Information processing apparatus, information processing method, and computer readable medium
Abstract
An attack activity definition information database 111 stores, for a plurality of events, attack activity definition information describing an event, a precondition, and an achieved phenomenon. The event is observed by an information system when an attack against the information system is underway. The precondition is a prerequisite condition for the event to be observed. The achieved phenomenon is a phenomenon of the time after the event is observed. An event receiving part 108 receives observed event notice information notifying an observed event which is observed by the information system. An attack activity predicting part 105 acquires an achieved phenomenon from the attack activity definition information describing the observed event notified by the observed event notice information, and extracts an event that is predicted to be observed by the information system, based on the attack activity definition information describing a precondition corresponding to the acquired achieved phenomenon of the observed event.
22 Citations
15 Claims
1. An information processing apparatus for detecting an attack on one or more monitored target computing apparatuses, the information processing apparatus comprising:
- a memory configured to store, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed; and
- processing circuitry configured to receive an observed event notice from one of the one or more monitored target computing apparatuses, the observed event notice including information notifying an observed event which is observed by the information system;
- acquire corresponding event stage information describing the observed event received in the observed event notice information;
- determine whether attack activity status information has been stored for the observed event;
- create, in response to a determination that no attack activity status information has been stored for the observed event, new attack activity status information for the observed event based on the corresponding event stage information;
- update, in response to a determination that attack activity status information has been stored for the observed event, an accumulated attack likelihood in the stored attack activity status information;
- acquire the accumulated attack likelihood for the observed event from the attack activity status information corresponding to the observed event;
- notify a user of an occurrence of an attack if the acquired accumulated attack likelihood is greater than a predefined value;
- determine, if the acquired accumulated attack likelihood is less than or equal to the predefined value, a predicted observation event that can occur next by acquiring a post-event stage of the observed event from the corresponding event stage information, acquiring event stage information, including attack activity definition information, for an event corresponding to the acquired post-event stage that describes a pre-event stage corresponding to the acquired post-event stage of the observed event, determining whether pre-event stage conditions of the acquired attack activity definition information have been satisfied, and setting as the predicted observation event the event corresponding to the acquired post-event stage if the pre-event stage conditions have been satisfied.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. An information processing method for detecting an attack on one or more monitored target computing apparatuses performed by a computer that stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed, the information processing method comprising:
- receiving an observed event notice from one or more of the one or more monitored target computing apparatuses, the observed event notice including information notifying an observed event which is observed by the information system;
- acquiring corresponding event stage information describing the observed event received in the observed event notice information;
- determining whether attack activity status information has been stored for the observed event;
- creating, in response to a determination that no attack activity status information has been stored for the observed event, new attack activity status information for the observed event based on the corresponding event stage information;
- updating, in response to a determination that attack activity status information has been stored for the observed event, an accumulated attack likelihood in the stored attack activity status information;
- acquiring the accumulated attack likelihood for the observed event from the attack activity status information corresponding to the observed event;
- notifying a user of an occurrence of an attack if the acquired accumulated attack likelihood is greater than a predefined value;
- determining, if the acquired accumulated attack likelihood is less than or equal to the predefined value, a predicted observation event that can occur next by acquiring a post-event stage of the observed event from the corresponding event stage information, acquiring event stage information, including attack activity definition information, for an event corresponding to the acquired post-event stage that describes a pre-event stage corresponding to the acquired post-event stage of the observed event, determining whether pre-event stage conditions of the acquired attack activity definition information have been satisfied, and setting as the predicted observation event the event corresponding to the acquired post-event stage if the pre-event stage conditions have been satisfied.

15. A non-transitory computer readable medium storing a program to cause a computer that stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed, to execute a process for detecting an attack on one or more monitored target apparatuses that comprises:
- receiving an observed event notice from one of the one or more monitored target apparatuses, the observed event notice including information notifying an observed event which is observed by the information system;
- acquiring corresponding event stage information describing the observed event received in the observed event notice information;
- determining whether attack activity status information has been stored for the observed event;
- creating, in response to a determination that no attack activity status information has been stored for the observed event, new attack activity status information for the observed event based on the corresponding event stage information;
- updating, in response to a determination that attack activity status information has been stored for the observed event, an accumulated attack likelihood in the stored attack activity status information;
- acquiring the accumulated attack likelihood for the observed event from the attack activity status information corresponding to the observed event;
- notifying a user of an occurrence of an attack if the acquired accumulated attack likelihood is greater than a predefined value;
- determining, if the acquired accumulated attack likelihood is less than or equal to the predefined value, a predicted observation event that can occur next by acquiring a post-event stage of the observed event from the corresponding event stage information, acquiring event stage information, including attack activity definition information, for an event corresponding to the acquired post-event stage that describes a pre-event stage corresponding to the acquired post-event stage of the observed event, determining whether pre-event stage conditions of the acquired attack activity definition information have been satisfied, and setting as the predicted observation event the event corresponding to the acquired post-event stage if the pre-event stage conditions have been satisfied.

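The detection loop that the abstract and claims 1, 14 and 15 describe (store event stage information, create or update per-event attack activity status, alert above a predefined value, otherwise predict the next observable event whose pre-event stage matches and whose pre-event stage conditions hold), as an added Python example that is not part of the patent. The stage table, likelihood weights, threshold and the precondition model (a set of events that must already be in the status store) are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EventStage:
    event: str           # observed event name
    pre_stage: str       # attack stage before the event is observed
    post_stage: str      # attack stage reached after the event is observed
    likelihood: float    # per-observation contribution to the accumulated likelihood (assumed)
    preconditions: frozenset = frozenset()  # events already in the status store -> pre-stage condition holds (assumed)

@dataclass
class ActivityStatus:  # attack activity status information, kept per observed event
    event: str
    stage: str
    accumulated_likelihood: float

# Constructed sample table with kill-chain-like stage names (illustrative only).
STAGE_TABLE = {
    "port_scan":    EventStage("port_scan",    "initial", "recon",   0.2),
    "login_fail":   EventStage("login_fail",   "recon",   "access",  0.3, frozenset({"port_scan"})),
    "new_service":  EventStage("new_service",  "access",  "persist", 0.4, frozenset({"port_scan", "login_fail"})),
    "large_upload": EventStage("large_upload", "persist", "exfil",   0.5, frozenset({"new_service"})),
}
THRESHOLD = 0.6  # the claims' "predefined value" (assumed)

class AttackTracker:
    def __init__(self, table=STAGE_TABLE, threshold=THRESHOLD):
        self.table, self.threshold, self.status = table, threshold, {}

    def _update_status(self, info):
        # create new status on first observation, otherwise accumulate likelihood
        st = self.status.get(info.event)
        if st is None:
            st = self.status[info.event] = ActivityStatus(info.event, info.post_stage, info.likelihood)
        else:
            st.accumulated_likelihood += info.likelihood
        return st.accumulated_likelihood

    def _predict_next(self, info):
        # candidates: events whose pre-event stage equals the observed event's post-event
        # stage; keep only those whose pre-event stage conditions are already satisfied
        return sorted(c.event for c in self.table.values()
                      if c.pre_stage == info.post_stage and c.preconditions.issubset(self.status))

    def receive(self, event):
        # handle one observed event notice: alert above threshold, else predict the next event
        info = self.table.get(event)
        if info is None:  # event not in the stage table: nothing to track or predict
            return {"event": event, "alert": False, "likelihood": 0.0, "predicted": []}
        score = self._update_status(info)
        predicted = [] if score > self.threshold else self._predict_next(info)
        return {"event": event, "alert": score > self.threshold, "likelihood": score, "predicted": predicted}
```

Feeding the four sample events in order yields a prediction at each step and no alert; a repeated `large_upload` pushes that event's accumulated likelihood past the threshold, while a `login_fail` seen without a prior `port_scan` predicts nothing because the precondition is unmet.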
Specification