Attack detection device, attack detection method, and non-transitory computer readable recording medium recorded with attack detection program
First Claim
1. An attack detection device comprising:
- an event stage information memory which stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack which is made before the event is observed, the post-event stage being a stage of a progress of an attack which is made after the event is observed;
an observed event notice information receiver which receives observed event notice information notifying an observed event observed by the information system; and
an event sequence creator which searches for event stage information describing the observed event notified by the observed event notice information, from the event stage information memory, searches for event stage information describing a post-event stage coinciding with a pre-event stage of the event stage information searched for or a pre-event stage coinciding with a post-event stage of the event stage information searched for, from the event stage information memory, and if an event of the event stage information searched for is an observation non-available event that cannot be observed, creates an event sequence by treating the observation non-available event as having been observed and connecting the observed event and the observation non-available event to each other with a dependency.
1 Assignment
0 Petitions
Accused Products
Abstract
For a plurality of events, event stage information is stored which describes an event observed by an information system when an attack against the information system is underway, a pre-event stage, and a post-event stage. Observed event notice information is received which notifies an observed event observed by the information system. Event stage information is searched for which describes the observed event notified by the observed event notice information. Event stage information is searched for which describes a post-event stage coinciding with a pre-event stage of the event stage information searched for, or a pre-event stage coinciding with a post-event stage of the event stage information searched for. If an event of the event stage information searched for is an observation non-available event that cannot be observed, an event sequence is created by treating the observation non-available event as having been observed and connecting the observed event and the observation non-available event to each other with a dependency.
-
Citations
8 Claims
-
1. An attack detection device comprising:
-
an event stage information memory which stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack which is made before the event is observed, the post-event stage being a stage of a progress of an attack which is made after the event is observed; an observed event notice information receiver which receives observed event notice information notifying an observed event observed by the information system; and an event sequence creator which searches for event stage information describing the observed event notified by the observed event notice information, from the event stage information memory, searches for event stage information describing a post-event stage coinciding with a pre-event stage of the event stage information searched for or a pre-event stage coinciding with a post-event stage of the event stage information searched for, from the event stage information memory, and if an event of the event stage information searched for is an observation non-available event that cannot be observed, creates an event sequence by treating the observation non-available event as having been observed and connecting the observed event and the observation non-available event to each other with a dependency. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. An attack detection method of an attack detection device which detects an attack against an information system, comprising:
-
an event stage information storage storing step, by an event stage information storage unit, of storing, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by the information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack which is made before the event is observed, the post-event stage being a stage of a progress of an attack which is made after the event is observed; a step, by an observed event notice information reception unit, of receiving observed event notice information notifying an observed event observed by the information system; and an event sequence creation step, by an event sequence creation unit, of searching for event stage information describing the observed event notified by the observed event notice information, from the event stage information storage unit, searching for event stage information describing a post-event stage coinciding with a pre-event stage of the event stage information searched for or a pre-event stage coinciding with a post-event stage of the event stage information searched for, from the event stage information storage unit, and if an event of the event stage information searched for is an observation non-available event that cannot be observed, creating an event sequence by treating the observation non-available event as having been observed and connecting the observed event and the observation non-available event to each other with a dependency.
-
-
8. A non-transitory computer readable recording medium which records an attack detection program that causes a computer which stores, for a plurality of events, event stage information describing an event, a pre-event stage, and a post-event stage, the event being observed by an information system when an attack against the information system is underway, the pre-event stage being a stage of a progress of an attack which is made before the event is observed, the post-event stage being a stage of a progress of an attack which is made after the event is observed, to perform:
-
an observed event notice information reception process of receiving observed event notice information notifying an observed event observed by the information system; and an event sequence creation process of searching for event stage information describing the observed event notified by the observed event notice information, searching for event stage information describing a post-event stage coinciding with a pre-event stage of the event stage information searched for or a pre-event stage coinciding with a post-event stage of the event stage information searched for, and if an event of the event stage information searched for is an observation non-available event that cannot be observed, creating an event sequence by treating the observation non-available event as having been observed and connecting the observed event and the observation non-available event to each other with a dependency.
-
Specification