ATTACK ANALYSIS SYSTEM, COOPERATION APPARATUS, ATTACK ANALYSIS COOPERATION METHOD, AND PROGRAM
Abstract
A log analysis cooperation system includes a logger that collects the log of a communication device and stores it in a storage device, a SIEM apparatus that detects an attack, and a log analysis apparatus that analyzes the log collected by the logger. Within this system, a log analysis cooperation apparatus stores an attack scenario in a storage device, receives from the SIEM apparatus warning information that includes information on the detected attack, computes, from the warning information and the attack scenario, a predicted occurrence time of an attack expected to follow the detected attack, and transmits to the log analysis apparatus a scheduled search that searches the log at the computed predicted occurrence time. The log analysis apparatus in turn transmits a scheduled search to the logger to search the log at that predicted occurrence time.
20 Citations
33 Claims
1-16. (canceled)
17. An attack analysis system comprising:
a log collection apparatus that collects log information of a device connected to a network to be monitored; a detection apparatus that detects an attack on the network to be monitored and transmits warning information including an attack occurrence time at which the detected attack has occurred; a cooperation apparatus that stores attack scenario information indicating a plurality of attacks predicted to occur on the network to be monitored, computes a predicted occurrence time of an attack predicted to occur at a time before or after the attack occurrence time based on the warning information received from the detection apparatus and the attack scenario information, and transmits a scheduled analysis request that is a request for analyzing the log information at the predicted occurrence time computed; and an analysis apparatus that analyzes the log information at the predicted occurrence time out of the log information collected by the log collection apparatus, based on the scheduled analysis request transmitted from the cooperation apparatus.

(Dependent claims 18 to 30 depend from claim 17.)
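The mechanism the abstract and claim 17 describe, as an added example that is not the patent's own code or the applicant's implementation: the cooperation apparatus anchors a stored attack scenario on the stage the SIEM reported, derives the predicted time of every other stage (earlier or later), and emits one scheduled analysis request per stage, each carrying the log source to search and a time window; the analysis side then runs that search over the collected log. The scenario stages, their timings, the alert shape, the log line format and the sample log entries are all constructed for illustration and are not taken from the patent.

```python
"""Added example, not from the patent: a minimal cooperation apparatus that turns one
SIEM warning into scheduled log searches at predicted attack times (claim 17)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ScenarioStep:
    name: str            # attack stage label (hypothetical)
    offset: timedelta    # expected delay from the scenario's first stage (hypothetical)
    log_source: str      # which collected log to search for this stage


@dataclass(frozen=True)
class Warning:           # "warning information" sent by the detection apparatus (SIEM)
    scenario: str        # the stored scenario the SIEM rule maps onto
    attack: str          # the detected stage
    occurrence_time: datetime


@dataclass(frozen=True)
class ScheduledAnalysisRequest:
    attack: str
    log_source: str
    predicted_time: datetime
    window_start: datetime
    window_end: datetime
    immediate: bool      # window already in the past: analyze now instead of scheduling


@dataclass(frozen=True)
class LogEntry:
    time: datetime
    source: str
    message: str


# Constructed attack scenario store (stages and timings are invented for the example).
SCENARIOS: Dict[str, List[ScenarioStep]] = {
    "web-intrusion": [
        ScenarioStep("port_scan", timedelta(0), "firewall"),
        ScenarioStep("exploit", timedelta(minutes=10), "web_proxy"),
        ScenarioStep("c2_beacon", timedelta(minutes=40), "dns"),
    ],
}

# Constructed log lines in a hypothetical "<ISO-8601 time> <source> <message>" format.
SAMPLE_LOG = [
    "2024-01-01T11:30:00Z firewall DENY tcp 203.0.113.9 -> 10.0.0.5:3389",
    "2024-01-01T11:58:30Z firewall DENY tcp 198.51.100.7 -> 10.0.0.5:22",
    "2024-01-01T11:59:02Z firewall DENY tcp 198.51.100.7 -> 10.0.0.5:445",
    "2024-01-01T12:10:11Z web_proxy POST /upload.php from 198.51.100.7",
    "2024-01-01T12:30:00Z dns query update.example A from 10.0.0.5",
    "2024-01-01T12:40:55Z dns query evil.example A from 10.0.0.5",
]


def compute_requests(warning: Warning, scenarios=SCENARIOS, now: Optional[datetime] = None,
                     tolerance: timedelta = timedelta(minutes=5)) -> List[ScheduledAnalysisRequest]:
    """Cooperation apparatus: anchor the scenario on the detected stage and emit one
    scheduled analysis request for every other stage, whether before or after it."""
    now = now or datetime.now(timezone.utc)
    if warning.scenario not in scenarios:
        raise ValueError(f"unknown scenario {warning.scenario!r}")
    by_name = {s.name: s for s in scenarios[warning.scenario]}
    if warning.attack not in by_name:
        raise ValueError(f"stage {warning.attack!r} not in scenario {warning.scenario!r}")
    # The detected stage's actual time minus its offset dates the start of the whole scenario.
    start = warning.occurrence_time - by_name[warning.attack].offset
    requests = []
    for step in scenarios[warning.scenario]:
        if step.name == warning.attack:
            continue                      # already detected; nothing to predict
        t = start + step.offset
        requests.append(ScheduledAnalysisRequest(
            attack=step.name, log_source=step.log_source, predicted_time=t,
            window_start=t - tolerance, window_end=t + tolerance,
            immediate=(t + tolerance) <= now))
    return requests


def parse_log_line(line: str) -> LogEntry:
    ts, source, message = line.split(" ", 2)
    return LogEntry(datetime.fromisoformat(ts.replace("Z", "+00:00")), source, message)


def search_log(entries: List[LogEntry], request: ScheduledAnalysisRequest) -> List[LogEntry]:
    """Analysis apparatus / logger: the scheduled search over the collected log."""
    return [e for e in entries
            if e.source == request.log_source and request.window_start <= e.time <= request.window_end]


def demo() -> Dict[str, dict]:
    """SIEM reports the 'exploit' stage at 12:10; the clock is at 12:20 when the warning arrives."""
    now = datetime(2024, 1, 1, 12, 20, tzinfo=timezone.utc)
    warning = Warning("web-intrusion", "exploit", datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc))
    entries = [parse_log_line(l) for l in SAMPLE_LOG]
    return {r.attack: {"predicted": r.predicted_time.isoformat(), "immediate": r.immediate,
                       "hits": [e.message for e in search_log(entries, r)]}
            for r in compute_requests(warning, now=now)}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Running the block predicts the earlier port_scan stage at 12:00 (its window is already past, so it is analyzed immediately and picks out the two scan denials from the firewall log) and the later c2_beacon stage at 12:40 (in the future, so it would be held as a scheduled search; in the demo the constructed log already contains the matching DNS query). The tolerance window is the practical caveat: real stage timings drift, so the request should carry a window, not a single instant.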
31. A cooperation apparatus included in an attack analysis system including a log collection apparatus that collects log information of a device connected to a network to be monitored, a detection apparatus that detects an attack on the network to be monitored and transmits warning information including an attack occurrence time at which the detected attack has occurred, and an analysis apparatus that analyzes the log information collected by the log collection apparatus,
wherein the cooperation apparatus stores attack scenario information indicating a plurality of attacks predicted to occur on the network to be monitored, computes a predicted occurrence time of an attack predicted to occur at a time before or after the attack occurrence time based on the warning information received from the detection apparatus and the attack scenario information, and transmits a scheduled analysis request that is a request for analyzing the log information at the predicted occurrence time computed.
32. An attack analysis cooperation method in an attack analysis system including a log collection apparatus that collects log information of a device connected to a network to be monitored, a detection apparatus that detects an attack on the network to be monitored and transmits warning information including an attack occurrence time at which the detected attack has occurred, an analysis apparatus that analyzes the log information collected by the log collection apparatus, and a cooperation apparatus that stores attack scenario information indicating a plurality of attacks predicted to occur on the network to be monitored, the method comprising:

by the cooperation apparatus, computing a predicted occurrence time of an attack predicted to occur before or after the attack occurrence time, based on the warning information received from the detection apparatus and the attack scenario information, and transmitting a scheduled analysis request that is a request for analyzing the log information at the predicted occurrence time computed; and by the analysis apparatus, analyzing the log information at the predicted occurrence time out of the log information collected by the log collection apparatus, based on the scheduled analysis request transmitted from the cooperation apparatus.
33. A program for a cooperation apparatus included in an attack analysis system including a log collection apparatus that collects log information of a device connected to a network to be monitored, a detection apparatus that detects an attack on the network to be monitored and transmits warning information including an attack occurrence time at which the detected attack has occurred, and an analysis apparatus that analyzes the log information collected by the log collection apparatus, the cooperation apparatus being a computer, and the program causing the cooperation apparatus to execute:
a scheduled analysis request process of storing attack scenario information indicating a plurality of attacks predicted to occur on the network to be monitored, computing a predicted occurrence time of an attack predicted to occur before or after the attack occurrence time based on the warning information received from the detection apparatus and the attack scenario information, and transmitting to the analysis apparatus a scheduled analysis request that is a request for analyzing the log information at the predicted occurrence time computed.
Specification