Information processing apparatus, information processing method, and computer readable medium

US 10,282,542 B2
Filed: 10/24/2013
Issued: 05/07/2019
Est. Priority Date: 10/24/2013
Status: Active Grant

First Claim

Patent Images

1. An information processing apparatus for detecting an attacked on one or more monitored target computing apparatuses, the information processing apparatus comprising:

a memory configured to store, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed; and

processing circuitry configured toreceive an observed event notice from one of the one or more monitored target computing apparatuses, the observed event notice including information notifying an observed event which is observed by the information system;

acquire corresponding event stage information describing the observed event received in the observed event notice information;

determine whether attack activity status information has been stored for the observed event;

create, in response to a determination that no attack activity status information has been stored for the observed event, new attack activity status information for the observed event based on the corresponding event stage information;

update, in response to a determination that attack activity status information has been stored for the observed event, an accumulated attack likelihood in the stored attack activity status information;

acquire the accumulated attack likelihood for the observed event from the attack activity status information corresponding to the observed event;

notify a user of an occurrence of an attack if the acquired accumulated attack likelihood is greater than a predefined value;

determine, if the acquired accumulated attack likelihood is less than or equal to the predefined value, a predicted observation event that can occur next byacquiring a post-event stage of the observed event from the corresponding event stage information,acquiring event stage information, including attack activity definition information, for an event corresponding to the acquired post-event stage that describes a pre-event stage corresponding to the acquired post-event stage of the observed event,determining whether pre-event stage conditions of the acquired attack activity definition information have been satisfied, andsetting as the predicted observation event the event corresponding to the acquired post-event stage if the pre-event stage conditions have been satisfied.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attack activity definition information database 111 stores, for a plurality of events, attack activity definition information describing an event, a precondition, and an achieved phenomenon. The event is observed by an information system when an attack against the information system is underway. The precondition is a prerequisite condition for the event to be observed. The achieved phenomenon is a phenomenon of the time after the event is observed. An event receiving part 108 receives observed event notice information notifying an observed event which is observed by the information system. An attack activity predicting part 105 acquires an achieved phenomenon from the attack activity definition information describing the observed event notified by the observed event notice information, and extracts an event that is predicted to be observed by the information system, based on the attack activity definition information describing a precondition corresponding to the acquired achieved phenomenon of the observed event.

22 Citations

15 Claims

1. An information processing apparatus for detecting an attacked on one or more monitored target computing apparatuses, the information processing apparatus comprising:
- a memory configured to store, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed; and
  
  processing circuitry configured toreceive an observed event notice from one of the one or more monitored target computing apparatuses, the observed event notice including information notifying an observed event which is observed by the information system;
  
  acquire corresponding event stage information describing the observed event received in the observed event notice information;
  
  determine whether attack activity status information has been stored for the observed event;
  
  create, in response to a determination that no attack activity status information has been stored for the observed event, new attack activity status information for the observed event based on the corresponding event stage information;
  
  update, in response to a determination that attack activity status information has been stored for the observed event, an accumulated attack likelihood in the stored attack activity status information;
  
  acquire the accumulated attack likelihood for the observed event from the attack activity status information corresponding to the observed event;
  
  notify a user of an occurrence of an attack if the acquired accumulated attack likelihood is greater than a predefined value;
  
  determine, if the acquired accumulated attack likelihood is less than or equal to the predefined value, a predicted observation event that can occur next byacquiring a post-event stage of the observed event from the corresponding event stage information,acquiring event stage information, including attack activity definition information, for an event corresponding to the acquired post-event stage that describes a pre-event stage corresponding to the acquired post-event stage of the observed event,determining whether pre-event stage conditions of the acquired attack activity definition information have been satisfied, andsetting as the predicted observation event the event corresponding to the acquired post-event stage if the pre-event stage conditions have been satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The information processing apparatus according to claim 1, wherein the processing circuitry is further configured to relate, when a new predicted observation event is determined based on the observed event, the updated accumulated attack likelihood to event stage information describing the new predicted observation event.
  - 3. The information processing apparatus according to claim 1, wherein the processing circuitry is further configured to notify a user of an occurrence of an attack by displaying a notice message notifying that an attack against the information system is underway.
  - 4. The information processing apparatus according to claim 1, whereinthe received observed event notice information includes a type of an observed event and a variable value specifying an observed event, andeach time the observed event notice information is received and a predicted observation event is determined, the processing circuitry is configured torelate an accumulated attack likelihood and a variable value notified by observed event notice information to event stage information describing a predicted observation event,acquire event stage information describing an event corresponding to a type of observed event notified by received observed event notice information, andcompare a variable value related to the acquired event stage information describing an event corresponding to a type of observed event with a variable value notified by observed event notice information, andupdate, if the compared variable values are identical, accumulated attack likelihood.
  - 5. The information processing apparatus according to claim 1, wherein the processing circuitry is further configured tostore event stage information describing a monitoring operation start threshold to cause a device included in the information system to start a predetermined monitoring operation, andcause, if the updated accumulated attack likelihood exceeds the monitoring operation start threshold, the device included in the information system to start the monitoring operation.
  - 6. The information processing apparatus according to claim 1, wherein the processing circuitry determines whether or not the pre-event stage conditions of the acquired attack activity definition information have been satisfied by referring to inference rule information that describes an inference logic.
  - 7. The information processing apparatus according to claim 1, wherein the processing circuitry determines whether the pre-event stage conditions of the acquired attack activity definition information have been satisfied by referring to configuration information that describes a configuration of the information system.
  - 8. The information processing apparatus according to claim 1, wherein the processing circuitry stores event stage information using a predicate logic.
  - 9. The information processing apparatus according to claim 1, wherein event stage information includes a process practice identifier indicating that a process of determining the predicted observation event is practiced even if a pre-event stage is unsatisfied for any one event, andthe processing circuitry is configured toacquire, even if a pre-event stage described in acquired event stage information is unsatisfied, the post-event stage of the observed event,acquire the event stage information describing the pre-event stage corresponding to the acquired post-event stage of the observed event, anddetermine the predicted observation event based on the acquired event stage information describing the pre-event stage, andwhen the acquired event stage information describing the pre-event stage does not describe a process practice identifier, if a pre-event stage described in the acquired event stage information describing the pre-event stage is unsatisfied, does not determine a predicted observation event.
  - 10. The information processing apparatus according to claim 1, wherein the information system accumulates event derivation information capable of deriving an event, including an event in the information system which is not notified by the observed event notice information, andwherein the processing circuitry is further configured toacquire event stage information describing the observed event notified by the observed event notice information received,determine whether or not a pre-event stage described in acquired event stage information is satisfied based on the event derivation information accumulated in the information system, andif the pre-event stage is satisfied, acquire the post-event stage of the observed event from acquired event stage information, acquire event stage information describing a pre-event stage corresponding to the acquired post-event stage of the observed event, and extract the predicted observation event.
  - 11. The information processing apparatus according to claim 10, wherein event stage information includes an attack likelihood value indicating a likelihood of an attack against the information system when an event is observed, andas a result of determining whether or not the pre-event stage is satisfied based on the event derivation information accumulated in the information system, if the pre-event stage is satisfied, the processing circuitry is configured toanalyze the event derivation information accumulated in the information system and select at least one event stage information from among a plurality of pieces of stored event stage information stored, andaccumulate an attack likelihood value described in the selected event stage information and an attack likelihood value, to obtain an accumulated value of an attack likelihood value.
  - 12. The information processing apparatus according to claim 1, wherein the processing circuitry is further configured to determine the accumulated attack likelihood based on a reception frequency of how often the observed event notice information is received.
  - 13. The information processing apparatus according to claim 7, wherein the processing circuitry is further configured to collect the configuration information from the information system.

14. An information processing method for detecting an attack on one or more monitored target computing apparatuses performed by a computer that stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed, the information processing method comprising:
- receiving an observed event notice from one or more of the one or more monitored target computing apparatuses, the observed event notice including information notifying an observed event which is observed by the information system;
  
  acquiring corresponding event stage information describing the observed event received in the observed event notice information;
  
  determining whether attack activity status information has been stored for the observed event,creating, in response to a determination that no attack activity status information has been stored for the observed event, new attack activity status information for the observed event based on the corresponding event stage information;
  
  updating, in response to a determination that attack activity status information has been stored for the observed event, an accumulated attack likelihood in the stored attack activity status information;
  
  acquiring the accumulated attack likelihood for the observed event from the attack activity status information corresponding to the observed event;
  
  notifying a user of an occurrence of an attack if the acquired accumulated attack likelihood is greater than a predefined value;
  
  determining, if the acquired accumulated attack likelihood is less than or equal to the predefined value, a predicted observation event that can occur next byacquiring a post-event stage of the observed event from the corresponding event stage information,acquiring event stage information, including attack activity definition information, for an event corresponding to the acquired post-event stage that describes a pre-event stage corresponding to the acquired post-event stage of the observed event,determining whether pre-event stage conditions of the acquired attack activity definition information have been satisfied, andsetting as the predicted observation event the event corresponding to the acquired post-event stage if the pre-event stage conditions have been satisfied.

15. A non-transitory computer readable medium storing a program to cause a computer that stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed, to execute a process for detecting an attack on one or more monitored target apparatuses that comprises:
- receiving an observed event notice from one of the one or more monitored target apparatuses, the observed event notice including information notifying an observed event which is observed by the information system;
  
  acquiring corresponding event stage information describing the observed event received in the observed event notice information;
  
  determining whether attack activity status information has been stored for the observed event;
  
  creating, in response to a determination that no attack activity status information has been stored for the observed event, new attack activity status information for the observed event based on the corresponding event stage information;
  
  updating, in response to a determination that attack activity status information has been stored for the observed event, an accumulated attack likelihood in the stored attack activity status information;
  
  acquiring the accumulated attack likelihood for the observed event from the attack activity status information corresponding to the observed event;
  
  notifying a user of an occurrence of an attack if the acquired accumulated attack likelihood is greater than a predefined value;
  
  determining, if the acquired accumulated attack likelihood is less than or equal to the predefined value, a predicted observation event that can occur next byacquiring a post-event stage of the observed event from the corresponding event stage information,acquiring event stage information, including attack activity definition information, for an event corresponding to the acquired post-event stage that describes a pre-event stage corresponding to the acquired post-event stage of the observed event,determining whether pre-event stage conditions of the acquired attack activity definition information have been satisfied, andsetting as the predicted observation event the event corresponding to the acquired post-event stage if the pre-event stage conditions have been satisfied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitsubishi Electric Corporation
Original Assignee
Mitsubishi Electric Corporation
Inventors
Kawauchi, Kiyoto
Primary Examiner(s)
Plecha, Thaddeus J

Application Number

US15/025,153
Publication Number

US 20160239661A1
Time in Patent Office

2,021 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Information processing apparatus, information processing method, and computer readable medium

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Information processing apparatus, information processing method, and computer readable medium

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others