JP-7856378-B1 - Training terminal, cyber training system, log collection method and program
Abstract
[Problem] To provide a log collection method that enables online log collection even when the communication line has limited bandwidth. [Solution] The training terminal includes means for determining whether the bandwidth of the communication line connecting the terminal and the device to which the log is sent is narrowband, means for controlling the amount of information in the output log, and means for sending the log to the device. When the determination means determines that the bandwidth is narrowband, the control means reduces the amount of information in the log, and the transmission means sends the log with the reduced amount of information. [Selection Diagram] Figure 1
Inventors
- 亀田 健一
- 田平 親
- 小野 真和
- 安陪 利明
- 山田 佳範
- 堀江 祥文
Assignees
- 防衛装備庁長官
- 日本電気株式会社
Dates
- Publication Date
- 20260511
- Application Date
- 20241112
Claims (10)
- A training terminal for cyber exercises, comprising: means for determining whether the bandwidth of the communication line connecting the terminal and the device to which logs are sent is narrowband; means for controlling the amount of information in the output log; and means for transmitting the log to the device, wherein, when the determining means determines that the bandwidth is narrowband, the control means reduces the amount of information in the log by extracting the information necessary to understand the status of the cyber exercise and omitting other information, and the transmitting means transmits the log with the reduced amount of information.
- The training terminal according to claim 1, wherein, when the bandwidth is not narrowband, the transmitting means transmits the log to the device without reducing its amount of information.
- The training terminal according to claim 1 or claim 2, further comprising means for receiving, from the device, instruction information indicating whether or not to reduce the amount of information in the log, wherein the control means controls the amount of information in the log based on whether the bandwidth is determined to be narrowband or based on the instruction information.
- The training terminal according to claim 1 or claim 2, further comprising means for changing the format of the output log, wherein the control means controls the amount of information in the log after its format has been changed.
- The training terminal according to claim 1 or claim 2, further comprising means for encoding the log after its amount of information has been controlled.
- The training terminal according to claim 5, further comprising means for compressing the encoded log, wherein the transmitting means transmits the compressed log.
- The training terminal according to claim 1 or claim 2, wherein the transmitting means transmits each log to the destination configured for it according to per-log destination setting information.
- A cyber training system comprising the training terminal according to claim 1 or claim 2 and a management server having means for receiving the log and means for displaying the log on a display unit, wherein, during execution of the cyber exercise, the transmitting means repeatedly transmits, in accordance with the progress of the cyber exercise, a system monitoring log including the monitored status of processes related to the cyber exercise, a cyber attack monitoring log including the execution time and type of each cyber attack performed during the cyber exercise, and a cyber exercise evaluation log including the countermeasures taken against the cyber attack and the execution time of those countermeasures; and wherein, in the management server, the receiving means receives the system monitoring log, the cyber attack monitoring log, and the cyber exercise evaluation log, and the display means displays the three logs on the display unit.
- A log collection method for collecting logs from a training terminal in a cyber exercise, comprising: a determination step in which the computer of the training terminal determines whether the bandwidth of the communication line connecting the terminal and the device to which the log is sent is narrowband; a control step in which the computer of the training terminal controls the amount of information in the output log; and a transmission step in which the computer of the training terminal transmits the log to the device, wherein, when the computer determines in the determination step that the bandwidth is narrowband, the computer in the control step extracts the information necessary to understand the status of the cyber exercise and reduces the amount of information in the log by omitting other information, and in the transmission step transmits the log with the reduced amount of information.
- A program that causes the computer of a training terminal for a cyber exercise to execute: a step of determining whether the bandwidth of the communication line connecting the terminal and the device to which logs are sent is narrowband; a step of controlling the amount of information in the output log; and a step of transmitting the log to the device, wherein, when the determination step determines that the bandwidth is narrowband, the control step extracts the information necessary to understand the status of the cyber exercise and omits other information to reduce the amount of information in the log, and the transmission step transmits the log with the reduced amount of information.
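The terminal-side pipeline the claims describe (bandwidth determination, an instruction from the management server that overrides it, reduction of the log to the fields needed to follow the exercise, format change, encoding, compression, and per-log destination routing), as an added Python model that is not code from the patent, its inventors, or NEC. The narrowband threshold, the field names treated as essential for each of the three log types of claim 8, the destination table and the sample record are all assumptions constructed for illustration; the patent fixes none of them.

```python
# Added example (not from the patent): a model of the training-terminal log
# pipeline in claims 1 to 8. Every threshold, field name and destination below
# is an assumption made for illustration; the patent does not specify them.
import json
import zlib
from typing import Optional

# Assumed threshold: below this measured rate the line is treated as narrowband.
NARROWBAND_THRESHOLD_KBPS = 256

# Per log type, the fields assumed necessary to understand exercise status
# (claim 1: keep these and omit everything else when the line is narrowband).
ESSENTIAL_FIELDS = {
    "system_monitoring": ("time", "process", "state"),
    "attack_monitoring": ("time", "attack_type"),
    "exercise_evaluation": ("time", "countermeasure"),
}

# Claim 7: destination setting information per log type (assumed values).
DESTINATIONS = {
    "system_monitoring": "mgmt-server:9001",
    "attack_monitoring": "mgmt-server:9002",
    "exercise_evaluation": "mgmt-server:9003",
}

# Constructed sample record of the "cyber attack monitoring log" of claim 8.
SAMPLE_ATTACK_LOG = {
    "time": "2024-11-12T10:15:00Z",
    "attack_type": "simulated_phishing_mail",
    "scenario_step": 3,
    "detail": "exerciser opened the simulated mail attachment (constructed sample)",
    "module": "attack-module-sample",
}


def is_narrowband(measured_kbps: float) -> bool:
    """Claim 1 determination step: compare the measured line rate to the threshold."""
    return measured_kbps < NARROWBAND_THRESHOLD_KBPS


def should_reduce(measured_kbps: float, instruction: Optional[bool] = None) -> bool:
    """Claim 3: an explicit instruction from the management server, when present,
    decides whether to reduce; otherwise the local bandwidth determination does."""
    if instruction is not None:
        return instruction
    return is_narrowband(measured_kbps)


def reduce_log(log_type: str, record: dict) -> dict:
    """Claim 1 control step: keep only the fields needed to follow the exercise."""
    keep = ESSENTIAL_FIELDS[log_type]
    return {k: record[k] for k in keep if k in record}


def change_format(record: dict) -> str:
    """Claim 4: change the output format, here to compact, key-sorted JSON."""
    return json.dumps(record, separators=(",", ":"), sort_keys=True)


def encode(text: str) -> bytes:
    """Claim 5: encode the (possibly reduced) log as UTF-8 bytes."""
    return text.encode("utf-8")


def compress(data: bytes) -> bytes:
    """Claim 6: compress the encoded log before transmission."""
    return zlib.compress(data, 9)


def prepare_transmission(log_type: str, record: dict, measured_kbps: float,
                         instruction: Optional[bool] = None) -> dict:
    """Run the whole terminal-side pipeline and return what the transmitting
    means would send, whether it was reduced, and where it goes (claim 7)."""
    reduced = should_reduce(measured_kbps, instruction)
    payload = reduce_log(log_type, record) if reduced else record
    data = compress(encode(change_format(payload)))
    return {"destination": DESTINATIONS[log_type], "reduced": reduced, "payload": data}


def decode_payload(data: bytes) -> dict:
    """Management-server side (claim 8 receiving means): reverse the pipeline."""
    return json.loads(zlib.decompress(data).decode("utf-8"))


if __name__ == "__main__":
    for kbps in (64, 2000):
        out = prepare_transmission("attack_monitoring", SAMPLE_ATTACK_LOG, kbps)
        print(kbps, "kbps -> reduced:", out["reduced"],
              "bytes:", len(out["payload"]), "to", out["destination"])
```

Running the block with the two sample rates shows the same record being sent whole on the wide line and cut down to its time and attack type on the narrow one; passing `instruction=True` or `instruction=False` reproduces the claim 3 override regardless of the measured rate. A deployment would replace the constant threshold with a live measurement and the destination table with the terminal's configured settings.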
Description
This invention relates to a training terminal, a cyber training system, a log collection method, and a program.

With the expansion of communication network usage, security measures against cyberattacks and other threats have become increasingly important. In response, private companies conduct personnel training through cyber exercises. A typical cyber exercise assumes a high-quality network environment, in which a management server controls the execution of simulated cyberattacks on the exercise terminals as the exercise progresses. To make exercises effective and practical, it is preferable to use the user's normal environment rather than a simulated environment prepared specifically for exercises. In recent years, mobile and wireless communications have become widespread, so users' environments may themselves rely on mobile communications. However, the sequential execution of attack scenarios in a cyber exercise requires a high-quality network between the management server and the exercise terminal. A practical exercise environment built on the user's own environment may therefore suffer unstable communication, which can affect the cyber exercise.

For example, Patent Document 1 discloses control over log collection during cyber exercises. Specifically, the exercise terminal records the results of the simulated cyberattack and the actions taken by the exerciser while the cyber exercise runs, and sends the recorded logs online to the management server. The management server displays the execution status of the cyber exercise based on the transmitted logs, which allows administrators to understand the exercise status. If communication becomes unstable, log transmission may fail, and the management server may be unable to confirm the status of the cyber exercise.

Patent Document 1: Japanese Patent Publication No. 2019-191670

The drawings are as follows:
- A block diagram of the cyber exercise system according to the embodiment.
- An overview of the log management process according to the embodiment.
- A flowchart showing an example of the log management process according to the embodiment.
- A diagram illustrating the flow of the log management process according to the embodiment.
- An example of a log according to the present invention.
- A block diagram showing the configuration of a training terminal with a minimal setup.
- A flowchart showing the processing of a training terminal with a minimal configuration.
- An example of the hardware configuration of the cyber exercise system according to the embodiment.

<Implementation>
A cyber exercise system according to one embodiment of the present invention is described below with reference to the drawings. In the drawings used in the following description, parts not related to the present invention may be omitted from the description and not shown.

(System configuration)
Figure 1 is a block diagram of a cyber exercise system according to an embodiment. As shown in Figure 1, the cyber exercise system 1 comprises a management server 10 and user terminals 20a, 20b, and 20c. The management server 10 distributes data to the user terminals 20a to 20c for use in the cyber exercises performed on those terminals. The user terminals 20a to 20c conduct the cyber exercises using the distributed data. The distributed data includes an exercise scenario and attack-related modules. The exercise scenario defines the execution schedule and conditions for a simulated cyber attack. The attack-related modules include the programs necessary to simulate cyber attacks such as malware.

The user terminals 20a to 20c log the content and results of the simulated cyber attack during the cyber exercise, as well as the countermeasures taken by the exercisers, and send this log to the management server 10 while the cyber exercise is running. The user terminals 20a to 20c are the terminal devices that participants in the cyber exercise normally use for work or other purposes; for example, they are personal computers (PCs), tablet terminals, smartphones, and other mobile devices. The management server 10 and the user terminals 20a to 20c are connected via a network NW that allows them to communicate. The network NW may use a line with narrow bandwidth that is prone to unstable communication conditions such as delays and interruptions.

The management server 10 comprises an input receiving unit 11, a control unit 12, a display unit 13, a storage unit 14, and a communication unit 15. The input receiving unit 11 includes input devices such as a touch panel and a keyboard; it receives operations performed by a user (for example, the administrator of a cyber exercise) through those input devices, generates information corresponding to each operation, and outputs the generated information to the control unit 12. The control unit 12 controls the operation of the