INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE MEDIUM
Abstract
A candidate event derivation unit (101) derives, as a candidate event, an event predicted to occur in an information system (200) including a plurality of system components (300), the event being a candidate for a monitoring target. An attribute identification unit (102) derives, as a candidate system component, a system component (300) involved in occurrence of the candidate event from among the plurality of system components (300), and identifies an attribute of the candidate system component. A monitoring target decision unit (103) analyzes the attribute of the candidate system component identified by the attribute identification unit (102), and decides whether or not the candidate event is to be the monitoring target.
28 Claims
1.-14. (canceled)

15. An information processing apparatus comprising:
processing circuitry to:
derive, as a candidate event, an event predicted to occur in an information system including a plurality of system components, the event being a candidate for a monitoring target;
derive, as a candidate system component, a system component involved in occurrence of the candidate event from among the plurality of system components, and identify an attribute of the candidate system component; and
acquire an exclusion rule in which a condition for an event which is to be excluded from the monitoring target is defined using an attribute of the system component, and decide whether or not the candidate event is to be the monitoring target by comparing the attribute of the candidate system component identified by the processing circuitry with the attribute of the system component defined in the exclusion rule.
Dependent claims: 16, 17, 18, 19, 20, 21

22. An information processing apparatus comprising:
processing circuitry to derive, as a candidate event, an event predicted to occur in an information system when the information system is attacked, and derive a candidate progress state being a progress state of the attack on the information system when the candidate event occurs; and
a memory to store candidate event definition information in which contents of the candidate event are indicated and candidate progress state information in which the candidate progress state is indicated;
wherein the processing circuitry detects the progress state of the attack on the information system and determines, when determination timing arrives, whether or not the candidate progress state indicated in the candidate progress state information coincides with a detected progress state which has been detected until the determination timing, and when the candidate progress state coincides with the detected progress state, deletes the candidate event definition information and the candidate progress state information from the memory.
Dependent claims: 23, 24

25. An information processing method comprising:
deriving, as a candidate event, an event predicted to occur in an information system including a plurality of system components, the event being a candidate for a monitoring target;
deriving, as a candidate system component, a system component involved in occurrence of the candidate event from among the plurality of system components, and identifying an attribute of the candidate system component; and
acquiring an exclusion rule in which a condition for an event which is to be excluded from the monitoring target is defined using an attribute of the system component, and deciding whether or not the candidate event is to be the monitoring target by comparing the identified attribute of the candidate system component with the attribute of the system component defined in the exclusion rule.

26. An information processing method comprising:
deriving, as a candidate event, an event predicted to occur in an information system when the information system is attacked, and deriving a candidate progress state being a progress state of the attack on the information system when the candidate event occurs;
storing to a storage apparatus, candidate event definition information in which contents of the candidate event are indicated and candidate progress state information in which the candidate progress state is indicated;
detecting the progress state of the attack on the information system; and
determining, when determination timing arrives, whether or not the candidate progress state indicated in the candidate progress state information coincides with a detected progress state which has been detected until the determination timing, and when the candidate progress state coincides with the detected progress state, deleting the candidate event definition information and the candidate progress state information from the storage apparatus.

27. A non-transitory computer readable medium storing a program to cause a computer to execute:
candidate event deriving processing to derive, as a candidate event, an event predicted to occur in an information system including a plurality of system components, the event being a candidate for a monitoring target;
attribute identification processing to derive, as a candidate system component, a system component involved in occurrence of the candidate event from among the plurality of system components, and identify an attribute of the candidate system component; and
monitoring target decision processing to acquire an exclusion rule in which a condition for an event which is to be excluded from the monitoring target is defined using an attribute of the system component, and decide whether or not the candidate event is to be the monitoring target by comparing the attribute of the candidate system component identified by the attribute identification processing with the attribute of the system component defined in the exclusion rule.

28. A non-transitory computer readable medium storing a program to cause a computer to execute:
candidate event deriving processing to derive, as a candidate event, an event predicted to occur in an information system when the information system is attacked, and derive a candidate progress state being a progress state of the attack on the information system when the candidate event occurs;
information storage processing to store to a storage apparatus candidate event definition information in which contents of the candidate event are indicated and candidate progress state information in which the candidate progress state is indicated;
progress state detection processing to detect the progress state of the attack on the information system; and
information management processing to determine, when determination timing arrives, whether or not the candidate progress state indicated in the candidate progress state information coincides with a detected progress state which has been detected until the determination timing by the progress state detection processing, and when the candidate progress state coincides with the detected progress state, delete the candidate event definition information and the candidate progress state information from the storage apparatus.

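The two mechanisms recited in the independent claims, sketched as an added Python example that is not taken from the patent: attribute-based exclusion of candidate events (claims 15, 25, 27) and deletion of stored candidates whose candidate progress state has already been detected (claims 22, 26, 28). The attribute names, the rule format, the progress-state labels, the reading of "coincides" as an exact label match, and the chaining of the two mechanisms in demo() are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CandidateEvent:
    event_id: str
    components: tuple      # names of system components involved in the event
    progress_state: str    # candidate progress state of the attack (assumed label)

def is_excluded(event, inventory, exclusion_rules):
    """True if an involved component matches every attribute of some exclusion rule."""
    for name in event.components:
        attrs = inventory[name]
        if any(all(attrs.get(k) == v for k, v in rule.items())
               for rule in exclusion_rules):
            return True
    return False

def decide_monitoring_targets(candidates, inventory, exclusion_rules):
    return [e for e in candidates if not is_excluded(e, inventory, exclusion_rules)]

class CandidateStore:
    """Holds candidate event definitions together with their candidate progress states."""
    def __init__(self, events):
        self._events = {e.event_id: e for e in events}

    def prune(self, detected_states):
        """At determination timing, delete entries whose candidate progress state
        coincides with a state detected so far (assumed: exact label match)."""
        removed = sorted(i for i, e in self._events.items()
                         if e.progress_state in detected_states)
        for i in removed:
            del self._events[i]
        return removed

    def ids(self):
        return sorted(self._events)

# Constructed sample data: component attributes, one exclusion rule, three candidates.
INVENTORY = {
    "web01":   {"zone": "dmz", "log_collection": True},
    "hist-db": {"zone": "control", "log_collection": False},
    "eng-ws":  {"zone": "office", "log_collection": True},
}
EXCLUSION_RULES = [{"log_collection": False}]   # assumed rule: unobservable component
CANDIDATES = [
    CandidateEvent("E1", ("web01",), "initial_access"),
    CandidateEvent("E2", ("hist-db",), "collection"),
    CandidateEvent("E3", ("web01", "eng-ws"), "lateral_movement"),
]

def demo():
    targets = decide_monitoring_targets(CANDIDATES, INVENTORY, EXCLUSION_RULES)
    store = CandidateStore(targets)
    removed = store.prune(detected_states={"initial_access"})
    return [e.event_id for e in targets], removed, store.ids()
```
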
Specification