US-12621319-B2 - Processing device, processing method, and non-transitory computer-readable medium in which control program is stored
Abstract
A processing device acquires a value of a first kind transmission performance index and a value of a second kind transmission performance index of each of a plurality of failed attack traffics being associated with a failed attack on an apparatus in a network, and a value of the first kind transmission performance index and a value of the second kind transmission performance index of each of a plurality of successful attack traffics being associated with a successful attack; and forms first attacked distribution information including information about a plurality of areas including a failed attack area and a successful attack area based on a value of the first kind transmission performance index and a value of the second kind transmission performance index for the plurality of failed attack traffics and the plurality of successful attack traffics.
Inventors
- Shohei HIRUTA
- Satoshi Ikeda
Assignees
- NEC CORPORATION
Dates
- Publication Date
- 2026-05-05
- Application Date
- 2020-08-27
Claims (12)
- 1 . A processing device comprising: at least one memory storing instructions, and at least one processor configured to execute, according to the instructions, a process comprising: acquiring, for each of a plurality of failed attack traffics being associated with a failed attack on an apparatus in a network, a first value of a first kind transmission performance index and a first value of a second kind transmission performance index, and acquiring, for each of a plurality of successful attack traffics being associated with a successful attack, a second value of the first kind transmission performance index and a second value of the second kind transmission performance index; forming first attacked distribution information including information about a plurality of areas including a failed attack area and a successful attack area in a coordinate plane with the first kind transmission performance index and the second kind transmission performance index as two coordinate axes, based on the first value of the first kind transmission performance index and the first value of the second kind transmission performance index for the plurality of failed attack traffics, and the second value of the first kind transmission performance index and the second value of the second kind transmission performance index for the plurality of successful attack traffics; and disconnecting the apparatus associated with the successful attack.
- 2 . The processing device according to claim 1 , wherein the forming includes: calculating a distribution of a failed attack probability density in the coordinate plane for the failed attack traffic, based on the first value of the first kind transmission performance index and the first value of the second kind transmission performance index of the plurality of failed attack traffics, calculating a distribution of a successful attack probability density in the coordinate plane for the successful attack traffic, based on the second value of the first kind transmission performance index and the second value of the second kind transmission performance index of the plurality of successful attack traffics, assigning each unit area in the coordinate plane to any of a failed attack area, a successful attack area, and an unconfirmed attack area, based on magnitude between each of the failed attack probability density and the successful attack probability density of each unit area and an area determination threshold value, and forming the first attacked distribution information by associating each unit area with an area classification being assigned to each unit area.
- 3 . The processing device according to claim 2 , wherein the process further comprises acquiring transmission performance of a plurality of first traffic flows related to a first security alert being notified from a network-based intrusion detection device configured to detect an attack on the apparatus in the network, the first attacked distribution information is related to a second security alert being notified from the network-based intrusion detection device, and the process further comprises: calculating a third value of the first kind transmission performance index and a third value of the second kind transmission performance index of each first traffic flow, based on the acquired transmission performance of the plurality of first traffic flows, forming second attacked distribution information including information about a confirmed attack area related to the first security alert in the coordinate plane, based on a calculated value of the first kind transmission performance index and a calculated value of the second kind transmission performance index of each first traffic flow, and determining a priority degree of the first security alert, based on the first attacked distribution information and the second attacked distribution information.
- 4 . The processing device according to claim 3 , wherein the determining includes: assigning a first priority degree to the first security alert when at least a part of the confirmed attack area indicated by the second attacked distribution information overlaps the successful attack area indicated by the first attacked distribution information, calculating a proportion of a portion area of the confirmed attack area that does not overlap the failed attack area when the confirmed attack area indicated by the second attacked distribution information and the successful attack area indicated by the first attacked distribution information do not overlap each other, assigning a second priority degree to the first security alert when the calculated proportion is greater than a priority degree determination threshold value, and assigning a third priority degree to the first security alert when the calculated proportion is equal to or less than a priority degree determination threshold value, the first priority degree has a priority degree equal to the second priority degree or higher than the second priority degree, and the third priority degree has a priority degree lower than both of the first priority degree and the second priority degree.
- 5 . The processing device according to claim 3 , wherein the process further comprises: displaying, on display means, a priority degree of the first security alert, and information about the plurality of first traffic flows related to the first security alert; and receiving a feedback signal indicating success or failure of an attack by each of the plurality of displayed first traffic flows.
- 6 . The processing device according to claim 5 , wherein a first table configured to hold the first value of the first kind transmission performance index and the first value of the second kind transmission performance index for the plurality of failed attack traffics and a second table configured to hold the second value of the first kind transmission performance index and the second value of the second kind transmission performance index for the plurality of successful attack traffics are stored in storage means, and the process further comprises: updating the second table by using a fourth value of the first kind transmission performance index and a fourth value of the second kind transmission performance index of a first traffic flow indicating success of an attack by the feedback signal, and updating the first table by using a fifth value of the first kind transmission performance index and a fifth value of the second kind transmission performance index of a first traffic flow indicating failure of an attack by the feedback signal.
- 7 . The processing device according to claim 6 , wherein the process further comprises: storing the formed first attacked distribution information in the storage means, and updating the stored first attacked distribution information, based on the updated first table and the updated second table.
- 8 . The processing device according to claim 2 , wherein the process further comprises acquiring transmission performance of a plurality of first traffic flows related to a first security alert being notified from a network-based intrusion detection device configured to detect an attack on the apparatus in the network, the first attacked distribution information is related to a second security alert being notified from the network-based intrusion detection device, and the process further comprises: calculating a third value of the first kind transmission performance index and a third value of the second kind transmission performance index of each first traffic flow, based on the acquired transmission performance of the plurality of first traffic flows, forming second attacked distribution information including information about a confirmed attack area related to the first security alert in the coordinate plane, based on a calculated value of the first kind transmission performance index and a calculated value of the second kind transmission performance index of each first traffic flow, and controlling a display manner by display means among a first display manner in which the failed attack area, the successful attack area, and the unconfirmed attack area are displayed in the coordinate plane by the display means in manners different from one another, a second display manner in which the confirmed attack area is displayed in the coordinate plane by the display means, and a third display manner in which the failed attack area, the successful attack area, the unconfirmed attack area, and the confirmed attack area are displayed in the coordinate plane by the display means.
- 9 . The processing device according to claim 1 , wherein the process further comprises displaying the plurality of areas in the coordinate plane in manners different from one another on display means.
- 10 . A processing device comprising: at least one memory storing instructions, and at least one processor configured to execute, according to the instructions, a process comprising: acquiring transmission performance of a plurality of first traffic flows related to a first security alert being notified from a network-based intrusion detection device configured to detect an attack on an apparatus in a network; calculating a first value of a first kind transmission performance index and a first value of a second kind transmission performance index of each first traffic flow, based on the acquired transmission performance of the plurality of first traffic flows, forming second attacked distribution information including information about a confirmed attack area that is an area in a coordinate plane with the first kind transmission performance index and the second kind transmission performance index as two coordinate axes and is related to the first security alert, based on a calculated value of the first kind transmission performance index and a calculated value of the second kind transmission performance index of each first traffic flow; determining a priority degree of the first security alert, based on the second attacked distribution information, and first attacked distribution information including information about a plurality of areas including a failed attack area and a successful attack area in the coordinate plane; and disconnecting the attacked apparatus.
- 11 . A processing method comprising: acquiring, for each of a plurality of failed attack traffics being associated with a failed attack on an apparatus in a network, a first value of a first kind transmission performance index and a first value of a second kind transmission performance index, and acquiring, for each of a plurality of successful attack traffics being associated with a successful attack, a second value of the first kind transmission performance index and a second value of the second kind transmission performance index; forming first attacked distribution information including information about a plurality of areas including a failed attack area and a successful attack area in a coordinate plane with the first kind transmission performance index and the second kind transmission performance index as two coordinate axes, based on the first value of the first kind transmission performance index and the first value of the second kind transmission performance index for the plurality of failed attack traffics, and the second value of the first kind transmission performance index and the second value of the second kind transmission performance index for the plurality of successful attack traffics; and disconnecting the apparatus associated with the successful attack.
- 12 . A non-transitory computer-readable medium configured to store a control program causing a processing device to execute processing of: acquiring, for each of a plurality of failed attack traffics being associated with a failed attack on an apparatus in a network, a first value of a first kind transmission performance index and a first value of a second kind transmission performance index, and acquiring, for each of a plurality of successful attack traffics being associated with a successful attack, a second value of the first kind transmission performance index and a second value of the second kind transmission performance index; forming first attacked distribution information including information about a plurality of areas including a failed attack area and a successful attack area in a coordinate plane with the first kind transmission performance index and the second kind transmission performance index as two coordinate axes, based on the first value of the first kind transmission performance index and the first value of the second kind transmission performance index for the plurality of failed attack traffics, and the second value of the first kind transmission performance index and the second value of the second kind transmission performance index for the plurality of successful attack traffics; and disconnecting the apparatus associated with the successful attack.
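The following is an added worked example, written for this page and not code from NEC or from the patent: it implements the area classification of claim 2 (two probability-density distributions over a grid of unit areas, compared against an area determination threshold), the confirmed attack area of claims 3 and 10, the priority rule of claim 4 and the feedback update of claims 6 and 7. The patent text here does not say which two transmission performance indices are used, how the probability densities are estimated, or exactly how the threshold is applied, so all of those are assumptions in the code: the axes are simply called index_a and index_b, densities are Gaussian kernel density estimates evaluated at the centre of each square unit area, and a cell is assigned to the class with the larger density only when that density reaches the threshold. The traffic points and alert flows are constructed sample data, not measurements.

```python
"""Added example (not the patent's code): attack distribution map and alert priority.

Assumed throughout: unit areas are square grid cells of side CELL_SIZE, the
"probability density" of each class is a Gaussian KDE at the cell centre, and
the two transmission performance indices are unnamed axes index_a / index_b.
"""
import math
from typing import Dict, List, Set, Tuple

Point = Tuple[float, float]   # (index_a, index_b) of one traffic flow
Cell = Tuple[int, int]        # one unit area of the coordinate plane

FAILED, SUCCESSFUL, UNCONFIRMED = "failed", "successful", "unconfirmed"
HIGH, MEDIUM, LOW = 1, 2, 3   # first, second and third priority degree

CELL_SIZE = 1.0           # side of a unit area (assumed)
BANDWIDTH = 1.0           # KDE bandwidth (assumed)
AREA_THRESHOLD = 0.02     # "area determination threshold value" (assumed)
PRIORITY_THRESHOLD = 0.5  # "priority degree determination threshold value" (assumed)

# Constructed sample data: failed attacks cluster near (2.5, 8.5) and
# successful attacks near (8.5, 2.5) in the index plane.
FAILED_TRAFFICS: List[Point] = [(2.5, 8.5), (2.5, 7.5), (3.5, 8.5),
                                (1.5, 8.5), (2.5, 9.5), (3.5, 7.5)]
SUCCESSFUL_TRAFFICS: List[Point] = [(8.5, 2.5), (8.5, 1.5), (7.5, 2.5),
                                    (9.5, 2.5), (8.5, 3.5), (7.5, 1.5)]
# Flows of three hypothetical IDS alerts (constructed).
ALERT_A: List[Point] = [(8.2, 2.4), (8.7, 2.9)]              # inside the successful area
ALERT_B: List[Point] = [(2.4, 8.6), (2.6, 7.7), (2.1, 8.1)]  # inside the failed area
ALERT_C: List[Point] = [(5.5, 5.5), (6.5, 6.5), (2.4, 8.6)]  # mostly unconfirmed cells


def cell_of(p: Point, cell_size: float = CELL_SIZE) -> Cell:
    """Unit area containing a point of the coordinate plane."""
    return (math.floor(p[0] / cell_size), math.floor(p[1] / cell_size))


def grid_cells(points: List[Point], cell_size: float, margin: int = 1) -> List[Cell]:
    """All unit areas of a grid covering the points, plus a margin of cells."""
    xs = [cell_of(p, cell_size)[0] for p in points]
    ys = [cell_of(p, cell_size)[1] for p in points]
    return [(i, j)
            for i in range(min(xs) - margin, max(xs) + margin + 1)
            for j in range(min(ys) - margin, max(ys) + margin + 1)]


def kde_at_cells(points: List[Point], cells: List[Cell],
                 cell_size: float, bandwidth: float) -> Dict[Cell, float]:
    """Gaussian kernel density of the sample, evaluated at each cell centre."""
    norm = 1.0 / (len(points) * 2.0 * math.pi * bandwidth ** 2)
    density: Dict[Cell, float] = {}
    for (i, j) in cells:
        cx, cy = (i + 0.5) * cell_size, (j + 0.5) * cell_size
        density[(i, j)] = norm * sum(
            math.exp(-((cx - x) ** 2 + (cy - y) ** 2) / (2.0 * bandwidth ** 2))
            for x, y in points)
    return density


def form_first_distribution(failed: List[Point], successful: List[Point],
                            cell_size: float = CELL_SIZE, bandwidth: float = BANDWIDTH,
                            threshold: float = AREA_THRESHOLD) -> Dict[Cell, str]:
    """Claim 2: assign every unit area to failed / successful / unconfirmed.

    Rule used here (one reading of the claim): the cell goes to the class with
    the larger density, provided that density reaches the threshold; otherwise
    the evidence is too thin and the cell is left unconfirmed.
    """
    cells = grid_cells(failed + successful, cell_size)
    p_fail = kde_at_cells(failed, cells, cell_size, bandwidth)
    p_succ = kde_at_cells(successful, cells, cell_size, bandwidth)
    classification: Dict[Cell, str] = {}
    for c in cells:
        if p_succ[c] >= threshold and p_succ[c] > p_fail[c]:
            classification[c] = SUCCESSFUL
        elif p_fail[c] >= threshold and p_fail[c] > p_succ[c]:
            classification[c] = FAILED
        else:
            classification[c] = UNCONFIRMED
    return classification


def form_confirmed_area(alert_flows: List[Point], cell_size: float = CELL_SIZE) -> Set[Cell]:
    """Claims 3 and 10: the unit areas hit by the flows of one security alert."""
    return {cell_of(p, cell_size) for p in alert_flows}


def determine_priority(first_dist: Dict[Cell, str], confirmed: Set[Cell],
                       threshold: float = PRIORITY_THRESHOLD) -> int:
    """Claim 4: first degree on any overlap with the successful area, otherwise
    second or third degree by the share of the confirmed area that lies outside
    the failed area. A cell outside the learned grid counts as unconfirmed."""
    if not confirmed:
        raise ValueError("alert has no traffic flows")
    if any(first_dist.get(c) == SUCCESSFUL for c in confirmed):
        return HIGH
    outside_failed = sum(1 for c in confirmed if first_dist.get(c) != FAILED)
    return MEDIUM if outside_failed / len(confirmed) > threshold else LOW


def apply_feedback(failed: List[Point], successful: List[Point],
                   flows: List[Point], verdicts: List[bool]) -> Tuple[List[Point], List[Point]]:
    """Claims 6 and 7: analyst feedback (True = attack succeeded) appends each flow
    to the successful or failed table; the caller then re-forms the distribution."""
    failed, successful = list(failed), list(successful)
    for p, succeeded in zip(flows, verdicts):
        (successful if succeeded else failed).append(p)
    return failed, successful


if __name__ == "__main__":
    dist = form_first_distribution(FAILED_TRAFFICS, SUCCESSFUL_TRAFFICS)
    for name, flows in (("A", ALERT_A), ("B", ALERT_B), ("C", ALERT_C)):
        print("alert", name, "priority degree", determine_priority(dist, form_confirmed_area(flows)))
    f2, s2 = apply_feedback(FAILED_TRAFFICS, SUCCESSFUL_TRAFFICS, ALERT_C[:2], [True, True])
    print("cell (5, 5) after feedback:", form_first_distribution(f2, s2)[(5, 5)])
```

With the sample data, alert A overlaps the successful area and gets the first priority degree, alert B lies entirely in the failed area and gets the third, and alert C, two of whose three cells are unconfirmed, gets the second. Feeding back that alert C's two unconfirmed flows were in fact successful and re-forming the distribution turns cell (5, 5) from unconfirmed into successful, which is the update loop of claims 6 and 7; the area threshold and KDE bandwidth decide how quickly a few feedback points can flip a region, so both deserve tuning on real data.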
Description
This application is a National Stage Entry of PCT/JP2020/032386 filed on Aug. 27, 2020, the contents of which are incorporated herein by reference in their entirety.

TECHNICAL FIELD
The present disclosure relates to a processing device, a processing method, and a non-transitory computer-readable medium storing a control program.

BACKGROUND ART
Many organizations, such as companies, operate a security operation center (SOC) or use an external SOC service in order to protect the organization's important information from cyber attacks. The SOC is a team that analyzes logs generated by information security apparatuses, servers, and the like, and detects and reports cyber attacks. One of the information security apparatuses used in a SOC is a network-based intrusion detection system (IDS). A network-based IDS detects attacks on apparatuses present on a network and issues security alerts to an analyst. Based on a security alert, the analyst takes measures such as disconnecting the attacked apparatus from the network. As a related technique, a device that presents alert information, together with the importance of that alert information, to an analyst has been proposed (for example, Patent Literature 1).

CITATION LIST
Patent Literature
[Patent Literature 1] International Patent Publication No. WO2016/092834

SUMMARY OF INVENTION
Technical Problem
The present inventor has found that the alert information and its importance presented by the device disclosed in Patent Literature 1 may be insufficient as information for analyzing an attack. An object of the present disclosure is to provide a processing device, a processing method, and a non-transitory computer-readable medium storing a control program that are able to form useful information for analyzing an attack on a network apparatus.
Solution to Problem
A processing device according to a first aspect includes: a first acquisition means for acquiring a value of a first kind transmission performance index and a value of a second kind transmission performance index of each of a plurality of failed attack traffics being associated with a failed attack on an apparatus in a network, and a value of the first kind transmission performance index and a value of the second kind transmission performance index of each of a plurality of successful attack traffics being associated with a successful attack; and a distribution formation means for forming first attacked distribution information including information about a plurality of areas including a failed attack area and a successful attack area in a coordinate plane with the first kind transmission performance index and the second kind transmission performance index as two coordinate axes, based on a value of the first kind transmission performance index and a value of the second kind transmission performance index of the plurality of failed attack traffics, and a value of the first kind transmission performance index and a value of the second kind transmission performance index of the plurality of successful attack traffics.

A processing device according to a second aspect includes: an acquisition means for acquiring transmission performance of a plurality of first traffic flows related to a first security alert being notified from a network-based intrusion detection device configured to detect an attack on an apparatus in a network; a distribution formation means for calculating a value of a first kind transmission performance index and a value of a second kind transmission performance index of each first traffic flow, based on the acquired transmission performance of the plurality of first traffic flows, and forming second attacked distribution information including information about a confirmed attack area that is an area in a coordinate plane with the first kind transmission performance index and the second kind transmission performance index as two coordinate axes and is related to the first security alert, based on a calculated value of the first kind transmission performance index and a calculated value of the second kind transmission performance index of each first traffic flow; and a priority degree determination means for determining a priority degree of the first security alert, based on the second attacked distribution information, and first attacked distribution information including information about a plurality of areas including a failed attack area and a successful attack area in the coordinate plane.

A processing method according to a third aspect includes: acquiring a value of a first kind transmission performance index and a value of a second kind transmission performance index of each of a plurality of failed attack traffics being associated with a failed attack on an apparatus in a network, and a value of the first kind transmission performance index and a value of the