SECURITY EVENT MONITORING DEVICE, METHOD, AND PROGRAM
First Claim
1. A security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, the security event monitoring device comprising:
a storage module which stores in advance a correlation rule that is applied when performing a correlation analysis on each of the logs;
a log collection unit which receives each of the logs from each of the monitoring target devices;
a correlation analysis unit which generates scenario candidates in which each of the logs is associated with each other by applying the correlation rule to each of the logs, and stores the scenario candidates to the storage module along with an importance degree of the scenario candidate given by the correlation rule;
a scenario candidate evaluation unit which recalculates the importance degree for each of the scenario candidates; and
a result display unit which displays/outputs the scenario candidate with the recalculated high importance degree, wherein the scenario candidate evaluation unit comprises:
a user association degree evaluation function which enumerates possible users who may have done each of the operations contained in each of the scenario candidates, and calculates user association degrees that are relevancies of each of the users for each of the operations;
an operation association degree evaluation function which calculates operation association degrees that are relevancies between each of the operations of each of the scenario candidates; and
a scenario candidate importance degree reevaluation function which recalculates the importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees.
Abstract
The security event monitoring device includes: a storage module which stores in advance a correlation rule; a log collection unit which receives each log from each monitoring target device; a correlation analysis unit which generates scenario candidates by associating each of the logs; a scenario candidate evaluation unit which calculates the importance degrees of each scenario candidate; and a result display unit which displays/outputs the scenario candidate of a high importance degree. The scenario candidate evaluation unit includes: a user association degree evaluation function which calculates user association degrees; an operation association degree evaluation function which calculates the operation association degrees; and a scenario candidate importance reevaluation function which recalculates the importance degrees of each of the scenario candidates by each user according to the user association degrees and the operation association degrees.
10 Claims
1. A security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, the security event monitoring device comprising:
a storage module which stores in advance a correlation rule that is applied when performing a correlation analysis on each of the logs; a log collection unit which receives each of the logs from each of the monitoring target devices; a correlation analysis unit which generates scenario candidates in which each of the logs is associated with each other by applying the correlation rule to each of the logs, and stores the scenario candidates to the storage module along with an importance degree of the scenario candidate given by the correlation rule; a scenario candidate evaluation unit which recalculates the importance degree for each of the scenario candidates; and a result display unit which displays/outputs the scenario candidate with the recalculated high importance degree, wherein the scenario candidate evaluation unit comprises: a user association degree evaluation function which enumerates possible users who may have done each of the operations contained in each of the scenario candidates, and calculates user association degrees that are relevancies of each of the users for each of the operations; an operation association degree evaluation function which calculates operation association degrees that are relevancies between each of the operations of each of the scenario candidates; and a scenario candidate importance degree reevaluation function which recalculates the importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A security event monitoring method used for a security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, wherein:
a log collection unit receives each of the logs from each of the monitoring target devices; a correlation analysis unit generates scenario candidates in which each of the logs is associated with each other by applying a correlation rule to each of the logs; the correlation analysis unit stores each of the scenario candidates to the storage module along with importance degrees of the scenario candidates given by the correlation rule; a user association degree evaluation function of a scenario candidate evaluation unit enumerates possible users who may have done each of the operations contained in each of the scenario candidates; the user association degree evaluation function calculates the user association degrees that are relevancies of each of the users for each of the operations; an operation association degree evaluation function of the scenario candidate evaluation unit calculates operation association degrees that are relevancies between each of the operations of each of the scenario candidates; a scenario candidate importance degree recalculation function of the scenario candidate evaluation unit recalculates the importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees; and a result display unit displays/outputs the scenario candidate of the high importance degree.
9. A non-transitory computer readable recording medium storing a security event monitoring program used in a security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, the program causing a computer provided to the security event monitoring device to execute:
a procedure for receiving each of the logs from each of the monitoring target devices; a procedure for generating scenario candidates in which each of the logs is associated by applying a correlation rule given in advance to each of the logs; a procedure for storing each of the scenario candidates along with the importance degrees of the scenario candidates given by the correlation rule; a procedure for enumerating possible users who may have done each of the operations contained in each of the scenario candidates; a procedure for calculating user association degrees that are relevancies of each of the users for each of the operations; a procedure for calculating operation association degrees that are relevancies between each of the operations of each of the scenario candidates; a procedure for recalculating importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees; and a procedure for displaying/outputting the scenario candidate of the high importance degree.
10. A security event monitoring device which detects a specific operation from logs that are records of operations conducted on a plurality of monitoring target devices connected mutually on a same local network, the security event monitoring device comprising:
storage means for storing in advance a correlation rule that is applied when performing a correlation analysis on each of the logs; log collection means for receiving each of the logs from each of the monitoring target devices; correlation analysis means for generating scenario candidates in which each of the logs is associated with each other by applying the correlation rule to each of the logs, and storing the scenario candidates to the storage means along with an importance degree of the scenario candidate given by the correlation rule; scenario candidate evaluation means for recalculating the importance degree for each of the scenario candidates; and result display means for displaying/outputting the scenario candidate with the recalculated high importance degree, wherein the scenario candidate evaluation means comprises: a user association degree evaluation function which enumerates possible users who may have done each of the operations contained in each of the scenario candidates, and calculates user association degrees that are relevancies of each of the users for each of the operations; an operation association degree evaluation function which calculates operation association degrees that are relevancies between each of the operations of each of the scenario candidates; and a scenario candidate importance degree reevaluation function which recalculates the importance degrees of each of the scenario candidates by each of the users according to the user association degrees and the operation association degrees.
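The pipeline of claims 1 and 8 (correlate logs into scenario candidates, enumerate possible users per operation, then recalculate the importance degree per user from user and operation association degrees), as an added worked example that is not the patent's own code. The log layout, the rule form (ordered operation sequence, time window, base importance) and the scoring formulas are assumptions chosen for illustration; the logs are constructed.

```python
from itertools import product

# Constructed sample logs: device, minute of day, operation, and the possible users
# with their user association degree. The shared terminal pc2 records no user name,
# so two people are candidates for the same copy operation.
LOGS = [
    {"dev": "pc1", "t": 600, "op": "read_secret", "users": {"alice": 1.0}},
    {"dev": "pc2", "t": 615, "op": "copy_usb", "users": {"alice": 0.6, "bob": 0.4}},
    {"dev": "pc3", "t": 900, "op": "copy_usb", "users": {"carol": 1.0}},
]

# Assumed correlation rule form: ordered operations, time window (minutes), base importance.
RULE = {"ops": ["read_secret", "copy_usb"], "window": 120, "importance": 0.5}

def correlate(logs, rule):
    """Scenario candidates: one log per rule operation, in time order, inside the window."""
    groups = [[lg for lg in logs if lg["op"] == op] for op in rule["ops"]]
    cands = []
    for chain in product(*groups):
        ts = [lg["t"] for lg in chain]
        if ts == sorted(ts) and ts[-1] - ts[0] <= rule["window"]:
            cands.append({"logs": list(chain), "importance": rule["importance"]})
    return cands

def operation_association(a, b, window):
    """Operation association degree: decays with the time gap, boosted on the same device."""
    score = max(0.0, 1.0 - abs(a["t"] - b["t"]) / window)
    return min(1.0, score + (0.2 if a["dev"] == b["dev"] else 0.0))

def reevaluate(cand, rule):
    """Recalculate the candidate's importance degree separately for each possible user."""
    logs = cand["logs"]
    op_assoc = 1.0
    for a, b in zip(logs, logs[1:]):
        op_assoc *= operation_association(a, b, rule["window"])
    per_user = {}
    for u in set().union(*(lg["users"] for lg in logs)):
        user_assoc = 1.0
        for lg in logs:
            user_assoc *= lg["users"].get(u, 0.0)  # 0: this user could not have done the op
        per_user[u] = round(cand["importance"] * user_assoc * op_assoc, 4)
    return per_user

def rank(logs, rule, threshold=0.1):
    """Result display step: keep (user, operation chain, importance) above the threshold."""
    out = []
    for c in correlate(logs, rule):
        for u, imp in reevaluate(c, rule).items():
            if imp >= threshold:
                out.append((u, [lg["op"] for lg in c["logs"]], imp))
    return sorted(out, key=lambda r: -r[2])
```

Bob shares the copy operation with Alice but cannot have done the read on pc1, so his importance degree drops to zero and only Alice's scenario survives the threshold; the late copy on pc3 never forms a candidate because it falls outside the rule's window.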
Specification