INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND PROGRAM

US 20160239661A1
Filed: 10/24/2013
Published: 08/18/2016
Est. Priority Date: 10/24/2013
Status: Active Application

First Claim

Patent Images

1. An information processing apparatus comprising:

processing circuitryto store, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed;

to receive observed event notice information notifying an observed event which is observed by the information system; and

to search for event stage information describing the observed event notified by the observed event notice information, to acquire a post-event stage of the observed event from the event stage information searched for, to search for event stage information describing a pre-event stage corresponding to the acquired post-event stage of the observed event, and to extract an event predicted to be observed by the information system, based on the event stage information searched for, as an observation predicted event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attack activity definition information database 111 stores, for a plurality of events, attack activity definition information describing an event, a precondition, and an achieved phenomenon. The event is observed by an information system when an attack against the information system is underway. The precondition is a prerequisite condition for the event to be observed. The achieved phenomenon is a phenomenon of the time after the event is observed. An event receiving part 108 receives observed event notice information notifying an observed event which is observed by the information system. An attack activity predicting part 105 acquires an achieved phenomenon from the attack activity definition information describing the observed event notified by the observed event notice information, and extracts an event that is predicted to be observed by the information system, based on the attack activity definition information describing a precondition corresponding to the acquired achieved phenomenon of the observed event.

15 Citations

View as Search Results

18 Claims

1. An information processing apparatus comprising:
- processing circuitryto store, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed;
  
  to receive observed event notice information notifying an observed event which is observed by the information system; and
  
  to search for event stage information describing the observed event notified by the observed event notice information, to acquire a post-event stage of the observed event from the event stage information searched for, to search for event stage information describing a pre-event stage corresponding to the acquired post-event stage of the observed event, and to extract an event predicted to be observed by the information system, based on the event stage information searched for, as an observation predicted event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The information processing apparatus according to claim 1,wherein the processing circuitry furthereach time observed event notice information is received and a post-event stage of an observed event is acquired, stores the acquired post-event stage,stores event stage information describing at least one pre-event stage, andcompares a pre-event stage described in event stage information searched for based on the post-event stage of the observed event with the post-event stage stored, and if a post-event stage which corresponds to all pre-event stage described in the event stage information searched for is stored, extracts an event described in the event stage information searched for, as the observation predicted event.
  - 3. The information processing apparatus according to claim 2,wherein the processing circuitry,as a result of comparing the pre-event stage described in the event stage information searched for based on the post-event stage of the observed event with the post-event stage stored, if for at least one pre-event stage described in the event stage information searched for, a corresponding post-event stage is not stored,searches for event stage information describing a post-event stage corresponding to a pre-event stage whose corresponding post-event stage is not stored,compares a pre-event stage described in the event stage information searched for with the post-event stage stored,if a post-event stage which corresponds to all pre-event stage described in the event stage information searched for is stored, extracts an event described in the event stage information searched for, as the observation predicted event, andif for at least one pre-event stage described in the event stage information searched for, a corresponding post-event stage is not stored, searches for event stage information describing a post-event stage corresponding to a pre-event stage whose corresponding post-event stage is not stored.
  - 4. The information processing apparatus according to claim 1,wherein the processing circuitrystores event stage information describing an attack likelihood value indicating a likelihood of an attack against the information system of when an event is observed,wherein the processing circuitry further,each time an observation predicted event is extracted, relates an accumulated value of an attack likelihood value being accumulated each time an observation predicted event extracted prior to the observation predicted event extracted is observed by the information system, to event stage information describing the observation predicted event extracted, andsearches for event stage information describing the observed event notified by the observed event notice information received, and if an accumulated value of an attack likelihood value is related to the event stage information searched for,updates the accumulated value of the attack likelihood value by accumulating an attack likelihood value described in the event stage information searched for to the accumulated value of the attack likelihood value related to the event stage information searched for, andif the updated accumulated value of the attack likelihood value exceeds an attack determination threshold, determines that an attack against the information system is underway.
  - 5. The information processing apparatus according to claim 4,wherein the processing circuitry, when a new observation predicted event is extracted based on the observed event, relates the updated accumulated value of the attack likelihood value to event stage information describing the new observation predicted event.
  - 6. The information processing apparatus according to claim 4,wherein the processing circuitry, when it is determined that the attack against the information system is underway, outputs a notice message notifying that the attack against the information system is underway.
  - 7. The information processing apparatus according to claim 4,wherein the processing circuitryreceives observed event notice information notifying a type of an observed event and a variable value specifying the observed event,each time observed event notice information is received and the observation predicted event is extracted,relates an accumulated value of an attack likelihood value being accumulated each time an observation predicted event extracted prior to the observation predicted event extracted is observed by the information system, and the variable value notified by the observed event notice information used for extracting the observation predicted event extracted, to the event stage information describing the observation predicted event extracted,searches for event stage information describing an event corresponding to the type of the observed event notified by the observed event notice information received, and compares a variable value related to the event stage information searched for with the variable value notified by the observed event notice information, andif the variable value related to the event stage information searched for is identical to the variable value notified by the observed event notice information, updates the accumulated value of the attack likelihood value by accumulating an attack likelihood value described in the event stage information searched for to the accumulated value of the attack likelihood value related to the event stage information searched for.
  - 8. The information processing apparatus according to claim 4,wherein the processing circuitrystores event stage information describing a monitoring operation start threshold to cause a device included in the information system to start a predetermined monitoring operation, andif the updated accumulated value of the attack likelihood value exceeds the monitoring operation start threshold, causes the device included in the information system to start the monitoring operation.
  - 9. The information processing apparatus according to claim 2,wherein the processing circuitry compares the pre-event stage described in the event stage information searched for with the post-event stage stored, with referring to inference rule information that describes an inference logic.
  - 10. The information processing apparatus according to claim 2,wherein the processing circuitry compares the pre-event stage described in the event stage information searched for with the post-event stage stored, with referring to configuration information that describes a configuration of the information system.
  - 11. The information processing apparatus according to claim 1, wherein the processing circuitry stores event stage information that describes at least either one of the pre-event stage and the post-event stage using a predicate logic.
  - 12. The information processing apparatus according to claim 1,wherein the processing circuitrystores event stage information describing a process practice identifier being an identifier indicating that a process of extracting the observation predicted event is practiced even if a pre-event stage is unsatisfied for any one event,searches for event stage information describing the observed event notified by the observed event notice information received,when the event stage information searched for describes a process practice identifier, even if a pre-event stage described in the event stage information searched for is unsatisfied, acquires a post-event stage of the observed event from the event information searched for, searches for event stage information describing a pre-event stage corresponding to the acquired post-event stage of the observed event, and extracts the observation predicted event based on the event stage information searched for, andwhen the event stage information searched for does not describe a process practice identifier, if a pre-event stage described in the event stage information searched for is unsatisfied, does not practice the process of extracting an observation predicted event.
  - 13. The information processing apparatus according to claim 1,wherein the information system accumulates event derivation information capable of deriving an event, including an event in the information system which is not notified by the observed event notice information, andwherein the processing circuitrysearches for event stage information describing the observed event notified by the observed event notice information received,determines whether or not a pre-event stage described in the event stage information searched for is satisfied based on the event derivation information accumulated in the information system, andif the pre-event stage is satisfied, acquires the post-event stage of the observed event from the event stage information searched for, searches for event stage information describing a pre-event stage corresponding to the acquired post-event stage of the observed event, and extracts the observation predicted event based on the event stage information searched for.
  - 14. The information processing apparatus according to claim 13,wherein the processing circuitrystores event stage information describing an attack likelihood value indicating a likelihood of an attack against the information system of when an event is observed, andas a result of determining whether or not the pre-event stage described in the event stage information searched for is satisfied based on the event derivation information accumulated in the information system, if the pre-event stage is satisfied,analyzes the event derivation information accumulated in the information system and selects at least one event stage information from among a plurality of pieces of event stage information stored, and accumulates an attack likelihood value described in the selected event stage information and an attack likelihood value described in the event stage information searched for, to obtain an accumulated value of an attack likelihood value.
  - 15. The information processing apparatus according to claim 4, wherein the processing circuitry furtherdetermines the attack likelihood value described in the event stage information based on a reception frequency of how often the observed event notice information is received.
  - 16. The information processing apparatus according to claim 10, wherein the processing circuitry furthercollects the configuration information from the information system.

17. An information processing method performed by a computer that stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed, the information processing method comprising:
- receiving observed event notice information notifying an observed event which is observed by the information system; and
  
  searching for event stage information describing the observed event notified by the observed event notice information, acquiring a post-event stage of the observed event from the event stage information searched for, searching for event stage information describing a pre-event stage corresponding to the acquired post-event stage of the observed event, and extracting an event predicted to be observed by the information system, based on the event stage information searched for, as an observation predicted event.

18. A program to cause a computer that stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack before the event is observed, the post-event stage being a stage of a progress of an attack after the event is observed, to execute:
- receiving observed event notice information notifying an observed event which is observed by the information system; and
  
  searching for event stage information describing the observed event notified by the observed event notice information, acquiring a post-event stage of the observed event from the event stage information searched for, searching for event stage information describing a pre-event stage corresponding to the acquired post-event stage of the observed event, and extracting an event predicted to be observed by the information system, based on the event stage information searched for, as an observation predicted event.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitsubishi Electric Corporation
Original Assignee
Mitsubishi Electric Corporation
Inventors
KAWAUCHI, Kiyoto

Granted Patent

US 10,282,542 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND PROGRAM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND PROGRAM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others