has the problem that the risk assessment does not take into account the impact of the actual communication operations of the devices.

 本発明は、上記に鑑みてなされたものであって、実際の機器の通信動作を踏まえたリスク判定を可能とする通信システム、通信方法及び通信プログラムを提供することを目的とする。 The present invention has been made in consideration of the above, and aims to provide a communication system, a communication method, and a communication program that enable risk assessment based on the actual communication operation of the device.

 上述した課題を解決し、目的を達成するために、本発明に係る通信システムは、判定対象機器に設けられたエージェントと、前記判定対象機器のリスク判定を行う判定装置とを有する通信システムであって、前記判定装置は、前記エージェントを介して取得した前記判定対象機器の通信の動作状態を基に、前記判定対象機器に送信される脆弱性情報に対するリスク判定を行う判定部を行うことを特徴とする。 In order to solve the above-mentioned problems and achieve the objective, the communication system according to the present invention is a communication system having an agent provided in a device to be judged and a judgment device that performs a risk judgment on the device to be judged, and the judgment device is characterized in that it functions as a judgment unit that performs a risk judgment on vulnerability information sent to the device to be judged based on the communication operation status of the device to be judged obtained via the agent.

 本発明によれば、実際の機器の通信動作を踏まえたリスク判定を可能とする。 The present invention makes it possible to assess risk based on the actual communication behavior of devices.

図1は、実施の形態の処理の概要について説明する図である。FIG. 1 is a diagram for explaining an overview of the process according to the embodiment. 図2は、実施の形態の処理の流れについて説明する図である。FIG. 2 is a diagram illustrating a process flow according to the embodiment. 図3は、実施の形態に係る通信システムの構成の一例を示す図である。FIG. 3 is a diagram illustrating an example of a configuration of a communication system according to an embodiment. 図4は、図3に示すエージェントの構成の一例を示す図である。FIG. 4 is a diagram showing an example of the configuration of the agent shown in FIG. 図5は、図3に示す判定装置の構成の一例を示す図である。FIG. 5 is a diagram illustrating an example of the configuration of the determination device illustrated in FIG. 図6は、通信情報生成処理について説明する図である。FIG. 6 is a diagram illustrating the communication information generation process. 図7-1は、通信情報生成処理において生成される通信動作情報の一例を説明する図である。FIG. 7A is a diagram illustrating an example of communication operation information generated in the communication information generation process. 図7-2は、通信情報生成処理において生成される通信動作情報の一例を説明する図である。FIG. 7B is a diagram illustrating an example of communication operation information generated in the communication information generation process. 図7-3は、通信情報生成処理において生成される通信動作情報の一例を説明する図である。FIG. 7C is a diagram illustrating an example of communication operation information generated in the communication information generation process. 図7-4は、通信情報生成処理において生成される通信動作情報の一例を説明する図である。FIG. 7D is a diagram illustrating an example of communication operation information generated in the communication information generation process. 図8は、プロセス情報からソフトウェア情報を取得する方法について説明する図である。FIG. 8 is a diagram illustrating a method for acquiring software information from process information. 図9は、プロセス情報からソフトウェア情報を取得する方法について説明する図である。FIG. 9 is a diagram illustrating a method for acquiring software information from process information. 図10は、機器情報最新化処理について説明する図である。FIG. 10 is a diagram illustrating the device information updating process. 図11-1は、機器情報最新化処理において生成されるリスクレベルの定義を説明する図である。FIG. 11A is a diagram for explaining the definition of the risk level generated in the device information updating process. 図11-2は、機器情報最新化処理において生成されるリスクレベルの定義を説明する図である。FIG. 11B is a diagram for explaining the definition of the risk level generated in the device information updating process. 図12は、機器情報のデータ構成の一例を説明する図である。FIG. 12 is a diagram illustrating an example of a data configuration of the device information. 図13は、リスク閾値設定処理について説明する図である。FIG. 13 is a diagram illustrating the risk threshold setting process. 図14は、リスク判定処理について説明する図である。FIG. 14 is a diagram illustrating the risk determination process. 図15は、リスク判定処理の具体例について説明する図である。FIG. 15 is a diagram illustrating a specific example of the risk assessment process. 図16は、リスク判定処理の具体例について説明する図である。FIG. 16 is a diagram illustrating a specific example of the risk assessment process. 図17は、通信情報生成処理の処理手順を示すフローチャートである。FIG. 17 is a flowchart showing the procedure of the communication information generation process. 図18は、機器情報最新化処理の処理手順を示すフローチャートである。FIG. 18 is a flowchart showing the procedure of the device information updating process. 図19は、リスク閾値設定処理の処理手順を示すフローチャートである。FIG. 19 is a flowchart showing the processing procedure of the risk threshold setting process. 図20は、リスク判定処理の処理手順を示すフローチャートである。FIG. 20 is a flowchart showing the processing procedure of the risk determination process. 図21は、プログラムが実行されることにより、エージェント及び判定装置が実現されるコンピュータの一例を示す図である。FIG. 21 is a diagram illustrating an example of a computer in which an agent and a determination device are realized by executing a program.

 以下、図面を参照して、本発明の一実施形態を詳細に説明する。なお、この実施形態により本発明が限定されるものではない。また、図面の記載において、同一部分には同一の符号を付して示している。 Below, one embodiment of the present invention will be described in detail with reference to the drawings. Note that the present invention is not limited to this embodiment. In addition, in the drawings, the same parts are denoted by the same reference numerals.

[実施の形態]
 図1は、実施の形態の処理の概要について説明する図である。図1に示すように、実施の形態では、4つの処理を実行する。 [Embodiment]
1 is a diagram for explaining an outline of the process according to the embodiment. As shown in FIG. 1, four processes are executed in the embodiment.

 実施の形態では、まず、脆弱性通知に対するリスク判定のための準備として、予め、通信情報生成処理(第1の生成処理)、機器情報最新化処理(第2の生成処理)、リスク閾値設定処理を実行する。通信情報生成処理では、判定対象機器で発生するパケットの取得、通信を行うソフトウェア情報の取得、及び、通信動作情報の更新を行う。機器情報最新化処理では、リスクレベル情報の生成、最新の機器情報の登録を行う。リスク閾値設定処理では、リスク判定時用の閾値(以降、リスク閾値とする。)の設定を行う。これにより、判定装置には常に最新のリスクレベル情報が保持された状態となる。 In the embodiment, first, in preparation for risk assessment in response to a vulnerability notification, a communication information generation process (first generation process), a device information updating process (second generation process), and a risk threshold setting process are executed in advance. The communication information generation process acquires packets generated by the device to be assessed, acquires information on the software performing the communication, and updates communication operation information. The device information updating process generates risk level information and registers the latest device information. The risk threshold setting process sets a threshold for risk assessment (hereinafter referred to as the risk threshold). This ensures that the assessment device always holds the latest risk level information.

 続いて、実施の形態では、判定装置が脆弱性通知を受信すると、脆弱性通知内容に対するリスク判定処理(判定処理)を実行する。なお、リスク判定処理では、判定の結果通知が必要であると判断した場合、判定結果を通知する通知処理を行う。 Next, in the embodiment, when the determination device receives a vulnerability notification, it executes a risk determination process (determination process) for the vulnerability notification content. Note that in the risk determination process, if it determines that notification of the result of the determination is necessary, it executes a notification process to notify the determination result.

 このように、実施の形態では、判定には機器の通信動作から生成されたリスクレベル情報が用いられる。このため、実施の形態によれば、ネットワーク構成に基づく従来のリスク判定技術と異なり、実際の機器の通信動作を踏まえたリスク判定が可能となる。 In this way, in the embodiment, risk level information generated from the communication operation of the device is used for the judgment. Therefore, according to the embodiment, unlike conventional risk judgment techniques based on the network configuration, it is possible to make a risk judgment based on the actual communication operation of the device.

 図2は、実施の形態の処理の流れについて説明する図である。実施の形態では、通信情報生成処理、機器情報最新化処理、リスク閾値設定処理を図2に示すタイミングで実行する。通信情報生成処理は、常時行われる処理である。機器情報最新化処理は、定期的に行われる処理である。リスク閾値設定処理、リスク判定処理は、不定期に行われる処理である。 FIG. 2 is a diagram explaining the process flow of an embodiment. In the embodiment, communication information generation process, device information updating process, and risk threshold setting process are executed at the timing shown in FIG. 2. Communication information generation process is a process that is performed continuously. Device information updating process is a process that is performed periodically. Risk threshold setting process and risk assessment process are processes that are performed irregularly.

[通信システム]
 次に、実施の形態に係る通信システムについて説明する。図3は、実施の形態に係る通信システムの構成の一例を示す図である。 [Communication system]
Next, a communication system according to an embodiment will be described with reference to FIG 3. FIG 3 is a diagram showing an example of the configuration of the communication system according to an embodiment.

 図3に示すように、実施の形態に係る通信システム100は、リスク判定対象である判定対象機器20、判定対象機器20のリスク判定を行う判定装置30、通信の脆弱が疑われる脆弱性情報配信サービス40、外部サーバ50、及び、判定対象機器20と通信する内部サーバ60を有する。 As shown in FIG. 3, the communication system 100 according to the embodiment includes a device 20 to be assessed for risk, a determination device 30 that performs risk assessment for the device 20, a vulnerability information distribution service 40 that is suspected of having communication vulnerabilities, an external server 50, and an internal server 60 that communicates with the device 20 to be assessed.

 脆弱性情報配信サービス40及び外部サーバ50は、インターネットを介して、判定対象機器20と通信が可能である。 The vulnerability information distribution service 40 and the external server 50 can communicate with the assessment target device 20 via the Internet.

 判定対象機器20と、インターネットとの間は、ファイアウォールが設けられ、外部の攻撃から内部の機器を保護する。判定対象機器20には、エージェント10が設けられる。エージェント10は、判定対象機器20の通信の動作状態を取得する。エージェント10は、判定対象機器20の通信の動作情報を基に、ソフトウェア単位でリスクレベル情報を生成し、判定装置30に登録する。 A firewall is provided between the device 20 to be judged and the Internet to protect the internal device from external attacks. An agent 10 is provided in the device 20 to be judged. The agent 10 acquires the communication operation status of the device 20 to be judged. The agent 10 generates risk level information on a software basis based on the communication operation information of the device 20 to be judged, and registers it in the judgment device 30.

 判定装置30は、エージェント10が取得した判定対象機器20の通信の動作状態を基に、判定対象機器20に送信される脆弱性情報に対するリスク判定を行う。 The determination device 30 performs risk determination for the vulnerability information sent to the device 20 to be determined based on the communication operation status of the device 20 to be determined acquired by the agent 10.

[エージェント]
 図4は、図3に示すエージェント10の構成の一例を示す図である。エージェント10は、例えば、ROM(Read Only Memory)、RAM(Random Access Memory)、CPU(Central Processing Unit)等を含むコンピュータ等に所定のプログラムが読み込まれて、CPUが所定のプログラムを実行することで実現される。また、エージェント10は、判定対象機器が有する、ネットワーク等を介して接続された他の装置との間で、各種情報を送受信する通信インタフェースを介して、他の装置との通信が可能である。 [agent]
Fig. 4 is a diagram showing an example of the configuration of the agent 10 shown in Fig. 3. The agent 10 is realized, for example, by loading a predetermined program into a computer or the like including a ROM (Read Only Memory), a RAM (Random Access Memory), a CPU (Central Processing Unit), etc., and having the CPU execute the predetermined program. The agent 10 is also capable of communicating with other devices via a communication interface that is included in the device to be determined and that transmits and receives various information to and from other devices connected via a network or the like.

 図4に示すように、エージェント10は、パケットキャプチャ結果11、通信動作情報DB12、パケットキャプチャ取得部13、ソフトウェア情報取得部14、通信動作情報生成部15、リスクレベル情報生成部16、機器情報生成部17、及び、機器情報送信部18を有する。 As shown in FIG. 4, the agent 10 has a packet capture result 11, a communication behavior information DB 12, a packet capture acquisition unit 13, a software information acquisition unit 14, a communication behavior information generation unit 15, a risk level information generation unit 16, a device information generation unit 17, and a device information transmission unit 18.

 パケットキャプチャ結果11は、パケットキャプチャ取得部13によって取得されたパケットキャプチャが格納される。 The packet capture result 11 stores the packet capture acquired by the packet capture acquisition unit 13.

 通信動作情報DB12は、通信情報生成処理により生成される通信動作情報が格納される。 The communication action information DB12 stores the communication action information generated by the communication information generation process.

 パケットキャプチャ取得部13は、判定対象機器20において発生するパケットを取得する。パケットキャプチャ取得部13は、内部から外部の通信または外部から内部の通信によって発生するパケットをキャプチャする。パケットキャプチャ取得部13は、キャプチャしたパケットキャプチャ結果11に格納する。 The packet capture acquisition unit 13 acquires packets generated in the device 20 to be determined. The packet capture acquisition unit 13 captures packets generated by communication from inside to outside or communication from outside to inside. The packet capture acquisition unit 13 stores the captured packets in the packet capture result 11.

 ソフトウェア情報取得部14は、通信情報生成処理において、パケットキャプチャ取得部13が取得したパケットの通信を行ったソフトウェア情報を取得する。ソフトウェア情報取得部14は、キャプチャしたパケットが既知の通信パターンでない場合、このパケットの通信を行ったソフトウェア情報を取得する。ソフトウェア情報取得部14は、ソフトウェア単位でソフトウェア情報を取得する。 The software information acquisition unit 14 acquires software information about the software that communicated the packet acquired by the packet capture acquisition unit 13 during the communication information generation process. If the captured packet does not have a known communication pattern, the software information acquisition unit 14 acquires software information about the software that communicated this packet. The software information acquisition unit 14 acquires software information on a software-by-software basis.

 通信動作情報生成部15は、通信情報生成処理において、パケットの通信動作を示す通信動作情報を生成する。通信動作情報は、パケットキャプチャ取得部13が取得したパケットの通信を行ったソフトウェアを少なくとも含む。 The communication operation information generating unit 15 generates communication operation information indicating the communication operation of the packet in the communication information generating process. The communication operation information includes at least the software that performed the communication of the packet acquired by the packet capture acquiring unit 13.

 通信動作情報生成部15は、パケットキャプチャ取得部13がキャプチャしたパケットが既知の通信パターンである場合、この既知の通信パターンの通信動作情報の最終通信時刻を更新する。通信動作情報生成部15は、パケットキャプチャ取得部13がキャプチャしたパケットが既知の通信パターンでない場合、ソフトウェア情報取得部14が取得したソフトウェア情報を基に、このパケットの通信の通信動作情報を生成する。通信動作情報生成部15は、ソフトウェア単位で通信動作情報を生成する。 If the packet captured by the packet capture acquisition unit 13 is of a known communication pattern, the communication operation information generation unit 15 updates the last communication time of the communication operation information of this known communication pattern. If the packet captured by the packet capture acquisition unit 13 is not of a known communication pattern, the communication operation information generation unit 15 generates communication operation information for the communication of this packet based on the software information acquired by the software information acquisition unit 14. The communication operation information generation unit 15 generates communication operation information on a software basis.

 リスクレベル情報生成部16は、機器情報最新化処理において、通信動作情報を用いて、通信動作に基づくリスクレベル情報を生成する。リスクレベル情報生成部16は、ソフトウェア毎に、リスクレベル情報を生成する。 The risk level information generating unit 16 uses the communication operation information in the device information updating process to generate risk level information based on the communication operation. The risk level information generating unit 16 generates risk level information for each piece of software.

 リスクレベル情報生成部16は、前回実行時から通信情報が変化したソフトウェアの有無、及び、前回実行時にはなかったソフトウェアの通信情報への追加の有無を基に、当該ソフトウェアのリスクレベル情報を生成する。リスクレベル情報生成部16は、外部通信のリスクレベル情報及び内部通信のリスクレベル情報を生成する。後述するようにリスクレベルは、疎通性と、通信動作との状態に応じて、例えば、4段階で定義されている。 The risk level information generating unit 16 generates risk level information for software based on whether or not the software has had its communication information changed since the previous execution, and whether or not software that was not present during the previous execution has been added to the communication information. The risk level information generating unit 16 generates risk level information for external communication and risk level information for internal communication. As described below, risk levels are defined, for example, in four stages, depending on the state of connectivity and communication operation.

 リスクレベル情報生成部16は、前回実行時から通信情報が変化したソフトウェアがある場合には、このソフトウェアについて、疎通性及び通信動作の状態に応じてリスクレベルを更新し、更新したリスクレベルを含むリスクレベル情報を生成する。また、リスクレベル情報生成部16は、前回実行時から通信情報が変化したソフトウェアがない場合であっても、前回実行時にはなかったソフトウェアが通信情報に追加されている場合には、追加されているソフトウェアについて、疎通性及び通信動作の状態に応じてリスクレベルを判定し、判定したリスクレベルを示すリスクレベル情報を生成する。 If there is software whose communication information has changed since the last time it was executed, the risk level information generating unit 16 updates the risk level of this software according to the communication status and communication operation status, and generates risk level information including the updated risk level. In addition, even if there is no software whose communication information has changed since the last time it was executed, if software that was not present at the last time it was executed has been added to the communication information, the risk level information generating unit 16 determines the risk level of the added software according to the communication status and communication operation status, and generates risk level information indicating the determined risk level.

 機器情報生成部17は、機器情報最新化処理において、判定対象機器20の最新の機器情報を生成する。機器情報生成部17は、ソフトウェアと当該ソフトウェアに対応するリスクレベル情報とを対応付けた機器情報を判定装置30に登録する。機器情報は、ソフトウェア毎に、ソフトウェアの識別情報と、外部通信のリスクレベル情報及び内部通信のリスクレベル情報とが対応付けられる構成を有する。 The device information generating unit 17 generates the latest device information of the device 20 to be determined in the device information updating process. The device information generating unit 17 registers device information in which software is associated with risk level information corresponding to the software in the determination device 30. The device information has a configuration in which software identification information is associated with external communication risk level information and internal communication risk level information for each piece of software.

 機器情報送信部18は、機器情報生成部17が生成した判定対象機器20の最新の機器情報を判定装置30に送信し、最新の機器情報の登録を要求する。 The device information transmission unit 18 transmits the latest device information of the device 20 to be determined, generated by the device information generation unit 17, to the determination device 30, and requests registration of the latest device information.

[判定装置]
 図5は、図3に示す判定装置30の構成の一例を示す図である。判定装置30は、例えば、ROM、RAM、CPU等を含むコンピュータ等に所定のプログラムが読み込まれて、CPUが所定のプログラムを実行することで実現される。また、判定装置30は、判定対象機器が有する、ネットワーク等を介して接続された他の装置との間で、各種情報を送受信する通信インタフェースを介して、他の装置との通信が可能である。 [Determination device]
Fig. 5 is a diagram showing an example of the configuration of the determination device 30 shown in Fig. 3. The determination device 30 is realized, for example, by loading a predetermined program into a computer or the like including a ROM, a RAM, a CPU, etc., and having the CPU execute the predetermined program. In addition, the determination device 30 is capable of communicating with other devices via a communication interface that is included in the device to be determined and that transmits and receives various information to and from other devices connected via a network or the like.

 図5に示すように、判定装置30は、機器情報DB31、リスク閾値設定情報32、機器情報登録部33、リスク閾値設定部34、脆弱性情報受信部35、リスク判定部36、結果通知部37を有する。 As shown in FIG. 5, the determination device 30 has a device information DB 31, risk threshold setting information 32, a device information registration unit 33, a risk threshold setting unit 34, a vulnerability information receiving unit 35, a risk determination unit 36, and a result notification unit 37.

 機器情報DB31は、エージェント10から送信された機器情報を格納する。 The device information DB31 stores the device information sent from the agent 10.

 リスク閾値設定情報32は、リスク閾値の設定情報が格納されるDBである。リスク閾値は、外部通信、内部通信のそれぞれに設定され、リスクレベルのレベル値で表現される。 Risk threshold setting information 32 is a DB that stores setting information for risk thresholds. Risk thresholds are set for both external and internal communications, and are expressed as risk level values.

 機器情報登録部33は、例えば、エージェント10から送信された機器情報を受信し、機器情報DB31に格納する。 The device information registration unit 33, for example, receives device information sent from the agent 10 and stores it in the device information DB 31.

 リスク閾値設定部34は、リスク閾値を含むリスク判定時用の閾値情報(リスク閾値情報)の入力を受け付け、入力されたリスク閾値情報を基に、リスク閾値を、リスク閾値設定情報32として登録する。例えば、リスク閾値は、運用者によって、外部通信、内部通信のそれぞれに設定される。 The risk threshold setting unit 34 accepts input of threshold information (risk threshold information) for risk judgment, including a risk threshold, and registers the risk threshold as risk threshold setting information 32 based on the input risk threshold information. For example, the risk threshold is set by the operator for each of external communication and internal communication.

 脆弱性情報受信部35は、脆弱性情報配信サービス40から送信された脆弱性情報を受信する。 The vulnerability information receiving unit 35 receives vulnerability information sent from the vulnerability information distribution service 40.

 リスク判定部36は、脆弱性情報受信部35が受信した脆弱性情報のリスクを判定する。リスク判定部36は、エージェント10が取得した判定対象機器20の通信の動作状態を基に、判定対象機器20に送信される脆弱性情報に対するリスク判定を行う。リスク判定部36は、判定対象機器20への脆弱性情報の配信の通知を受けると、エージェント10によって登録された機器情報と、予め設定されたリスク判定時用の閾値(リスク閾値)とを基に、脆弱性情報のリスクを判定する。リスク閾値は、前述したように、外部通信と内部通信とのそれぞれについて、ソフトウェア毎に設定される。 The risk assessment unit 36 assesses the risk of the vulnerability information received by the vulnerability information receiving unit 35. The risk assessment unit 36 performs risk assessment on the vulnerability information sent to the assessment target device 20 based on the communication operation state of the assessment target device 20 acquired by the agent 10. When the risk assessment unit 36 receives notification of the distribution of vulnerability information to the assessment target device 20, it assesses the risk of the vulnerability information based on the device information registered by the agent 10 and a preset threshold value (risk threshold) for risk assessment. As described above, the risk threshold is set for each software for both external communication and internal communication.

 具体的には、リスク判定部36は、脆弱性情報の攻撃元区分、脆弱性情報に該当するソフトウェアのリスクレベル、及び、リスク閾値を基に、受信した脆弱性情報のリスクを判定する。リスク判定部36は、脆弱性情報のリスクを、所定の判定ルールを基に判定する。例えば、リスク判定部36は、リスクレベルが、所定のリスク閾値以上である場合には、リスクが高いと判定し、リスクレベルが、所定のリスク閾値未満である場合には、リスクが低いと判定する。 Specifically, the risk determination unit 36 determines the risk of the received vulnerability information based on the attack source classification of the vulnerability information, the risk level of the software corresponding to the vulnerability information, and the risk threshold. The risk determination unit 36 determines the risk of the vulnerability information based on predetermined determination rules. For example, if the risk level is equal to or greater than the predetermined risk threshold, the risk determination unit 36 determines the risk to be high, and if the risk level is less than the predetermined risk threshold, the risk determination unit 36 determines the risk to be low.

 結果通知部37は、リスク判定部36によって判定されたリスクの度合いに応じて、運用者に、リスク判定部36の判定結果を運用者に通知する。 The result notification unit 37 notifies the operator of the result of the risk assessment unit 36 depending on the degree of risk assessed by the risk assessment unit 36.

[通信処理の流れ]
 次に、実施の形態に係る通信処理の流れについて説明する。まず、通信情報生成処理について説明する。 [Communication processing flow]
Next, a flow of communication processing according to the embodiment will be described. First, a communication information generation process will be described.

[通信情報生成処理]
 図6は、通信情報生成処理について説明する図である。 [Communication information generation process]
FIG. 6 is a diagram illustrating the communication information generation process.

 図6に示すように、通信情報生成処理において、エージェント10は、判定対象機器20において発生するパケットをキャプチャし、取得する(図6の(1))。エージェント10は、内部通信、内部から外部の通信、または外部から内部の通信によって発生するパケットをキャプチャする。内部通信には、判定対象機器20からホストに対する通信と、他ホストから判定対象機器に対する通信とがある。 As shown in FIG. 6, in the communication information generation process, the agent 10 captures and acquires packets generated in the device to be judged 20 ((1) in FIG. 6). The agent 10 captures packets generated by internal communication, internal to external communication, or external to internal communication. Internal communication includes communication from the device to be judged 20 to the host and communication from other hosts to the device to be judged.

 エージェント10は、判定対象機器20において、キャプチャしたパケットが既知の通信パターンでない場合、このパケットの通信を行ったソフトウェア情報を取得する(図6の(2))。エージェント10は、判定対象機器20において、パケットが既知の通信パターンである場合、該当する既知の通信パターンについて通信動作情報の最終通信時刻を更新する(図6の(3))。 If the captured packet is not of a known communication pattern in the device 20 to be judged, the agent 10 acquires information about the software that communicated the packet ((2) in FIG. 6). If the packet is of a known communication pattern in the device 20 to be judged, the agent 10 updates the last communication time in the communication operation information for the corresponding known communication pattern ((3) in FIG. 6).

 図7-1~図7-4は、通信情報生成処理において生成される通信動作情報の一例を説明する図である。通信情報生成処理により生成される通信動作情報として、例えば、判定対象機器20の外部通信情報(外部から内部への通信)(図7-1)、判定対象機器20の外部通信情報(内部から外部への通信)(図7-2)、判定対象機器20の内部通信情報(他ホストから判定対象機器20への通信)(図7-3)、判定対象機器20の内部通信情報(判定対象機器20から他ホストへの通信)(図7-4)の4つの情報が生成される。 FIGS. 7-1 to 7-4 are diagrams illustrating an example of communication operation information generated in the communication information generation process. For example, four pieces of communication operation information are generated by the communication information generation process: external communication information (communication from outside to inside) of the device to be determined 20 (FIG. 7-1), external communication information (communication from inside to outside) of the device to be determined 20 (FIG. 7-2), internal communication information of the device to be determined 20 (communication from another host to the device to be determined 20) (FIG. 7-3), and internal communication information of the device to be determined 20 (communication from the device to be determined 20 to another host) (FIG. 7-4).

 各情報は、それぞれ送信元IP(srcIP)、送信元ポート(srcPort)、宛先IP(dstIP)、宛先ポート(dstPort)、ソフトウェア名、最終通信時刻の項目を有し、常時更新される。 Each piece of information has the following fields: source IP (srcIP), source port (srcPort), destination IP (dstIP), destination port (dstPort), software name, and last communication time, and is constantly updated.

 例えば、ソフトウェア情報は、プロセス情報等から取得される。ソフトウェア情報は、パケットのヘッダ情報から取得される。 For example, software information is obtained from process information, etc. Software information is obtained from packet header information.

 図8及び図9は、プロセス情報からソフトウェア情報を取得する方法について説明する図である。エージェント10は、図8に示す情報(待ち受けポート番号、当該PID、実行ファイル名)により(図8の(1),(2))、通信を待ち受けているプロセスの実行ファイルを把握する(図8の(3))。 FIGS. 8 and 9 are diagrams explaining a method for acquiring software information from process information. The agent 10 uses the information shown in FIG. 8 (listening port number, PID, executable file name) ((1) and (2) in FIG. 8) to identify the executable file of the process waiting for communication ((3) in FIG. 8).

 図8の例ではLISTEN中のプロセスを例に記載しているが、判定対象機器20から発となる通信であっても、ESTABLISHED状態のコネクションの情報を参照することで、同様にソフトウェア情報を取得する。なお、実行ファイル名がコマンド名である場合は、コマンドの実体ファイルを参照する工程を追加する。 In the example of Figure 8, a process in LISTEN is shown as an example, but even if the communication originates from the device 20 to be determined, software information can be obtained in the same way by referencing the information of the connection in the ESTABLISHED state. Note that if the executable file name is a command name, a process of referencing the actual file of the command is added.

 通信を行っているプロセスの実行ファイル名が確認できれば、図9に示すように、その実行ファイル名を含むパッケージ名を参照することで(図9の(1))、ソフトウェア名とバージョン情報が取得できる。図9は、パッケージ管理システムの情報を用いた例である。この他に、機器のSBOM(Software Bill Of Materials)を用いる方法もある。 Once the executable file name of the communicating process can be confirmed, the software name and version information can be obtained by referencing the package name that contains the executable file name ((1) in Figure 9), as shown in Figure 9. Figure 9 shows an example that uses information from a package management system. Another method is to use the device's SBOM (Software Bill of Materials).

[機器情報最新化処理]
 図10は、機器情報最新化処理について説明する図である。 [Device information update process]
FIG. 10 is a diagram illustrating the device information updating process.

 図10に示すように、機器情報最新化処理において、エージェント10は、機器情報最新化処理において、前回実行時から通信情報が変化したソフトウェアの有無、及び、前回実行時にはなかったソフトウェアの通信情報への追加の有無を基に、当該ソフトウェアのリスクレベル情報を生成する(図10の(1))。 As shown in FIG. 10, in the device information updating process, the agent 10 generates risk level information for the software based on whether or not the software has had its communication information changed since the previous execution of the device information updating process, and whether or not software that was not present in the previous execution of the process has been added to the communication information ((1) in FIG. 10).

 続いて、エージェント10は、判定対象機器20の最新の機器情報を生成する(図10の(2))。エージェント10は、生成した判定対象機器20の最新の機器情報を判定装置30に送信し、最新の機器情報の登録を要求する(図10の(3))。 Then, the agent 10 generates the latest device information of the device 20 to be judged ((2) in FIG. 10). The agent 10 transmits the generated latest device information of the device 20 to the judgment device 30 and requests registration of the latest device information ((3) in FIG. 10).

 なお、機器情報最新化処理は、定期的に行う処理であるが、実施タイミングは運用者が任意に定めてよい。例えば、機器情報最新化処理の実施タイミングとして、情報の最新化を重視して1分間隔で実行する、対象機器の負荷を考慮して日次実行とする、等がある。 Note that although the device information updating process is a process that is performed periodically, the timing of its execution may be determined by the operator. For example, the timing of the device information updating process may be set to execute at one-minute intervals with an emphasis on updating the information, or to execute daily taking into account the load on the target device.

 図11-1及び図11-2は、機器情報最新化処理において生成されるリスクレベルの定義を説明する図である。図11-1及び図11-2では、リスクレベルとして、リスクレベル、通信先IPアドレス、プロトコル/通信先ポート、疎通性/通信動作、及び、備考の項目を設けて、リスクレベルの定義を説明する。なお、リスクレベルの定義は図11-1及び図11-2の例に限定されず、運用者が自由に定めてよい。 FIGS. 11-1 and 11-2 are diagrams explaining the definition of risk levels generated in the device information updating process. In FIG. 11-1 and 11-2, the risk level definition is explained by providing the following items as risk level, destination IP address, protocol/destination port, connectivity/communication operation, and remarks. Note that the definition of risk level is not limited to the examples in FIG. 11-1 and FIG. 11-2, and may be freely defined by the operator.

 図11-1では、外部通信のリスクレベルの定義を示し、図11-2では、内部通信のリスクレベルの定義を示す。図11-1及び図11-2は、疎通不可、通信なし、特定の相手と通信、不特定の相手と通信、の順にリスクを高く定義した例である。 Figure 11-1 shows the definition of risk levels for external communications, and Figure 11-2 shows the definition of risk levels for internal communications. Figures 11-1 and 11-2 are examples in which risk is defined in increasing order as no communication possible, no communication, communication with a specific party, and communication with an unspecified party.

 例えば、図11-1及び図11-2に示すように、疎通不可の場合、疎通不可のためリスクは低いため、リスクレベルは「1」である。疎通可能または疎通性不明であり、機器の正常動作時は通信しない場合、判定対象機器20自身が正常動作している限りリスクが低いため、リスクレベルは「2」である。疎通可能であり、正常動作時は特定の相手のみと通信する場合、判定対象機器20自身と相手とが正常動作している限りリスクが低いため、リスクレベルは「3」である。疎通可能であり、不特定の相手と通信する場合、リスクがある可能性あるため、リスクレベルは「4」である。 For example, as shown in Figures 11-1 and 11-2, if communication is not possible, the risk is low because communication is not possible, and the risk level is "1." If communication is possible or communication is unknown and there is no communication when the device is operating normally, the risk is low as long as the device to be judged 20 itself is operating normally, and the risk level is "2." If communication is possible and the device to be judged communicates only with specific parties when operating normally, the risk is low as long as both the device to be judged 20 itself and the other party are operating normally, and the risk level is "3." If communication is possible and communication is with unspecified parties, there is a possibility of risk, and the risk level is "4."

 エージェント10では、リスクレベル情報生成部16が前回実行時から通信情報が変化したソフトウェアの有無、及び、前回実行時にはなかったソフトウェアの通信情報への追加の有無を判定する。そして、リスクレベル情報生成部16は、図11-1及び図11-2を参照し、当該ソフトウェアのリスクレベルを判定し、リスクレベル情報を生成する。 In the agent 10, the risk level information generating unit 16 determines whether there is software whose communication information has changed since the previous execution, and whether software that was not present at the previous execution has been added to the communication information. The risk level information generating unit 16 then refers to Figures 11-1 and 11-2 to determine the risk level of the software and generate risk level information.

 なお、図11-1のグローバルIPアドレスは、外部との通信を中継するローカルIPアドレス(プロキシ、LB(Load Balancer)等)を含んでもよい。 Note that the global IP address in Figure 11-1 may also include a local IP address (proxy, LB (Load Balancer), etc.) that relays communications with the outside world.

 図12は、機器情報のデータ構成の一例を説明する図である。エージェント10は、図12に示す構成を有する機器情報を、判定装置30に登録する。図12に示すように、機器情報は、ソフトウェア名、外部通信のリスクレベル、及び、内部通信のリスクレベルを項目として有する。このため、この機器情報の登録により、判定装置30では、ソフトウェア構成情報と、通信動作に基づくリスクレベル情報とがセットで保持される。 FIG. 12 is a diagram illustrating an example of the data configuration of device information. The agent 10 registers device information having the configuration shown in FIG. 12 in the determination device 30. As shown in FIG. 12, the device information has items such as software name, risk level of external communication, and risk level of internal communication. Therefore, by registering this device information, the determination device 30 holds a set of software configuration information and risk level information based on communication operations.

[リスク閾値設定処理]
 図13は、リスク閾値設定処理について説明する図である。 [Risk threshold setting process]
FIG. 13 is a diagram illustrating the risk threshold setting process.

 判定装置30は、運用者によるリスク閾値情報の入力を受け付け、リスク判定時用の閾値(リスク閾値)を設定する(図13の(1))。例えば、リスク閾値として、外部通信については、リスクレベル「4」以上、内部通信はリスクレベル「4」以上に設定される。 The determination device 30 accepts risk threshold information input by the operator and sets a threshold value (risk threshold) for risk determination ((1) in FIG. 13). For example, the risk threshold is set to a risk level of "4" or higher for external communications and a risk level of "4" or higher for internal communications.

[リスク判定処理]
 図14は、リスク判定処理について説明する図である。 [Risk Judgment Processing]
FIG. 14 is a diagram illustrating the risk determination process.

 判定装置30は、脆弱性情報配信サービス40から送信された脆弱性通情報を受信すると(図14の(1))、受信した脆弱性情報のリスクを判定する(図14の(2))。判定装置30は、必要な場合には、運用者に、リスク判定の判定結果を通知する(図14の(3))。 When the determination device 30 receives vulnerability information sent from the vulnerability information distribution service 40 ((1) in FIG. 14), it determines the risk of the received vulnerability information ((2) in FIG. 14). If necessary, the determination device 30 notifies the operator of the result of the risk determination ((3) in FIG. 14).

 図15は、リスク判定処理の具体例について説明する図である。前提として、枠W1(図15)に記載のリスク閾値と機器情報とが判定装置30に登録されているとする。また、図15の例では、枠W1に示すように、不特定の相手と通信するソフトウェア(リスクレベル「4」)に該当する脆弱性情報のみを運用者に通知させる。 FIG. 15 is a diagram explaining a specific example of risk assessment processing. As a premise, it is assumed that the risk threshold and device information described in box W1 (FIG. 15) are registered in the assessment device 30. In addition, in the example of FIG. 15, as shown in box W1, only vulnerability information corresponding to software that communicates with unspecified parties (risk level "4") is notified to the operator.

 例えば、この状態においてソフトウェア「RRR」の脆弱性情報が配信された場合(図15の(1))、次のような判定処理が行われる。ソフトウェア「RRR」の通信動作に基づくリスクレベルは、外部通信については「2」、内部通信については「3」であり、運用者が定めたリスク閾値(リスクレベル「4」)未満である。このため、判定装置30は、ソフトウェア「RRR」の脆弱性情報に対し、リスクが低いと判定する(図15の(2))。判定装置30は、ソフトウェア「RRR」の脆弱性情報のリスクが低いと判定したため、運用者への通知処理は不要であると判定し、判定結果を運用者に通知しない(図15の(3))。 For example, if vulnerability information for the software "RRR" is distributed in this state ((1) in FIG. 15), the following judgment process is performed. The risk level based on the communication behavior of the software "RRR" is "2" for external communication and "3" for internal communication, which is less than the risk threshold (risk level "4") set by the operator. Therefore, the judgment device 30 judges that the vulnerability information for the software "RRR" is low risk ((2) in FIG. 15). Since the judgment device 30 has determined that the vulnerability information for the software "RRR" is low risk, it judges that notification processing to the operator is unnecessary and does not notify the operator of the judgment result ((3) in FIG. 15).

 図15の例に対し、ネットワーク構成だけで判定する従来法では、実際の通信相手や通信動作を踏まえた判定を行わないためリスクが高いと判定されていたが、本実施の形態では、通信動作を踏まえた判定によりリスクが低いと判定することができる。 In the example of Figure 15, in the conventional method where the determination is made based only on the network configuration, the risk is determined to be high because the determination is not made based on the actual communication partner or communication operation, but in this embodiment, the risk can be determined to be low by making a determination based on the communication operation.

 図16は、リスク判定処理の具体例について説明する図である。前提として、枠W2(図16)に記載のリスク閾値と機器情報とが判定装置30に登録されている場合とする。また、図16の例では、枠W2に示すように、相手が不特定か否に関わらず、通信を行うソフトウェア(リスクレベル「3」以上)の脆弱性情報を通知させる場合について説明する。 FIG. 16 is a diagram explaining a specific example of risk assessment processing. As a premise, it is assumed that the risk threshold and device information described in box W2 (FIG. 16) are registered in the assessment device 30. In addition, the example of FIG. 16 explains a case where, as shown in box W2, vulnerability information of communicating software (risk level "3" or higher) is notified regardless of whether the other party is unspecified or not.

 例えば、この状態においてソフトウェア「RRR」の脆弱性情報が配信された場合(図16の(1))、次のような判定処理が行われる。ソフトウェア「RRR」の通信動作に基づくリスクレベルは、外部通信については「2」、内部通信については「3」であり、運用者が定めたリスク閾値(リスクレベル「3」)以上である。このため、判定装置30は、ソフトウェア「RRR」の脆弱性情報に対し、リスクが高いと判定する(図16の(2))。判定装置30は、ソフトウェア「RRR」の脆弱性情報のリスクが高いと判定したため、運用者への通知処理が必要であると判定し、判定結果を運用者に通知する(図16の(3))。 For example, if vulnerability information for the software "RRR" is distributed in this state ((1) in FIG. 16), the following judgment process is performed. The risk level based on the communication behavior of the software "RRR" is "2" for external communication and "3" for internal communication, which is equal to or higher than the risk threshold (risk level "3") set by the operator. Therefore, the judgment device 30 judges that the vulnerability information for the software "RRR" is high risk ((2) in FIG. 16). Since the judgment device 30 has determined that the vulnerability information for the software "RRR" is high risk, it judges that notification processing to the operator is necessary and notifies the operator of the judgment result ((3) in FIG. 16).

 図16の例では、仮に運用者がソフトウェア「RRR」は未使用と考えリスクは低いと誤判定していた場合であっても、本実施の形態では、リスクが高いと正しく判定することができる。 In the example of FIG. 16, even if the operator mistakenly determines that the software "RRR" is unused and therefore has a low risk, this embodiment can correctly determine that the risk is high.

[通信処理の処理手順]
 次に、実施の形態に係る通信処理の各処理の処理手順について説明する。 [Communication Processing Procedure]
Next, a process procedure of each step of the communication process according to the embodiment will be described.

[通信情報生成処理の処理手順]
 図17は、通信情報生成処理の処理手順を示すフローチャートである。 [Processing procedure for communication information generation processing]
FIG. 17 is a flowchart showing the procedure of the communication information generation process.

 エージェント10は、判定対象機器20において発生するパケットをキャプチャし、取得する(ステップS1)。 The agent 10 captures and acquires packets generated in the device 20 to be judged (step S1).

 エージェント10は、キャプチャしたパケットが既知の通信パターンであるか否かを判定する(ステップS2)。 The agent 10 determines whether the captured packet is a known communication pattern (step S2).

 キャプチャしたパケットが既知の通信パターンである場合(ステップS2:Yes)、エージェント10は、該当する既知の通信パターンについての通信動作情報の最終通信時刻を更新して(ステップS3)、キャプチャしたパケットに対する通信情報生成処理を終了する。 If the captured packet is a known communication pattern (step S2: Yes), the agent 10 updates the last communication time of the communication operation information for the corresponding known communication pattern (step S3) and ends the communication information generation process for the captured packet.

 キャプチャしたパケットが既知の通信パターンでない場合(ステップS2:No)、エージェント10は、このパケットの通信を行ったソフトウェア情報を取得する(ステップS4)。そして、エージェント10は、当該通信の通信動作情報を生成して(ステップS5)、キャプチャしたパケットに対する通信情報生成処理を終了する。 If the captured packet does not have a known communication pattern (step S2: No), the agent 10 acquires information about the software that performed the communication of this packet (step S4). The agent 10 then generates communication operation information for that communication (step S5) and ends the communication information generation process for the captured packet.

[機器情報最新化処理の処理手順]
 図18は、機器情報最新化処理の処理手順を示すフローチャートである。 [Device information update process procedure]
FIG. 18 is a flowchart showing the procedure of the device information updating process.

 エージェント10は、前回実行時から通信情報が変化したソフトウェアがあるか否かを判定する(ステップS11)。 The agent 10 determines whether there is any software whose communication information has changed since the last time it was executed (step S11).

 前回実行時から通信情報が変化したソフトウェアがある場合(ステップS11:Yes)、エージェント10は、前回実行時から通信情報が変化したソフトウェアのリスクレベル情報を、通信情報の変化に応じて更新し(ステップS12)、判定対象機器20の最新の機器情報を生成する。 If there is software whose communication information has changed since the last time it was executed (step S11: Yes), the agent 10 updates the risk level information of the software whose communication information has changed since the last time it was executed in accordance with the change in the communication information (step S12), and generates the latest device information for the device 20 to be assessed.

 エージェント10は、判定対象機器20の最新の機器情報を判定装置30に送信する(ステップS13)。判定装置30は、最新の機器情報を登録し(ステップS14)、機器情報最新化処理を終了する。 The agent 10 transmits the latest device information of the device 20 to be judged to the judgment device 30 (step S13). The judgment device 30 registers the latest device information (step S14) and ends the device information updating process.

 前回実行時から通信情報が変化したソフトウェアがない場合(ステップS11:No)、エージェント10は、前回実行時にはなかったソフトウェアが通信情報に追加されているか否かを判定する(ステップS15)。 If there is no software whose communication information has changed since the previous execution (step S11: No), the agent 10 determines whether software that was not present during the previous execution has been added to the communication information (step S15).

 前回実行時にはなかったソフトウェアが通信情報に追加されていない場合(ステップS15:No)、機器情報最新化処理を終了する。 If software that was not present the last time the program was executed has not been added to the communication information (step S15: No), the device information update process ends.

 一方、前回実行時にはなかったソフトウェアが通信情報に追加されている場合(ステップS15:Yes)、エージェント10は、通信情報に追加されているソフトウェアのリスクレベル情報を生成する(ステップS16)。 On the other hand, if software that was not present at the time of the previous execution has been added to the communication information (step S15: Yes), the agent 10 generates risk level information for the software that has been added to the communication information (step S16).

 エージェント10は、判定対象機器20の最新の機器情報を判定装置30に送信する(ステップS17)。判定装置30は、最新の機器情報を登録し(ステップS14)、機器情報最新化処理を終了する。 The agent 10 transmits the latest device information of the device 20 to be determined to the determination device 30 (step S17). The determination device 30 registers the latest device information (step S14) and ends the device information updating process.

[リスク閾値設定処理の処理手順]
 図19は、リスク閾値設定処理の処理手順を示すフローチャートである。 [Risk threshold setting process procedure]
FIG. 19 is a flowchart showing the processing procedure of the risk threshold setting process.

 判定装置30は、リスク閾値情報の入力を受け付け(ステップS21)、入力されたリスク閾値情報を基に、リスク閾値設定情報32を登録する(ステップS22)。 The determination device 30 accepts the input of risk threshold information (step S21) and registers risk threshold setting information 32 based on the input risk threshold information (step S22).

[リスク判定処理の処理手順]
 図20は、リスク判定処理の処理手順を示すフローチャートである。 [Risk Judgment Processing Procedure]
FIG. 20 is a flowchart showing the processing procedure of the risk determination process.

 判定装置30は、脆弱性情報配信サービス40から送信された脆弱性情報を受信すると(ステップS31)、受信した脆弱性情報の攻撃元区分がNWであるか否かを判定する(ステップS32)。 When the determination device 30 receives vulnerability information sent from the vulnerability information distribution service 40 (step S31), it determines whether the attack source category of the received vulnerability information is a network (step S32).

 受信した脆弱性情報の攻撃元区分がNWである場合(ステップS32:Yes)、判定装置30は、脆弱性情報に該当するソフトウェアのリスクレベルがリスク閾値以上であるか否かを判定する(ステップS33)。 If the attack source category of the received vulnerability information is NW (step S32: Yes), the determination device 30 determines whether the risk level of the software corresponding to the vulnerability information is equal to or greater than the risk threshold (step S33).

 脆弱性情報に該当するソフトウェアのリスクレベルがリスク閾値以上である場合(ステップS33:Yes)、判定装置30は、リスクが高いと判定し、運用者に通知する(ステップS34)。 If the risk level of the software corresponding to the vulnerability information is equal to or greater than the risk threshold (step S33: Yes), the determination device 30 determines that the risk is high and notifies the operator (step S34).

 脆弱性情報に該当するソフトウェアのリスクレベルがリスク閾値未満である場合(ステップS33:No)、判定装置30は、リスクが低いと判定する(ステップS35)。 If the risk level of the software corresponding to the vulnerability information is less than the risk threshold (step S33: No), the determination device 30 determines that the risk is low (step S35).

 受信した脆弱性情報の攻撃元区分がNWでない場合(ステップS32:No)、ステップS34、または、ステップS35終了後、判定装置30は、リスク判定処理を終了する。 If the attack source category of the received vulnerability information is not NW (step S32: No), after step S34 or step S35 is completed, the determination device 30 ends the risk determination process.

[実施の形態の効果]
 このように、実施の形態では、判定装置30は、エージェント10を介して取得した判定対象機器20の実際の通信の動作状態を基に、判定対象機器20に送信される脆弱性情報に対するリスク判定を行う。具体的には、判定装置30は、エージェント10によって、判定対象機器20の実際の通信動作から生成されたリスクレベル情報を用いて、判定対象機器20のリスク判定を行う。したがって、実施の形態では、実際の機器の通信動作を踏まえたリスク判定が可能となる。 [Effects of the embodiment]
As described above, in the embodiment, the determination device 30 performs risk determination for the vulnerability information transmitted to the determination target device 20, based on the actual communication operation state of the determination target device 20 acquired via the agent 10. Specifically, the determination device 30 performs risk determination for the determination target device 20, using risk level information generated by the agent 10 from the actual communication operation of the determination target device 20. Therefore, in the embodiment, risk determination based on the actual communication operation of the device is possible.

 そして、実施の形態では、エージェント10及び判定装置30が、通信情報生成処理、機器情報最新化処理、リスク閾値設定処理を予め行う。このため、判定装置30には常に最新のリスクレベル情報が保持された状態となる。そして、判定装置30が脆弱性通知を受信すると、最新のリスクレベル情報を基にリスク判定処理が行うため、迅速かつ適正にリスク判定を実行することができる。 In the embodiment, the agent 10 and the determination device 30 perform communication information generation processing, device information updating processing, and risk threshold setting processing in advance. As a result, the determination device 30 always holds the latest risk level information. When the determination device 30 receives a vulnerability notification, it performs risk determination processing based on the latest risk level information, making it possible to perform risk determination quickly and appropriately.

[実施の形態のシステム構成について]
 エージェント10及び判定装置30の各構成要素は機能概念的なものであり、必ずしも物理的に図示のように構成されていることを要しない。すなわち、エージェント10及び判定装置30の機能の分散及び統合の具体的形態は図示のものに限られず、その全部または一部を、各種の負荷や使用状況などに応じて、任意の単位で機能的または物理的に分散または統合して構成することができる。 [System Configuration of the Embodiment]
Each component of the agent 10 and the determination device 30 is a functional concept, and does not necessarily have to be physically configured as shown in the figure. In other words, the specific form of distribution and integration of the functions of the agent 10 and the determination device 30 is not limited to that shown in the figure, and all or part of them can be functionally or physically distributed or integrated in any unit depending on various loads, usage conditions, etc.

 また、エージェント10及び判定装置30においておこなわれる各処理は、全部または任意の一部が、CPU、GPU(Graphics Processing Unit)、及び、CPU、GPUにより解析実行されるプログラムにて実現されてもよい。また、エージェント10及び判定装置30において行われる各処理は、ワイヤードロジックによるハードウェアとして実現されてもよい。 Furthermore, each process performed by the agent 10 and the determination device 30 may be realized, in whole or in part, by a CPU, a GPU (Graphics Processing Unit), and a program analyzed and executed by the CPU and GPU. Furthermore, each process performed by the agent 10 and the determination device 30 may be realized as hardware using wired logic.

 また、実施の形態において説明した各処理のうち、自動的におこなわれるものとして説明した処理の全部または一部を手動的に行うこともできる。もしくは、手動的におこなわれるものとして説明した処理の全部または一部を公知の方法で自動的に行うこともできる。この他、上述及び図示の処理手順、制御手順、具体的名称、各種のデータやパラメータを含む情報については、特記する場合を除いて適宜変更することができる。 Furthermore, among the processes described in the embodiments, all or part of the processes described as being performed automatically can be performed manually. Alternatively, all or part of the processes described as being performed manually can be performed automatically using known methods. In addition, the information including the processing procedures, control procedures, specific names, various data, and parameters described above and illustrated can be modified as appropriate unless otherwise specified.

[プログラム]
 図21は、プログラムが実行されることにより、エージェント10及び判定装置30が実現されるコンピュータの一例を示す図である。コンピュータ1000は、例えば、メモリ1010、CPU1020を有する。また、コンピュータ1000は、ハードディスクドライブインタフェース1030、ディスクドライブインタフェース1040、シリアルポートインタフェース1050、ビデオアダプタ1060、ネットワークインタフェース1070を有する。これらの各部は、バス1080によって接続される。 [program]
21 is a diagram showing an example of a computer in which an agent 10 and a determination device 30 are realized by executing a program. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These components are connected by a bus 1080.

 メモリ1010は、ROM1011及びRAM1012を含む。ROM1011は、例えば、BIOS(Basic Input Output System)等のブートプログラムを記憶する。ハードディスクドライブインタフェース1030は、ハードディスクドライブ1090に接続される。ディスクドライブインタフェース1040は、ディスクドライブ1100に接続される。例えば磁気ディスクや光ディスク等の着脱可能な記憶媒体が、ディスクドライブ1100に挿入される。シリアルポートインタフェース1050は、例えばマウス1110、キーボード1120に接続される。ビデオアダプタ1060は、例えばディスプレイ1130に接続される。 The memory 1010 includes a ROM 1011 and a RAM 1012. The ROM 1011 stores a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090. The disk drive interface 1040 is connected to a disk drive 1100. A removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example. The video adapter 1060 is connected to a display 1130, for example.

 ハードディスクドライブ1090は、例えば、OS(Operating System)1091、アプリケーションプログラム1092、プログラムモジュール1093、プログラムデータ1094を記憶する。すなわち、エージェント10及び判定装置30の各処理を規定するプログラムは、コンピュータ1000により実行可能なコードが記述されたプログラムモジュール1093として実装される。プログラムモジュール1093は、例えばハードディスクドライブ1090に記憶される。例えば、エージェント10及び判定装置30における機能構成と同様の処理を実行するためのプログラムモジュール1093が、ハードディスクドライブ1090に記憶される。なお、ハードディスクドライブ1090は、SSD(Solid State Drive)により代替されてもよい。 The hard disk drive 1090 stores, for example, an OS (Operating System) 1091, application programs 1092, program modules 1093, and program data 1094. That is, the programs that define the processes of the agent 10 and the determination device 30 are implemented as program modules 1093 in which code executable by the computer 1000 is written. The program modules 1093 are stored, for example, in the hard disk drive 1090. For example, the program modules 1093 for executing processes similar to the functional configurations of the agent 10 and the determination device 30 are stored in the hard disk drive 1090. The hard disk drive 1090 may be replaced by an SSD (Solid State Drive).

 また、上述した実施の形態の処理で用いられる設定データは、プログラムデータ1094として、例えばメモリ1010やハードディスクドライブ1090に記憶される。そして、CPU1020が、メモリ1010やハードディスクドライブ1090に記憶されたプログラムモジュール1093やプログラムデータ1094を必要に応じてRAM1012に読み出して実行する。 Furthermore, the setting data used in the processing of the above-mentioned embodiment is stored as program data 1094, for example, in memory 1010 or hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 or program data 1094 stored in memory 1010 or hard disk drive 1090 into RAM 1012 as necessary and executes it.

 なお、プログラムモジュール1093やプログラムデータ1094は、ハードディスクドライブ1090に記憶される場合に限らず、例えば着脱可能な記憶媒体に記憶され、ディスクドライブ1100等を介してCPU1020によって読み出されてもよい。あるいは、プログラムモジュール1093及びプログラムデータ1094は、ネットワーク(LAN(Local Area Network)、WAN(Wide Area Network)等)を介して接続された他のコンピュータに記憶されてもよい。そして、プログラムモジュール1093及びプログラムデータ1094は、他のコンピュータから、ネットワークインタフェース1070を介してCPU1020によって読み出されてもよい。 The program module 1093 and program data 1094 may not necessarily be stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and program data 1094 may be stored in another computer connected via a network (such as a LAN (Local Area Network), WAN (Wide Area Network)). The program module 1093 and program data 1094 may then be read by the CPU 1020 from the other computer via the network interface 1070.

 以上、本発明者によってなされた発明を適用した実施の形態について説明したが、本実施の形態による本発明の開示の一部をなす記述及び図面により本発明は限定されることはない。すなわち、本実施の形態に基づいて当業者等によりなされる他の実施の形態、実施例及び運用技術等は全て本発明の範疇に含まれる。 The above describes an embodiment of the invention made by the inventor, but the present invention is not limited to the descriptions and drawings that form part of the disclosure of the present invention according to this embodiment. In other words, other embodiments, examples, operational techniques, etc. made by those skilled in the art based on this embodiment are all included in the scope of the present invention.

 10 エージェント
 11 パケットキャプチャ結果
 12 通信動作情報DB
 13 パケットキャプチャ取得部
 14 ソフトウェア情報取得部
 15 通信動作情報生成部
 16 リスクレベル情報生成部
 17 機器情報生成部
 18 機器情報送信部
 20 判定対象機器
 30 判定装置
 31 機器情報DB
 32 リスク閾値設定情報
 33 機器情報登録部
 34 リスク閾値設定部
 35 脆弱性情報受信部
 36 リスク判定部
 37 結果通知部
 40 脆弱性情報配信サービス
 50 外部サーバ
 60 内部サーバ 10 Agent 11 Packet capture result 12 Communication operation information DB
REFERENCE SIGNS LIST 13 Packet capture acquisition unit 14 Software information acquisition unit 15 Communication operation information generation unit 16 Risk level information generation unit 17 Device information generation unit 18 Device information transmission unit 20 Judgment target device 30 Judgment device 31 Device information DB
32 Risk threshold setting information 33 Device information registration unit 34 Risk threshold setting unit 35 Vulnerability information receiving unit 36 Risk determination unit 37 Result notification unit 40 Vulnerability information distribution service 50 External server 60 Internal server

Claims (7)

 判定対象機器に設けられたエージェントと、前記判定対象機器のリスク判定を行う判定装置とを有する通信システムであって、
 前記エージェントは、前記判定対象機器の通信の動作状態を取得し、
 前記判定装置は、前記エージェントが取得した前記判定対象機器の通信の動作状態を基に、前記判定対象機器に送信される脆弱性情報に対するリスク判定を行うことを特徴とする通信システム。 A communication system having an agent provided in a device to be judged and a judgment device that judges a risk of the device to be judged,
The agent acquires an operation status of communication of the determination target device,
A communication system characterized in that the judgment device performs a risk judgment on vulnerability information sent to the judgment target device based on the communication operation status of the judgment target device acquired by the agent.  前記エージェントは、前記判定対象機器において発生するパケットを取得し、取得したパケットの通信を行ったソフトウェア情報を取得して、取得したソフトウェアを少なくとも含む、前記パケットの通信動作を示す通信動作情報を生成することを特徴とする請求項1に記載の通信システム。 The communication system according to claim 1, characterized in that the agent acquires packets generated in the device to be determined, acquires software information that communicated the acquired packets, and generates communication operation information indicating the communication operation of the packets, including at least the acquired software.  前記エージェントは、前記通信動作情報を用いて、前記ソフトウェア毎に、前記通信動作に基づくリスクレベル情報を生成し、前記ソフトウェアと前記ソフトウェアに対応する前記リスクレベル情報とを対応付けた機器情報を前記判定装置に登録することを特徴とする請求項2に記載の通信システム。 The communication system according to claim 2, characterized in that the agent uses the communication behavior information to generate risk level information based on the communication behavior for each piece of software, and registers device information in which the software and the risk level information corresponding to the software are associated with each other in the determination device.  前記判定装置は、前記判定対象機器への脆弱性情報の配信の通知を受けると、前記機器情報と、予め設定されたリスク判定時用の閾値とを基に、前記脆弱性情報のリスクを判定することを特徴とする請求項3に記載の通信システム。 The communication system according to claim 3, characterized in that, when the determination device receives notification of the distribution of vulnerability information to the device to be determined, the determination device determines the risk of the vulnerability information based on the device information and a preset threshold value for risk determination.  前記エージェントは、前記通信動作情報の生成を常時実行し、前記機器情報の前記判定装置への登録を定期的に実行することを特徴とする請求項3に記載の通信システム。 The communication system according to claim 3, characterized in that the agent constantly generates the communication operation information and periodically registers the device information in the determination device.  判定対象機器に設けられたエージェントと、前記判定対象機器のリスク判定を行う判定装置とを有する通信システムが実行する通信方法であって、
 前記エージェントが、前記判定対象機器の通信の動作状態を取得する工程と、
 前記判定装置が、前記取得する工程において取得された前記判定対象機器の通信の動作状態を基に、前記判定対象機器に送信される脆弱性情報に対するリスク判定を行う工程と、
 を含んだことを特徴とする通信方法。 A communication method executed by a communication system having an agent provided in a device to be judged and a judgment device that judges a risk of the device to be judged, comprising:
The agent acquires a communication operation status of the determination target device;
a step of performing a risk judgment on vulnerability information transmitted to the determination target device based on the communication operation state of the determination target device acquired in the acquiring step by the determination device;
A communication method comprising:  方法をコンピュータに実行させる通信プログラムであって、
 判定対象機器に設けられたエージェントとしてのコンピュータに、
 前記判定対象機器の通信の動作状態を取得するステップ
 を実行させ、
 判定装置としてのコンピュータに、
 前記取得するステップにおいて取得された前記判定対象機器の通信の動作状態を基に、前記判定対象機器に送信される脆弱性情報に対するリスク判定を行うステップ、
 を実行させることを特徴とする通信プログラム。 A communication program for causing a computer to execute a method,
A computer as an agent installed in the device to be judged
acquiring an operation status of the communication of the determination target device;
The computer as a judgment device,
a step of performing a risk judgment on the vulnerability information to be transmitted to the judgment target device based on the communication operation state of the judgment target device acquired in the acquiring step;
A communication program characterized by causing the program to execute the above steps.
PCT/JP2023/024683 2023-07-03 2023-07-03 Communication system, communication method, and communication program Pending WO2025009039A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2023/024683 WO2025009039A1 (en) 2023-07-03 2023-07-03 Communication system, communication method, and communication program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2023/024683 WO2025009039A1 (en) 2023-07-03 2023-07-03 Communication system, communication method, and communication program

Publications (1)

Publication Number Publication Date
WO2025009039A1 true WO2025009039A1 (en) 2025-01-09

Family

ID=94171666

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/024683 Pending WO2025009039A1 (en) 2023-07-03 2023-07-03 Communication system, communication method, and communication program

Country Status (1)

Country Link
WO (1) WO2025009039A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005242754A (en) * 2004-02-27 2005-09-08 Mitsubishi Electric Corp Security management system
JP2010177839A (en) * 2009-01-28 2010-08-12 Hitachi Software Eng Co Ltd Detection system for network connection terminal outside organization
JP2020508519A (en) * 2017-02-27 2020-03-19 イヴァンティ,インコーポレイテッド Systems and methods for context-based mitigation of computer security risks
JP2020530922A (en) * 2017-08-08 2020-10-29 センチネル ラボ, インコーポレイテッドSentinel Labs, Inc. How to dynamically model and group edge networking endpoints, systems, and devices
JP2023087980A (en) * 2021-12-14 2023-06-26 株式会社日立製作所 Vulnerability management system, and vulnerability management method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005242754A (en) * 2004-02-27 2005-09-08 Mitsubishi Electric Corp Security management system
JP2010177839A (en) * 2009-01-28 2010-08-12 Hitachi Software Eng Co Ltd Detection system for network connection terminal outside organization
JP2020508519A (en) * 2017-02-27 2020-03-19 イヴァンティ,インコーポレイテッド Systems and methods for context-based mitigation of computer security risks
JP2020530922A (en) * 2017-08-08 2020-10-29 センチネル ラボ, インコーポレイテッドSentinel Labs, Inc. How to dynamically model and group edge networking endpoints, systems, and devices
JP2023087980A (en) * 2021-12-14 2023-06-26 株式会社日立製作所 Vulnerability management system, and vulnerability management method

Similar Documents

Publication Publication Date Title
US8625448B2 (en) Method and system for validating network traffic classification in a blade server
CN112437920B (en) Abnormality detection device and abnormality detection method
CN109565500B (en) On-demand security architecture
EP4027604A1 (en) Security vulnerability defense method and device
US11722458B2 (en) Method and system for restricting transmission of data traffic for devices with networking capabilities
US20120207156A1 (en) Method and system for routing network traffic for a blade server
US8910267B2 (en) Method for managing connections in firewalls
US12021836B2 (en) Dynamic filter generation and distribution within computer networks
US20120250569A1 (en) Internet Protocol Version 6 Network Connectivity in a Virtual Computer System
JP2009110270A (en) Malware detection device, monitoring device, malware detection program, and malware detection method
CN109964469B (en) Method and system for updating white lists at a network node
JP2018133692A (en) Communication apparatus, system, and method
JP2007517305A (en) Flexible network security system and network security method permitting reliable processes
Han et al. State-aware network access management for software-defined networks
CN116723020A (en) Network service simulation method, device, electronic equipment and storage medium
CN1905495B (en) Network monitoring device, network monitoring method, network system and network communication method
JP6676790B2 (en) Request control device, request control method, and request control program
WO2025009039A1 (en) Communication system, communication method, and communication program
US20040093514A1 (en) Method for automatically isolating worm and hacker attacks within a local area network
US8555368B2 (en) Firewall filtering using network controller circuitry
US20060098646A1 (en) Local and remote network based management of an operating system-independent processor
US12041080B2 (en) Persistent device identifier driven compromised device quarantine
EP3200433A1 (en) Ipv6 address management method, device and terminal
EP3432544B1 (en) System and method of determining ddos attacks
US20160364335A1 (en) Clear route cache commands for network communications platforms

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23944291

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2025530837

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2025530837

Country of ref document: JP