Attack analysis system, cooperation apparatus, attack analysis cooperation method, and program
Abstract
In a log analysis cooperation system including a logger that collects a log of a communication device and stores the log in a storage device, a SIEM apparatus that detects an attack, and a log analysis apparatus that analyzes the log collected by the logger, a log analysis cooperation apparatus stores an attack scenario in a storage device, receives from the SIEM apparatus warning information including information on the detected attack, computes a predicted occurrence time of an attack predicted to occur subsequent to the detected attack based on the warning information and the attack scenario, and transmits to the log analysis apparatus a scheduled search to search the log at the predicted occurrence time computed. The log analysis apparatus in turn transmits a scheduled search to the logger to search the log at the predicted occurrence time.
16 Claims
1. An attack analysis system including a log collection apparatus that includes log collection circuitry and that collects a log of at least one device connected to a network being monitored and stores the log in a storage device as log information, a detection apparatus that includes detection circuitry and that detects an attack on the network being monitored, and an analysis apparatus that includes analysis circuitry and that analyzes the log information collected by the log collection apparatus, the attack analysis system comprising:
a cooperation apparatus that includes cooperation circuitry and that is connected to the detection apparatus and connected to the analysis apparatus, wherein
upon detection of the attack on the network being monitored, the detection apparatus transmits to the cooperation apparatus warning information including an attack identifier for identifying the detected attack and an attack occurrence time at which the detected attack has occurred,
the cooperation apparatus includes
an attack scenario information storage unit, implemented by the cooperation circuitry, that stores attack scenario information in a storage device in advance, the attack scenario information including a plurality of attack identifiers for identifying a respective plurality of attacks predicted to occur on the network being monitored,
a scheduled analysis request unit, implemented by the cooperation circuitry, that when the warning information is received from the detection apparatus, computes a predicted occurrence time of a subsequent attack that has not yet occurred and is predicted to occur at a time after the attack occurrence time at which the detected attack has occurred, based on the warning information received and the attack scenario information stored by the attack scenario information storage unit, and transmits to the analysis apparatus a scheduled analysis request that is a request for analyzing the log information at the predicted occurrence time computed, the subsequent attack being one of the plurality of attacks included in the attack scenario information and being predicted to occur at the time after the attack occurrence time, and
the analysis apparatus analyzes the log information at the predicted occurrence time, based on the scheduled analysis request transmitted from the scheduled analysis request unit of the cooperation apparatus.

(Dependent claims 2 to 13 are not reproduced here.)
14. A cooperation apparatus included in an attack analysis system including a log collection apparatus that collects a log of at least one device connected to a network being monitored and stores the log in a storage device as log information, a detection apparatus that detects an attack on the network being monitored, and an analysis apparatus that analyzes the log information collected by the log collection apparatus, the cooperation apparatus being connected to the detection apparatus and connected to the analysis apparatus, the cooperation apparatus comprising:
circuitry configured to
upon detection of the attack on the network being monitored, receive from the detection apparatus warning information including an attack identifier for identifying the detected attack and an attack occurrence time at which the detected attack has occurred,
store attack scenario information in a storage device in advance, the attack scenario information including a plurality of attack identifiers for identifying a respective plurality of attacks predicted to occur on the network being monitored,
when the warning information is received from the detection apparatus, compute a predicted occurrence time of a subsequent attack that has not yet occurred and is predicted to occur at a time after the attack occurrence time at which the detected attack has occurred, based on the warning information received and the attack scenario information stored at the storage device, the subsequent attack being one of the plurality of attacks included in the attack scenario information and being predicted to occur at the time after the attack occurrence time, and
transmit to the analysis apparatus a scheduled analysis request that is a request for analyzing the log information at the predicted occurrence time computed.
15. An attack analysis cooperation method associated with an attack analysis system including a log collection apparatus that collects a log of at least one device connected to a network being monitored and stores the log in a storage device as log information, a detection apparatus that detects an attack on the network being monitored, and an analysis apparatus that analyzes the log information collected by the log collection apparatus, and a cooperation apparatus that is connected to the detection apparatus and connected to the analysis apparatus, the method comprising:
by the detection apparatus, upon detection of the attack on the network being monitored, transmitting to the cooperation apparatus warning information including an attack identifier for identifying the detected attack and an attack occurrence time at which the detected attack has occurred;
by the cooperation apparatus, storing attack scenario information in a storage device in advance, the attack scenario information including a plurality of attack identifiers for identifying a respective plurality of attacks predicted to occur on the network being monitored;
by the cooperation apparatus, when the warning information is received from the detection apparatus, computing a predicted occurrence time of a subsequent attack that has not yet occurred and is predicted to occur after the attack occurrence time at which the detected attack has occurred, based on the warning information received and the attack scenario information stored at the storage device, and transmitting to the analysis apparatus a scheduled analysis request that is a request for analyzing the log information at the predicted occurrence time computed, the subsequent attack being one of the plurality of attacks included in the attack scenario information and being predicted to occur at the time after the attack occurrence time; and
by the analysis apparatus, analyzing the log information at the predicted occurrence time, based on the scheduled analysis request transmitted from the cooperation apparatus.
16. A non-transitory computer-readable storage medium including computer executable instructions, wherein the instructions, when executed by a cooperation apparatus included in an attack analysis system including a log collection apparatus that collects a log of at least one device connected to a network being monitored and stores the log in a storage device as log information, a detection apparatus that detects an attack on the network being monitored, and an analysis apparatus that analyzes the log information collected by the log collection apparatus, the cooperation apparatus being a computer connected to the detection apparatus and connected to the analysis apparatus, cause the cooperation apparatus to perform a method, the method comprising:
upon detection of the attack on the network being monitored, receiving from the detection apparatus warning information including an attack identifier for identifying the detected attack and an attack occurrence time at which the detected attack has occurred;
storing attack scenario information in a storage device in advance, the attack scenario information including a plurality of attack identifiers for identifying a respective plurality of attacks predicted to occur on the network being monitored;
when the warning information is received from the detection apparatus, computing a predicted occurrence time of a subsequent attack that has not yet occurred and is predicted to occur after the attack occurrence time at which the detected attack has occurred, based on the warning information received and the attack scenario information stored at the storage device, the subsequent attack being one of the plurality of attacks included in the attack scenario information and being predicted to occur at the time after the attack occurrence time; and
transmitting to the analysis apparatus a scheduled analysis request that is a request for analyzing the log information at the predicted occurrence time computed.
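The abstract and independent claims 1, 14 and 15 describe one control flow: the detection apparatus (SIEM) reports an attack identifier and occurrence time, the cooperation apparatus matches that identifier against a pre-stored attack scenario, predicts when the next step of the scenario is due, and hands the analysis apparatus a scheduled request so that the log is searched around the predicted time rather than only at alert time. The following Python model is an added example written for this page; it is not code from the patent or its assignee. The claims say only that a scenario holds a sequence of attack identifiers, so the per-step time offset, the per-step log search pattern, the 10-minute search window, and the syslog-style sample lines are all assumptions introduced here for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import heapq
import re

@dataclass(frozen=True)
class ScenarioStep:
    attack_id: str      # identifier the detection apparatus reports
    offset: timedelta   # expected delay after the previous step (assumed field)
    log_pattern: str    # regex the analysis apparatus searches for (assumed field)

# Constructed scenario table; identifiers, timings and patterns are illustrative.
SCENARIOS = {
    "credential-theft": [
        ScenarioStep("port-scan", timedelta(0), r"portscan"),
        ScenarioStep("ssh-brute", timedelta(minutes=30), r"Failed password for"),
        ScenarioStep("priv-esc", timedelta(hours=1), r"sudo: .* COMMAND="),
    ],
}

@dataclass(order=True)
class ScheduledAnalysis:          # ordered by run_at so it can sit in a min-heap
    run_at: datetime
    attack_id: str = field(compare=False)
    pattern: str = field(compare=False)
    scenario: str = field(compare=False)

@dataclass(frozen=True)
class WarningInfo:                # warning information from the detection apparatus
    attack_id: str
    occurred_at: datetime

class LogCollector:               # log collection apparatus: (timestamp, message) records
    def __init__(self, records):
        self.records = sorted(records)

    def search(self, pattern, start, end):
        rx = re.compile(pattern)
        return [(ts, msg) for ts, msg in self.records
                if start <= ts <= end and rx.search(msg)]

class AnalysisApparatus:          # queues scheduled requests, runs the ones that are due
    def __init__(self, collector, window=timedelta(minutes=10)):
        self.collector = collector
        self.window = window      # tolerance around the predicted time (assumed)
        self.queue = []

    def schedule(self, req):
        heapq.heappush(self.queue, req)

    def run_due(self, now):
        """Run every request whose predicted time has arrived or already passed
        (e.g. the warning itself came late); return (request, hits) pairs."""
        done = []
        while self.queue and self.queue[0].run_at <= now:
            req = heapq.heappop(self.queue)
            hits = self.collector.search(req.pattern, req.run_at - self.window,
                                         req.run_at + self.window)
            done.append((req, hits))
        return done

class CooperationApparatus:
    def __init__(self, scenarios, analysis):
        self.scenarios, self.analysis = scenarios, analysis

    def on_warning(self, warning):
        """For every scenario in which the reported attack is not the last step,
        predict the next step's time and schedule its analysis."""
        issued = []
        for name, steps in self.scenarios.items():
            for i, step in enumerate(steps[:-1]):
                if step.attack_id != warning.attack_id:
                    continue
                nxt = steps[i + 1]
                req = ScheduledAnalysis(warning.occurred_at + nxt.offset,
                                        nxt.attack_id, nxt.log_pattern, name)
                self.analysis.schedule(req)
                issued.append(req)
        return issued

def parse_log(lines):
    """Constructed 'ISO-timestamp host message' lines -> (datetime, message)."""
    return [(datetime.fromisoformat(ts), msg)
            for ts, _, msg in (ln.partition(" ") for ln in lines)]

SAMPLE_LOG = parse_log([  # constructed sample log, not real data
    "2024-03-01T10:02:11 fw01 portscan from 203.0.113.7",
    "2024-03-01T10:29:40 srv01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:31:05 srv01 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T11:35:00 srv01 sudo: alice : COMMAND=/bin/bash",
])

def demo():
    """Drive one scenario; returns requests issued and hits at each clock tick."""
    analysis = AnalysisApparatus(LogCollector(SAMPLE_LOG))
    coop = CooperationApparatus(SCENARIOS, analysis)
    first = coop.on_warning(WarningInfo("port-scan", datetime(2024, 3, 1, 10, 2, 11)))
    early = analysis.run_due(datetime(2024, 3, 1, 10, 20))   # nothing due yet
    due = analysis.run_due(datetime(2024, 3, 1, 10, 45))     # ssh-brute search runs
    second = coop.on_warning(WarningInfo("ssh-brute", datetime(2024, 3, 1, 10, 29, 40)))
    later = analysis.run_due(datetime(2024, 3, 1, 12, 0))    # priv-esc search runs
    return first, early, due, second, later
```

Two practitioner points the model makes visible. First, the predicted time is derived from the attack occurrence time in the warning, not from the time the warning arrived, so a delayed alert produces a request whose run time may already be in the past; run_due treats such a request as immediately due and still searches the window around the predicted time, which is what the claims' "analyzing the log information at the predicted occurrence time" requires. Second, a scenario's last step schedules nothing, since there is no subsequent attack to predict, so an identifier that only appears as a final step produces an empty request list rather than an error.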