Diagnostic device, diagnostic method, and program
The diagnostic device automates the estimation and detection of security risk impact on business operations, addressing the inefficiencies of manual analysis by identifying entry points, attack targets, and detecting attack routes, thereby reducing the time and effort needed for risk assessment.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- NEC CORP
- Filing Date
- 2024-11-29
- Publication Date
- 2026-06-10
AI Technical Summary
Existing systems fail to accurately determine the magnitude of security risks' impact on business operations, requiring significant time and effort for manual analysis.
A diagnostic device and method that estimates business impact, identifies entry and attack target devices, detects attack routes, and outputs diagnostic results, reducing the need for manual intervention.
Reduces the time and effort required to assess the impact of security risks on business operations by automating the estimation and detection of attack routes and target devices.
Smart Images

Figure 2026094623000001_ABST
Abstract
Description
Technical Field
[0001] The present disclosure relates to a diagnostic device, a diagnostic method, and a program.
Background Art
[0002] In general, in order to diagnose the security risk of a system to be diagnosed, it is necessary for an expert to read design information and the like. For this purpose, a lot of time and effort are required.
[0003] Patent Document 1 describes a support system that extracts security requirements to be complied with and functions of a cloud infrastructure, and instructs a design of the cloud infrastructure in which the extracted security requirements and functions of the cloud infrastructure are adjusted. The support system of Patent Document 1 introduces a security monitoring function based on monitoring target data collected from a monitoring target device into the cloud infrastructure.
Prior Art Documents
Patent Documents
[0004]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0005] The cloud infrastructure by the support system of Patent Document 1 has a security monitoring function based on monitoring target data collected from a monitoring target device. Therefore, the time and effort for diagnosing security risks are reduced. However, with the technology of Patent Document 1, it is not possible to obtain the magnitude of the impact of security risks on the business.
[0006] One object of the present disclosure is to provide a diagnostic device, a diagnostic method, and a program that can reduce the time and effort for obtaining the magnitude of the impact of security risks on the business.
Means for Solving the Problems
[0007] A diagnostic device according to one aspect of the present disclosure includes: estimation means for estimating the business impact, which is the magnitude of the impact on business operations due to an attack on a device, from information on the use of the device included in the system to be diagnosed; identification means for identifying an entry point device that could be an entry point and an attack target device that could be the target of an attack, from information on the configuration of the system to be diagnosed and the business impact of the device; detection means for detecting an attack route, which is a route through which an attack can be successfully carried out from the entry point device to the attack target device, using information on the configuration of the system to be diagnosed, information on the state of the device, and information on successful attacks for each state; and output means for outputting diagnostic result information indicating the business impact due to the attack on the attack target device via the detected attack route.
[0008] A diagnostic method according to one aspect of this disclosure estimates the business impact, which is the magnitude of the impact on business operations due to an attack on a device, from information on the use of the device included in the system to be diagnosed; identifies an entry point device that could be an entry point and an attack target device that could be the target of an attack, from information on the configuration of the system to be diagnosed and the business impact of the device; detects an attack route, which is a route on which an attack can be successfully carried out from the entry point device to the attack target device, using information on the configuration of the system to be diagnosed, information on the state of the device, and information on successful attacks for each state; and outputs diagnostic result information indicating the business impact due to an attack on the attack target device via the detected attack route.
[0009] A program according to one aspect of this disclosure causes a computer to execute: an estimation process that estimates the business impact, which is the magnitude of the impact on business operations if the devices included in the system to be diagnosed are attacked, based on information about the use of the devices; an identification process that identifies intrusion devices that could be entry points and attack target devices that could be targets of attacks, based on information about the configuration of the system to be diagnosed and the business impact of the devices; a detection process that detects an attack route, which is a route through which an attack can be successfully carried out from the intrusion device to the attack target device, using information about the configuration of the system to be diagnosed, information about the state of the devices, and information about successful attacks for each state; and an output process that outputs diagnostic result information indicating the business impact caused by the attack on the attack target device being attacked via the detected attack route. One aspect of this disclosure can also be realized by a storage medium that stores the above-mentioned program. [Effects of the Invention]
[0010] This disclosure has the effect of reducing the time and effort required to determine the magnitude of the impact of security risks on business operations. [Brief explanation of the drawing]
[0011] [Figure 1] Figure 1 is a block diagram showing an example of the configuration of the diagnostic device relating to this disclosure. [Figure 2] Figure 2 is a flowchart illustrating an example of the operation of the diagnostic device relating to this disclosure. [Figure 3] Figure 3 is a block diagram showing an example of the configuration of the diagnostic system related to this disclosure. [Figure 4] Figure 4 is a block diagram showing an example of the configuration of the diagnostic device relating to this disclosure. [Figure 5] Figure 5 is a flowchart illustrating an example of the operation of the diagnostic device according to this disclosure. [Figure 6] Figure 6 is a flowchart illustrating an example of the operation of the diagnostic device relating to this disclosure. [Figure 7] Figure 7 is a flowchart illustrating an example of the operation of the diagnostic device relating to this disclosure. [Figure 8] FIG. 8 is a flowchart showing an example of the operation of the diagnostic apparatus according to the present disclosure. [Figure 9] FIG. 9 is a block diagram showing an example of the configuration of the diagnostic apparatus according to the present disclosure. [Figure 10] FIG. 10 is a flowchart showing an example of the operation of the diagnostic apparatus according to the present disclosure. [Figure 11] FIG. 11 is a flowchart showing an example of the operation of the diagnostic apparatus according to the present disclosure when receiving selection information. [Figure 12] FIG. 12 is a diagram showing an example of the hardware configuration of a computer capable of realizing the diagnostic apparatus according to the present disclosure. MODE FOR CARRYING OUT THE INVENTION
[0012] Hereinafter, embodiments of the present disclosure will be described in detail with reference to the drawings.
[0013] <First Embodiment> First, the first embodiment of the present disclosure will be described in detail with reference to the drawings.
[0014] <Configuration> FIG. 1 is a block diagram showing an example of the configuration of the diagnostic apparatus according to the present disclosure.
[0015] Hereinafter, an example of the configuration of the diagnostic apparatus according to the first embodiment of the present disclosure will be described in detail with reference to FIG. 1.
[0016] In the example shown in FIG. 1, the diagnostic apparatus 10 includes an estimation unit 121, a specification unit 122, a detection unit 130, and an output unit 140.
[0017] <Estimation Unit 121> The estimation unit 121 estimates the business impact, which is the magnitude of the impact on business operations caused by an attack on a device, based on information about the use of the device included in the system to be diagnosed. The business impact may include information indicating the magnitude of the impact on business operations caused by an attack on the target device, and information indicating the device itself. Hereinafter, "business impact of the device" refers to the business impact related to the device.
[0018] <Specific part 122> The identification unit 122 identifies potential entry point devices and potential attack target devices based on information about the system under diagnosis's configuration and the business impact of the devices.
[0019] <Detection unit 130> The detection unit 130 uses information about the configuration of the system to be diagnosed, information about the status of the device, and information about possible attacks for each status to detect an attack route, which is a route in which an attack can be successfully carried out from the entry point device to the target device.
[0020] <Output section 140> The output unit 140 outputs diagnostic information indicating the business impact resulting from an attack on the target device via the detected attack route.
[0021] <Details> <Estimation part 121> Information on the device's purpose is, for example, information that describes the device's intended use. The device's purpose might be, for example, the management of product manufacturing. In this case, the device's purpose information includes information such as the product in which the device is used and its sales revenue, and information on products in which the device is used as a component and its sales revenue. Product information may include information such as the product name and the destination of the product.
[0022] The device's intended use information may, for example, be for storing information. In this case, the device's intended use information may include information representing the content of the information stored in the device's storage (hereinafter also referred to as stored information). Furthermore, the device's intended use information may include information on the amount of damage expected if the stored information were to be leaked (for example, the sum of the decrease in sales and the expected amount of compensation).
[0023] The information regarding the use of the device is not limited to these examples. The device may have multiple uses. For example, a device used to control the manufacturing of a product may also be used for storing information.
[0024] The magnitude of the impact on business operations may be expressed, for example, in monetary terms. If the device's purpose is to control the manufacturing of products, the magnitude of the impact on business operations due to an attack on the device may be expressed, for example, in terms of sales of products whose manufacturing is affected by the device's shutdown and the products in which those products are used (hereinafter also referred to as "impacted sales"). In this case, sales may be expressed as sales during a predetermined standard period of time during which the attacked device is down. If the device's purpose is to store information, the magnitude of the impact on business operations due to an attack on the device may be expressed, for example, in terms of the amount of damage expected if the stored information is leaked.
[0025] The magnitude of the impact on business operations may be represented, for example, by one of several predetermined levels. In this case, the scope of affected sales and losses may be divided into several scopes, for example, and one level may be associated with each of these scopes. The magnitude of the impact on business operations may be represented by the level associated with the scope that includes the affected sales and losses.
[0026] <Specific part 122> The system to be diagnosed is an information processing system implemented by devices and a communication network connecting those devices. The devices include information processing equipment. The devices may further include communication equipment such as routers and switches. The devices are connected to other devices in a communicative manner. At least a portion of the devices may be connected to the outside of the system to be diagnosed.
[0027] The information regarding the configuration of the system being diagnosed may include information representing the network configuration of the devices included in the system being diagnosed. The network configuration of the devices is, for example, information representing devices that are connected to each other via a communication network.
[0028] Device status information includes, for example, information about vulnerabilities present in the device and information about the device's security settings. The device status represents at least one of the device's vulnerabilities and the device's security status.
[0029] The identification unit 122 identifies, for example, devices included in the system under diagnosis that can be directly accessed from outside the system under diagnosis as entry point devices. The identification unit 122 identifies target attack devices from among the devices included in the system under diagnosis using the magnitude of the business impact. The identification unit 122 may, for example, identify devices included in the system under diagnosis whose business impact exceeds a predetermined standard as target attack devices. The identification unit 122 may, for example, identify the device included in the system under diagnosis that has the greatest business impact as a target attack device. The identification unit 122 may identify multiple entry point devices. The identification unit 122 may identify multiple target attack devices.
[0030] <Detection unit 130> Information on possible attacks for each state represents the state of the device and the attacks that can succeed against that device when it is in that state. Information on possible attacks for each state may be obtained for each type of device. Information on multiple states of a device and, for each state, information representing the attacks that can succeed against that device when it is in that state may be obtained.
[0031] The detection unit 130 detects attack routes, which are routes from an entry point device to a target device, that are routes through which an attack can be successfully carried out, using any of the various existing methods. The detection unit 130 may detect attack routes using, for example, the technique described in International Publication No. 2023 / 089669. The detection unit 130 may detect attack routes using other methods. If multiple entry points are identified, the detection unit 130 may detect attack routes from each of the multiple entry points to the target device. If multiple target devices are identified, the detection unit 130 may detect attack routes from each of the multiple entry points to each of the multiple target devices. If multiple entry points and multiple target devices are identified, the detection unit 130 may detect attack routes from each of the multiple entry points to each of the multiple target devices.
[0032] <Output section 140> As described above, the output unit 140 outputs diagnostic information indicating the business impact resulting from the attack on the target device via the detected attack route.
[0033] The output unit 140 may output, for example, information indicating the business impact, representing the magnitude of the impact on business operations caused by an attack on a target device, for each target device that can be attacked via a detected attack route, as diagnostic result information.
[0034] The output unit 140 may further output information representing the detected attack for each target device that can be attacked via the detected attack route.
[0035] <Operation> Next, the operation of the first embodiment of this disclosure will be described in detail with reference to the drawings.
[0036] Figure 2 is a flowchart illustrating an example of the operation of the diagnostic device relating to this disclosure.
[0037] Below, an example of the operation of the diagnostic device according to the first embodiment of this disclosure will be described in detail with reference to Figure 2.
[0038] In the example shown in Figure 2, the estimation unit 121 estimates the business impact of an attack on the target device based on information about the use of the devices included in the system under diagnosis (step S11). Next, the identification unit 122 identifies the entry point device and the target device based on information about the system under diagnosis's configuration and the business impact of the devices (step S12). Next, the detection unit 130 uses information about the system under diagnosis's configuration, information about the status of the devices, and information about successful attacks for each status to detect an attack route, which is a route through which an attack from the entry point device to the target device could succeed (step S13). Finally, the output unit 140 outputs diagnostic result information indicating the business impact of an attack on the target device via the attack route (step S14).
[0039] <Effects> The embodiment described above has the effect of reducing the time and effort required to determine the magnitude of the impact of security risks on business operations.
[0040] The reason for this is that the estimation unit 121 estimates the business impact, which is the magnitude of the impact on business operations if the devices are attacked, based on information about the uses of the devices included in the system to be diagnosed. Then, the identification unit 122 identifies entry point devices that could be entry points and attack target devices that could be targets of attacks, based on information about the configuration of the system to be diagnosed and the business impact of the devices. Then, the detection unit 130 uses information about the configuration of the system to be diagnosed, information about the status of the devices, and information about successful attacks for each status to detect attack routes, which are routes through which attacks from entry point devices to attack target devices can be successful. Furthermore, the output unit 140 outputs diagnostic result information that shows the business impact resulting from attacks on attack target devices via the detected attack routes. In this way, the diagnostic device 10 derives the magnitude of the impact that security risks (for example, attacks on attack target devices via attack routes through which attacks can be successful) have on business operations (i.e., the business impact mentioned above). In other words, the diagnostic device 10 derives the magnitude of the impact that security risks have on business operations without relying on human intervention. Therefore, compared to manually analyzing the magnitude of the impact of security risks on business operations in the system being diagnosed, this method can reduce the time and effort required.
[0041] <Second Embodiment> First, a first embodiment of this disclosure will be described in detail with reference to the drawings. Unless otherwise specified, the terms used in the first embodiment and the terms used in the second embodiment refer to the same terms used in the first embodiment.
[0042] <Structure> Figure 3 is a block diagram showing an example of the configuration of the diagnostic system related to this disclosure.
[0043] Below, an example of the configuration of a diagnostic system according to the second embodiment of this disclosure will be described in detail with reference to Figure 3.
[0044] In the example shown in Figure 3, the diagnostic system 1 includes a diagnostic device 100, an LLM server 200 on which a Large Language Model (LLM) operates, and a terminal device 400. The diagnostic device 100 and the LLM server 200 are connected to each other via a communication network 300. The diagnostic device 100 and the terminal device 400 are also connected to each other via a communication network 300. The terminal device 400 may also be connected to the communication network 300. In this case, the diagnostic device 100 and the terminal device 400 are connected to each other via the communication network 300. Note that the communication network 300 does not refer to the communication network of the system to be diagnosed as described in the first embodiment.
[0045] The large-scale language model, for example, receives instructions written in text from the diagnostic device 100 and returns the results for the received instructions to the diagnostic device 100. The large-scale language model may be one of many existing large-scale language models.
[0046] The terminal device 400 is an information processing device used by the user to give instructions to the diagnostic device 100 for the diagnosis of the system to be diagnosed.
[0047] <Diagnostic device 100> Figure 4 is a block diagram showing an example of the configuration of the diagnostic device relating to this disclosure.
[0048] In the following, a diagnostic device according to the second embodiment of this disclosure will be described in detail with reference to Figure 4.
[0049] In the example shown in Figure 4, the diagnostic device 100 includes an instruction receiving unit 110, a diagnostic parameter generation unit 120, a detection unit 130, an output unit 140, a procedure control unit 150, a model generation unit 160, an information storage unit 170, an equipment diagnostic unit 171, a diagnostic result estimation unit 180, a countermeasure identification unit 181, and an output information generation unit 182. The diagnostic parameter generation unit 120 includes an estimation unit 121, an identification unit 122, an item generation unit 123, a requirement generation unit 124, and an information acquisition unit 125.
[0050] <Instruction Reception Unit 110> The instruction receiving unit 110 receives instructions from the terminal device 400 to diagnose the system to be diagnosed. The instructions for diagnosing the system to be diagnosed may include information indicating the system to be diagnosed and a diagnosis request, which is information indicating the content of the diagnosis to be performed. The instructions for diagnosing the system to be diagnosed may be written in text. The instruction receiving unit 110 identifies the system to be diagnosed from the received instructions. The instruction receiving unit 110 further identifies the diagnosis request from the received instructions.
[0051] The information identifying the system to be diagnosed may be the name of the system to be diagnosed. In this case, the name of the system to be diagnosed may be one of the names of a predetermined system to be diagnosed. Information on the configuration of the system to be diagnosed and information on the devices included in the system to be diagnosed may be provided to the diagnostic device 100 in advance and stored in the information storage unit 170, which will be described in detail later. For example, the instruction receiving unit 110 may receive information on the configuration of the system to be diagnosed and information on the devices included in the system to be diagnosed from the terminal device 400, or from another server that holds information on the configuration of the system to be diagnosed and information on the devices included in the system to be diagnosed.
[0052] A request for diagnosis is, for example, a request for a diagnosis of any type of impact on business operations. The types of impacts on business operations may include, for example, the amount of damages and rule violations. Examples of requests for diagnosis include a request for a diagnosis of the amount of damages, a request for a diagnosis of rule violations, or a request for a diagnosis of both the amount of damages and rule violations. In this disclosure, a request for diagnosis is also referred to as a content instruction. In this case, "content" refers to the type of impact on business operations indicated by the request for diagnosis.
[0053] The amount of damages may be, for example, the amount of damages due to production stoppage, that is, the amount of sales lost due to the suspension of shipments of products whose production is stopped due to an attack on equipment affecting the production of the product, and other products that incorporate that product. The amount of damages due to production stoppage may also be, for example, the sum of the above-mentioned sales loss and the estimated amount of compensation that must be paid to customers for damages resulting from the suspension of shipments of the product and other products that incorporate that product due to the suspension of production of the product. The amount of damages may also be, for example, an estimated amount of sales lost due to loss of credibility and damage to image resulting from the suspension of production of the product due to the attack and the suspension of shipments of that product and other products that incorporate that product (hereinafter referred to as the amount of damages due to the attack). The amount of damages may also be the sum of the amount of damages due to production stoppage and the amount of damages due to the attack.
[0054] A rule is, for example, a law or regulation. In this case, a rule violation is a violation of the law or regulation. A rule may also include guidelines. In this case, a rule violation is a violation of at least one of the law or regulation and / or the guidelines. A guideline is, for example, a guideline established according to the intended use of the system being diagnosed.
[0055] <Procedure Control Unit 150> The procedure control unit 150 controls the processing of the diagnostic device 100. That is, the procedure control unit 150 instructs the next component of the diagnostic device 100 to execute processing according to the stage of processing of the diagnostic device 100. For example, when the instruction receiving unit 110 receives an instruction to diagnose the system to be diagnosed, the procedure control unit 150 sends an instruction to the equipment diagnosis unit 171 to acquire information about the equipment of the system to be diagnosed. Once the status of the equipment of the system to be diagnosed is obtained, the procedure control unit 150 instructs the model generation unit 160 to generate a virtual model of the system to be diagnosed and instructs the diagnostic parameter generation unit 120 to generate diagnostic parameters. The virtual model and diagnostic parameters will be described in detail later.
[0056] Once the virtual model and diagnostic parameters have been generated, the procedure control unit 150 may instruct the detection unit 130 to detect the attack route. Once the detection of the attack route is complete, the procedure control unit 150 may send an instruction to the diagnostic result estimation unit 180 to estimate the diagnostic result. Once the estimation of the diagnostic result is complete, the procedure control unit 150 may send an instruction to the countermeasure identification unit 181 to identify the countermeasure. Once the identification of the countermeasure is complete, the procedure control unit 150 may send an instruction to the output information generation unit 182 to generate output information. Once the generation of output information is complete, the procedure control unit 150 may send an instruction to the output unit 140.
[0057] Furthermore, if there is information necessary for processing but not yet obtained, the procedure control unit 150 may output a request to the terminal device 400 to input the information necessary for processing but not yet obtained. The procedure control unit 150 may then receive the information necessary for processing but not yet obtained that has been input in response to the request. For example, if the information of the configuration of the system to be diagnosed is not stored in the information storage unit 170, the procedure control unit 150 may output information requesting the input of the information of the configuration of the system to be diagnosed.
[0058] <Equipment Diagnostics Department 171> The equipment diagnostic unit 171 acquires information about the status of the equipment included in the system to be diagnosed.
[0059] If the system is configured to store information about the status of the devices included in the system to be diagnosed in the information storage unit 170, the device diagnostic unit 171 may read the information about the status of the devices included in the system to be diagnosed from the information storage unit 170.
[0060] Furthermore, the information storage unit 170 may store vulnerability information for each type of device. The vulnerability information may include information about the risks (in other words, the type of damage) that would result from a successful attack on a device with a vulnerability. The vulnerability information may also include information about the conditions under which the risks (i.e., the type of damage indicated by the risks) occur (for example, the device performing a specific operation, the user of the device performing a specific type of operation such as web access, or a specific type of operation being performed on the device).
[0061] Vulnerability information for each device may be represented, for example, by information on vulnerabilities discovered for each version of the device's software, and information on vulnerabilities that have been mitigated by security programs (also referred to as security patches). The device's software includes, for example, the Operating System (OS) and programs such as drivers running on the device. Vulnerability information may also include information on vulnerabilities that have been mitigated for each version of the device's firmware.
[0062] The device diagnostic unit 171 then obtains information from each device included in the system to be diagnosed, including the type of device and the software version (OS, OS and driver programs, or firmware). If a security program is installed on the device, the device diagnostic unit 171 further obtains information about the installed security program from that device.
[0063] The device diagnostic unit 171 further receives security-related setting information from each of the devices included in the system being diagnosed. This security-related setting information indicates the content of the predefined security settings. Examples of security settings include communication filtering settings, access restriction settings for stored information on the device, and malware protection program settings. However, security-related setting information is not limited to these examples.
[0064] In this case, the device diagnostic unit 171 extracts vulnerabilities that have not been addressed from the vulnerability information for each device, based on the software version obtained from the device (or the software version and the installed security program).
[0065] The device diagnostic unit 171 may connect to the devices included in the system to be diagnosed and obtain information on the security status of the devices included in the system to be diagnosed (for example, existing vulnerabilities and security settings).
[0066] <Information storage section 170> The information storage unit 170 may store information about the configuration of the system to be diagnosed and information about the status of the devices included in the system to be diagnosed. The information about the configuration of the system to be diagnosed and the information about the status of the devices included in the system to be diagnosed are acquired in advance and stored in the information storage unit 170. The information about the configuration of the system to be diagnosed may include at least one of the following: information representing the configuration of the system to be diagnosed, information representing the design of the system to be diagnosed, and information representing the specifications of the system to be diagnosed and the devices included in the system to be diagnosed.
[0067] The device vulnerability information, within the device status information, includes information published by the device manufacturer. The device vulnerability information may also include vulnerability information published by security vendors, etc.
[0068] The information storage unit 170 may store information about countermeasures for each vulnerability for which countermeasures exist (in other words, countermeasures to eliminate the vulnerability; in other words, countermeasures to prevent attacks that exploit the vulnerability from succeeding). Countermeasures for vulnerabilities may include, for example, updating the software to a version in which the vulnerability has been resolved, installing a security program to implement countermeasures against the vulnerability, and changing the device's settings. In other words, a countermeasure can be rephrased as changing the state of the device so that any potentially successful attack against that device will not succeed.
[0069] The information storage unit 170 may store information about vulnerabilities for each type of device.
[0070] Furthermore, the information storage unit 170 stores information about the intended use of the devices included in the system to be diagnosed. This information about the intended use of the devices included in the system to be diagnosed is also acquired in advance and stored in the information storage unit 170.
[0071] Information on the device's intended use may include supply chain information and system requirements information for products whose manufacture would be affected by an attack on the device. Supply chain information may include, for example, business information, usage information, manufacturing information, and litigation risk information. Business information may include, for example, the product name, customers, sales figures, whether or not there are alternative products for the product, and the unit price of any existing alternative products. Business information may also include information on the names of components used in other products into which the product is incorporated, where those components are purchased, and the manufacturers of those components. Usage information may include information on the names of other products into which the product is used (in other words, incorporated), components used in those other products, customers of those other products, and sales figures for those other products. Manufacturing information may include, for example, the product name, other devices into which the product is incorporated, the department that manufactures the product, and contact information for that department (e.g., at least one of an email address and a telephone number).
[0072] Litigation risk information includes information such as estimated amounts of damages that could be claimed in a lawsuit if product shipments are stopped, and estimated amounts of damages that could be claimed in a lawsuit if shipments of other products incorporating the product are stopped.
[0073] System requirements information may include information such as the product name, the standards the product must comply with, the criteria for determining whether the product complies with the standards, and the means of making that determination (e.g., the device used to make the determination).
[0074] Furthermore, the information storage unit 170 pre-stores information about the rules that the system under diagnosis must follow. As mentioned above, these rules are at least one of the following: laws and regulations, guidelines, etc.
[0075] <Model generation unit 160> The model generation unit 160 generates a virtual model of the system to be diagnosed using information about the system's configuration and information about the status of the devices included in the system. The virtual model simulates the security-related behavior of the system to be diagnosed. Security-related behavior includes, for example, the behavior in the event of an attack.
[0076] As described above, the diagnostic parameter generation unit 120 includes an estimation unit 121, a specification unit 122, an item generation unit 123, a requirement generation unit 124, and an information acquisition unit 125. Of these, the estimation unit 121 and the specification unit 122 each have functions similar to those of the estimation unit 121 and specification unit 122 in the first embodiment. The estimation unit 121 and the specification unit 122 each perform operations similar to those of the estimation unit 121 and specification unit 122 in the first embodiment.
[0077] <Estimation part 121> As described above, the estimation unit 121 estimates the business impact, which is the magnitude of the impact on business operations caused by an attack on a device, based on information about the intended use of the device included in the system to be diagnosed.
[0078] Specifically, the estimation unit 121 may calculate the business impact, which is the magnitude of the impact on business caused by an attack on the equipment, from information on the use of the equipment included in the system to be diagnosed. This includes the sum of the sales of the product whose manufacturing would be affected by the attack on the equipment and the sales of other products into which that product is incorporated. Alternatively, the estimation unit 121 may calculate the business impact, which is the sum of the sales of the product whose manufacturing would be affected by the attack on the equipment, the sales of other products into which that product is incorporated, the estimated amount of compensation due to the suspension of product shipments, and the estimated amount of compensation due to the suspension of shipments of other products.
[0079] <Specific part 122> The identification unit 122 identifies entry point devices and target devices that could be targets of attack, based on information about the configuration of the system under diagnosis and the business impact of the devices. In this disclosure, information including combinations of entry point devices and target devices may also be referred to as an attack scenario. Specifically, for example, information indicating entry point devices, information indicating target devices, and information representing the amount of damage caused by an attack on the target devices may also be referred to as an attack scenario (in other words, an attack scenario). The identification unit 122 may generate an attack scenario.
[0080] <Item generation unit 123> The item generation unit 123 generates a diagnostic list, which is a list of diagnostic items representing information indicating successful attacks for each state, the types of risks that result from the attacks, and the conditions under which each type of risk occurs, from information representing the content of the device's vulnerability.
[0081] Diagnostic items include, for example, identification information to identify the diagnostic item, attack means, attack conditions, and the type of damage (the risk described above). Diagnostic items may also include, for example, information indicating whether attack code already exists, whether a function to simulate the vulnerability in a virtual environment is implemented, and whether there are any examples of damage caused by the attack. In this disclosure, diagnostic items may also be referred to as diagnostic parameters.
[0082] The item generation unit 123 may generate a diagnostic list, which is a list of diagnostic items, from information representing the content of the device vulnerability, using a large-scale language model. In that case, the item generation unit 123 generates an instruction to generate the diagnostic list. The item generation unit 123 then sends the instruction to generate the diagnostic list and the information representing the content of the device vulnerability to the LLM server 200. The item generation unit 123 then receives the diagnostic list from the LLM server 200.
[0083] <Requirement generation unit 124> The requirements generation unit 124 generates a requirements list, which is a list of requirements that the system under diagnosis must satisfy, from information on the rules that the system under diagnosis must follow. As mentioned above, the rules that the system under diagnosis must follow include laws, guidelines, etc.
[0084] The requirements generation unit 124 may generate a requirements list using a large-scale language model based on information about the rules that the system under diagnosis must follow. In this case, the requirements generation unit 124 generates an instruction to generate a requirements list. The requirements generation unit 124 then sends the instruction to generate a requirements list and the information about the rules that the system under diagnosis must follow to the LLM server 200. The requirements generation unit 124 then receives the requirements list from the LLM server 200.
[0085] The requirements included in the requirements list may be expressed, for example, as a combination of conditions based on information obtained from the system under diagnosis and rules that will be violated if those conditions are not met. In this case, the information from the system under diagnosis may be, for example, at least one of the following: information obtained when identifying an attack route, information on the status of devices included in the system under diagnosis, and information on the configuration of the system under diagnosis.
[0086] The information obtained when identifying an attack route includes, for example, whether there is a possibility of information leakage due to an attack on a device holding personal information along a route where an attack could succeed, from the entry point device of the system being diagnosed to any device in the system being diagnosed. The condition for this example of information is that it indicates there is no possibility of leakage. In this case, if the condition is not met, the administrator of the system being diagnosed may be in violation of laws and regulations, such as the Personal Information Protection Act. In other words, the rule being violated in this case is, for example, laws and regulations such as the Personal Information Protection Act.
[0087] The information obtained from the configuration information of the system being diagnosed and the information on the status of the devices included in the system being diagnosed can, for example, indicate whether the communication network within the system being diagnosed is divided according to security level, and whether the portion of the communication network with a high security level is configured to prevent direct access from the outside (e.g., the internet). The condition in this case is that the communication network within the system being diagnosed is divided according to security level, and the portion of the communication network with a high security level is configured to prevent direct access from the outside (e.g., the internet). If this condition is not met, the system being diagnosed violates the guideline that requires the network to be divided according to security level, and that the portion of the network with a high security level is configured to prevent direct access from the outside. The rule being violated in this case is that guideline.
[0088] Information obtained from the configuration information of the system being diagnosed and the status information of the devices included in the system can include, for example, information indicating whether the network is divided into segments according to security level and whether access restrictions are implemented between each segment. The conditions in this case are that the network is divided into segments according to security level, and access restrictions are implemented between any two segments. If these conditions are not met, the system being diagnosed may be in violation of the guidelines that stipulate that the network is divided into segments according to security level and that access restrictions are implemented between each segment. In this case, the rule being violated is the guidelines themselves.
[0089] Information obtained from the status information of the devices included in the system being assessed may, for example, indicate whether or not vulnerability management is being implemented. In this case, the condition may be, for example, that there are no vulnerabilities among the devices included in the system being assessed for which a certain amount of time has passed since the fix was made public. If this condition is not met, the system being assessed may be in violation of the guidelines that stipulate that vulnerability management is being implemented. In this case, the rule being violated is the guidelines themselves.
[0090] The above are not limited examples of requirements. Furthermore, at least one of the requirements described above does not need to be included in the requirements list.
[0091] <Information acquisition unit 125> The information acquisition unit 125 acquires, for example, information on vulnerabilities. The information acquisition unit 125 may acquire information on newly disclosed vulnerabilities. The information acquisition unit 125 stores the newly acquired vulnerability information in the information storage unit 170.
[0092] The information acquisition unit 125 may, for example, acquire information on the rules that the system under diagnosis must follow. If the rules that the system under diagnosis must follow are updated, the information acquisition unit 125 acquires information on the updated rules. The information acquisition unit 125 then updates the rule information stored in the information storage unit 170 by, for example, applying the acquired rule information to the rule information stored in the information storage unit 170.
[0093] <Detection unit 130> The detection unit 130 uses information about the configuration of the system under diagnosis, information about the status of the devices, and information about possible successful attacks for each status to detect an attack route, which is a route in which an attack can be successfully carried out from the entry point device to the target device. The detection unit 130 may use a virtual model as the information about the configuration of the system under diagnosis and the status of the devices to detect the attack route. That is, the detection unit 130 uses a virtual model and information about possible successful attacks for each status to detect an attack route, which is a route in which an attack can be successfully carried out from the entry point device to the target device.
[0094] As described above, the detection unit 130 detects an attack route, which is a route from the entry device to the target device that could be successfully attacked, using one of various existing methods. The detection unit 130 may detect the attack route using, for example, the technique described in International Publication No. 2023 / 089669. The detection unit 130 (and the detection unit 130 of the first embodiment) may detect the attack route as follows, for example.
[0095] For example, the detection unit 130 uses information about the state of the target device to determine whether or not it is possible to attack the target device by exploiting vulnerabilities present in it.
[0096] The detection unit 130 may use an item list to determine whether an attack on a device (attack target device, entry point device, and connectable device described below) is possible by exploiting vulnerabilities present in that device. Specifically, the detection unit 130 determines whether a vulnerability in an item included in the item list exists in the device. If a vulnerability in a diagnostic item included in the item list exists in the device, the detection unit 130 uses, for example, information on the device's security settings to determine whether the attack conditions for that diagnostic item can be met. If it is determined that the attack conditions cannot be met, the detection unit 130 determines that an attack using the attack means of that diagnostic item cannot succeed. If it is determined that the attack conditions can be met, the detection unit 130 determines that an attack using the attack means of that diagnostic item can succeed. In this case, the detection unit 130 determines that the device may suffer damage of the type indicated by the type of damage in the diagnostic item.
[0097] If an attack exploiting a vulnerability in the target device is not possible, the detection unit 130 determines that there is no attack route from the entry device to the target device. If an attack exploiting a vulnerability in the target device is possible, the detection unit 130 may perform the determination described below.
[0098] The detection unit 130 uses information about the state of the entry point device to determine whether an attack on the entry point device is possible. For example, the detection unit 130 determines whether an attack on the entry point device is possible by exploiting vulnerabilities present in the entry point device, based on the configuration of the entry point device. If an attack is possible by exploiting vulnerabilities present in the entry point device, based on the configuration of the entry point device, the detection unit 130 determines that an attack on the entry point device is possible. If an attack is not possible by exploiting vulnerabilities present in the entry point device, based on the configuration of the entry point device, the detection unit 130 determines that there is no attack route from that entry point device to the target device.
[0099] If the detection unit 130 determines that an attack on the entry point device is likely to succeed, it identifies a device that is communicatively connected to the entry point device (hereinafter referred to as a connectable device). If the connectable device is the target device, the detection unit 130 identifies the route between the entry point device and the target device as the attack route.
[0100] If the connectable device is not an attack target device, the detection unit 130 uses information about the state of the connectable device to determine whether an attack on the connectable device using a vulnerability present in the connectable device can be successful. The method for determining whether an attack on a connectable device can be successful may be the same as the method for determining whether an attack on an entry point device can be successful. If it is determined that an attack on any connectable device can be successful, the detection unit 130 identifies a device that is not an entry point device and is not selected as a connectable device, but is communicatively connected to that connectable device, as a new connectable device.
[0101] If the newly identified connectable device is a target device, the detection unit 130 identifies the route from the entry point device to the target device, via connectable devices that have been determined to be capable of attacks utilizing vulnerabilities present in the connectable device, as the attack route.
[0102] If a new connectable device that is not an attack target device is identified, the detection unit 130 similarly uses information about the status of that connectable device to determine whether an attack on that connectable device that exploits vulnerabilities in that device could be successful. If it determines that an attack on that connectable device could be successful, the detection unit 130 identifies a device that is not an entry point device and is not selected as a connectable device, but is communicatively connected to that connectable device, as a new connectable device.
[0103] The detection unit 130 may repeat the process of determining whether an attack on a connectable device using a vulnerability present in that device is likely to succeed, and identifying new connectable devices, until it has finished determining whether an attack on all identified connectable devices is likely to succeed and no new connectable devices can be identified.
[0104] In this disclosure, detecting an attack route from an entry point device to a target device is referred to as an attack simulation (in other words, an attack simulation). The detection unit 130 may perform an attack simulation using an attack scenario. The attack scenario includes information on the amount of damage that would result from the target device being attacked. When an attack route is detected, the amount of damage that would result from the target device being attacked via that attack route is also identified.
[0105] <Diagnostic result estimation unit 180> The diagnostic result estimation unit 180 estimates a diagnostic result showing the business impact due to the risks (in other words, damage) resulting from a successful attack on the target device via the detected attack route, using information on the configuration of the system being diagnosed, information on the status of the device, and a diagnostic list. The diagnostic result estimation unit 180 may also estimate the diagnostic result using a virtual model of the system being diagnosed as the information on the configuration of the system being diagnosed and the information on the status of the device. That is, the diagnostic result estimation unit 180 may estimate a diagnostic result showing the business impact due to the risks (in other words, damage) resulting from a successful attack on the target device via the detected attack route, using a virtual model of the system being diagnosed and a diagnostic list. As described above, the diagnostic requests indicated by the diagnostic instructions received by the instruction receiving unit 110 are, for example, requests for a diagnosis of the amount of damage, requests for a diagnosis of rule violations, or requests for a diagnosis of both the amount of damage and rule violations.
[0106] If the diagnostic request is for an assessment of the amount of damages, the diagnostic result estimation unit 180 estimates the business impact as follows, for example.
[0107] If an attack route to the target device is detected, it is determined that an attack on the target device via that route is likely to succeed. The diagnostic result estimation unit 180 calculates the sum of the decrease in sales due to the suspension of shipments of products affected by the target device's manufacturing and other products that use those products, and the estimated amount of compensation due to the suspension of shipments of those products and other products that use those products (i.e., the amount of damage due to production suspension as described above). The diagnostic result estimation unit 180 may also specify the decrease in sales due to the suspension of shipments of products affected by the target device's manufacturing and other products that use those products as the amount of damage due to production suspension. Products affected by the target device's manufacturing and other products that use those products are also referred to as products that the target device is involved in shipping.
[0108] The diagnostic result estimation unit 180 further identifies the expected amount of damage (i.e., the amount of damage caused by the attack, as described above) if the type of damage indicated by the type of damage for a diagnostic item in the diagnostic list that is determined to be likely to succeed in an attack on the target device occurs. The type of damage indicated by the type of damage for a diagnostic item is, for example, information leakage (e.g., leakage of stored information stored by the target device). The expected amount of damage in this case is, for example, the sum of the estimated amount of compensation for the information leakage and the decrease in sales resulting from the loss of credibility and damage to the image caused by the public announcement of the information leakage (hereinafter also referred to as the estimated amount of damage). This decrease in sales does not have to include the decrease in sales due to the suspension of shipments of the product and other products that use that product.
[0109] The diagnostic result estimation unit 180 identifies the sum of the damage caused by production stoppage and the damage caused by attack as the magnitude of the business impact. The diagnostic result estimation unit 180 may also identify the damage caused by production stoppage and the damage caused by attack as two values representing the magnitude of the business impact. The diagnostic result estimation unit 180 may also identify either the damage caused by production stoppage or the damage caused by attack as the magnitude of the business impact.
[0110] If the diagnostic request is for a rule violation, the diagnostic result estimation unit 180 identifies the rule that may be violated, for example, as follows:
[0111] The diagnostic result estimation unit 180 identifies requirements in the requirements list that would not be met if an attack on a target device that could be attacked by the identified attack route were successful. The diagnostic result estimation unit 180 then identifies rules that may be violated, which are identified by the unmet conditions. The diagnostic result estimation unit 180 may identify the identified rules that may be violated as business impacts.
[0112] The diagnostic result estimation unit 180 may further identify the amount of damages incurred from violating a rule, which is predetermined for each rule, as the magnitude of the business impact. The amount of damages incurred from violating a rule is an estimate of the decrease in sales if the violation of the rule is made public. For example, if the range (or amount) of the amount to be paid in the event of a violation of a law is defined, the diagnostic result estimation unit 180 may use the sum of the estimated decrease in sales if the violation of the rule is made public and the estimated amount to be paid in the event of a violation of the law as the amount of damages incurred from violating the rule. If there are products that cannot be shipped if the rule is violated, the diagnostic result estimation unit 180 may identify the sales of those products that cannot be shipped due to a violation of the potentially violated rule. The diagnostic result estimation unit 180 may then use the sum of the estimated decrease in sales if the violation of the rule is made public, the estimated amount to be paid in the event of a violation of the law, and the sales of those products that cannot be shipped due to a violation of the potentially violated rule as the amount of damages incurred from violating the rule.
[0113] If the diagnostic request is for a diagnosis of damages and rule violations, the diagnostic result estimation unit 180 may estimate the business impact as described above and identify the rules that may be violated as described above. In identifying the rules that may be violated, the diagnostic result estimation unit 180 may also identify the amount of damages that would result from a violation of the above-mentioned rules.
[0114] <Countermeasures Specific Section 181> If the diagnostic request includes a request for an assessment of the amount of damages, the countermeasure identification unit 181 identifies the countermeasure, for example, as follows:
[0115] The countermeasure identification unit 181 uses the countermeasure information stored in the information storage unit 170 to identify countermeasures that change the state of devices included in the attack route from the entry point device to the target device so that an attack on the target device via that attack route is unsuccessful, as countermeasures against an attack on that target device. A device included in the attack route is a device that, in its state, can be successfully attacked.
[0116] In this case, the countermeasure identification unit 181 may identify the countermeasures for each device on the attack route to the target device for which countermeasures exist that can be modified to prevent an attack on that device from succeeding. Alternatively, the countermeasure identification unit 181 may identify the countermeasures for devices selected using a predetermined selection method from among the devices on the attack route to the target device for which countermeasures exist that can be modified to prevent an attack on that device from succeeding.
[0117] This selection method may, for example, be a method of appropriately selecting one or more devices for which countermeasures exist from each of the attack routes to the target device. This selection method may also be a method of repeatedly selecting a device for which countermeasures exist that is traversed by the most attack routes that do not pass through the selected devices, until there are no more attack routes that do not pass through the unselected devices. In this case, the countermeasure identification unit 181 identifies the countermeasures of the one or more selected devices as countermeasures against attacks on the target device.
[0118] When selecting one device from two or more candidate devices that have the same number of attack routes, the countermeasure identification unit 181 may select the device with the smallest load for countermeasures. The method for calculating the load for countermeasures may be a calculation method that is determined as appropriate, for example, using the number of security countermeasure programs to be installed, whether or not it is necessary to stop the device when executing the countermeasures, or the amount of money required to execute the countermeasures.
[0119] If the diagnostic request includes a request for a rule violation, the countermeasure identification unit 181 identifies the countermeasure, for example, as follows:
[0120] If a rule violation occurs because one of the devices included in the system being diagnosed (referred to as a "factor device") can be attacked, potentially causing the system to violate the rule, the countermeasure identification unit 181 identifies countermeasures to prevent attacks on the potential factor device. For example, countermeasures to prevent violations of laws and regulations such as the Personal Information Protection Act due to the leakage of personal information resulting from an attack on a device that stores personal information. The method for identifying such countermeasures may be the same as the method for identifying countermeasures against attacks on target devices described above. In that case, the explanation would be the same as the explanation for identifying countermeasures against attacks on target devices described above, but with the target device replaced by a factor device.
[0121] If a rule violation is caused by the configuration of the system being diagnosed or the settings of the devices included in the system being diagnosed, the countermeasure to the rule violation may be, for example, to change the settings of the devices included in the system being diagnosed so that the possibility of a rule violation is eliminated. If the possibility of a rule violation is not eliminated by changing only the settings of the devices included in the system being diagnosed, the countermeasure may also include changing the configuration of the system being diagnosed.
[0122] For example, consider a case where the rule requires that the communication network within the system be divided into segments according to security level, and that the high-security-level portion of the communication network within the system is configured to prevent direct access from the outside (e.g., the internet). In this case, the countermeasure identification unit 181 identifies a combination of two devices with different security levels that are included in the same segment, based on the configuration information of the system to be diagnosed and the status information of the devices included in the system to be diagnosed. If such a combination is identified, the countermeasure identification unit 181 identifies a countermeasure that includes dividing the network between the two identified device combinations. The countermeasure identification unit 181 also identifies devices that are directly connected to an external network, among devices with a security level of a predetermined level or higher, based on the configuration information of the system to be diagnosed and the status information of the devices included in the system to be diagnosed. If such a device is identified, the countermeasure identification unit 181 identifies a countermeasure that includes changing the settings of the identified device to block communication with the external network. If such a device is identified, the countermeasure identification unit 181 may identify countermeasures in this case that include (for example, physically) disconnecting the communication network between the identified device and the external network.
[0123] For example, consider a case where the rule requires that the network be divided into segments according to security level, and that access restrictions are implemented between each segment. In this case, the countermeasure identification unit 181 identifies a combination of two devices with different security levels that are included in the same segment, based on the configuration information of the system under diagnosis and the status information of the devices included in the system under diagnosis. If such a combination is identified, the countermeasure identification unit 181 identifies a countermeasure that includes dividing the network between the two identified device combinations. The countermeasure identification unit 181 also identifies a device that is not restricted from accessing devices with different security levels, based on the configuration information of the system under diagnosis and the status information of the devices included in the system under diagnosis. If such a device is identified, the countermeasure identification unit 181 identifies a countermeasure that includes changing the settings of the identified device to restrict access to devices with different security levels.
[0124] For example, consider a case where the rule requires that vulnerability management is implemented on all devices included in the system. In this case, the countermeasure identification unit 181 identifies devices for which vulnerability management is not implemented based on information about the status of the devices included in the system under diagnosis. If such devices are identified, the countermeasure identification unit 181 identifies countermeasures that include changing the settings of the identified devices so that vulnerability management is implemented.
[0125] <Output information generation unit 182> If the diagnostic request includes a diagnosis of the amount of damage, the output information generation unit 182 generates output information that, for example, represents the magnitude of the business impact caused by the attack and the attack target devices that may be attacked. The output information generation unit 182 may, for example, create output information that lists attack target devices that may be attacked via attack routes detected by the detection unit 130, ranked in descending order of the magnitude of the business impact estimated by the diagnostic result estimation unit 180. Hereinafter, the output information will also be referred to as the diagnostic report.
[0126] The output information generation unit 182 may generate output information (i.e., a diagnostic report) using a large-scale language model. Specifically, in this case, the output information generation unit 182 sends to the LLM server 200 an instruction to create a document that explains (in other words, describes) the magnitude of the business impact of the attack and the attack target devices that may be attacked, and information representing the magnitude of the business impact of the attack and the attack target devices that may be attacked. The LLM server 200 creates a document that explains (in other words, describes) the magnitude of the business impact of the attack and the attack target devices that may be attacked, in accordance with the instruction. The LLM server 200 returns the created document to the output information generation unit 182. The output information generation unit 182 generates a diagnostic report that includes the created document (in this case, a document that explains (in other words describes) the magnitude of the business impact of the attack and the attack target devices that may be attacked). The diagnostic report may be written according to a predetermined format.
[0127] The output information generation unit 182 may generate output information (i.e., a diagnostic report) that further includes information representing the countermeasures identified by the countermeasure identification unit 181. The output information generation unit 182 may generate output information (i.e., a diagnostic report) that includes information representing the countermeasures, ranked in order of priority set for the countermeasures. The priority of the countermeasures may be, for example, ranked in order of the magnitude of the business impact if an attack is carried out against an attack target device that can be attacked via an attack route that passes through the device on which the countermeasure is implemented. In this case, the number of attack target devices that can be attacked via an attack route that passes through the device on which the countermeasure is implemented is not limited to one. The output information generation unit 182 may calculate a statistical value of the magnitude of the business impact if an attack is carried out against an attack target device for which the countermeasure is a countermeasure against the attack, among the attack target devices that can be attacked via an attack route that passes through the device on which the countermeasure is implemented. In this case, the statistical value may be, for example, the maximum value or the sum. The output information generation unit 182 may prioritize the countermeasures in order of the magnitude of the calculated statistical value.
[0128] As described above, the output information generation unit 182 may generate output information (i.e., a diagnostic report) using a large-scale language model. The output information generation unit 182 may also use a large-scale language model to create information representing countermeasures (in other words, a document explaining the countermeasures) included in the output information (i.e., a diagnostic report). Specifically in this case, the output information generation unit 182 sends, for example, an instruction to create a document explaining the countermeasures (in other words, a description) and information representing the countermeasures to the LLM server 200. The LLM server 200 creates a document explaining the countermeasures (in other words, a description) according to the instruction. The LLM server 200 returns the created document to the output information generation unit 182. The output information generation unit 182 generates a diagnostic report that includes the created document (in this case, a document explaining the countermeasures). As described above, the diagnostic report may be written according to a predetermined format.
[0129] If the diagnostic request includes a diagnosis of rule violations, the output information generation unit 182 generates a diagnostic report that includes information on rules that the system under diagnosis may violate. The information on rules that the system under diagnosis may violate includes, for example, information indicating the rules that the system under diagnosis may violate and information indicating the nature of the violation. The information indicating the nature of the violation may include information that includes an event considered to be a violation. The information indicating the nature of the violation may also include information that includes the cause of the violation. Specifically, an event considered to be a violation is, for example, the leakage of personal information due to an attack on a device that stores personal information. In this case, the cause of the violation may be, for example, a description of the description that violates the rule, to which the leakage of personal information falls. Specific examples of events considered to be violations are not limited to this example.
[0130] An event considered a violation may refer to the part of a rule that the system under assessment does not satisfy, such as the rule that the communication network within the system is divided into segments according to security level, and that the high-security-level portions of the communication network within the system are configured to prevent direct access from the outside (e.g., the internet). An event considered a violation may refer to the part of a rule that the system under assessment does not satisfy, such as the rule that the network is divided into segments according to security level, and that access restrictions are implemented between each segment. An event considered a violation may refer to the part of a rule that the system under assessment does not satisfy, such as the rule that vulnerability management is implemented on all devices included in the system. In these cases, the cause of the violation may be information that represents the device and its settings that caused the rule to not be satisfied.
[0131] In this case as well, the output information generation unit 182 may generate output information (i.e., a diagnostic report) using a large-scale language model. Specifically, in this case, the output information generation unit 182 sends to the LLM server 200, for example, an instruction to create a document that explains (in other words, describes) information about rules that the system under diagnosis may violate, and information about the rules that the system under diagnosis may violate. The LLM server 200 creates a document that explains (in other words, describes) information about rules that the system under diagnosis may violate, in accordance with the instruction. The LLM server 200 returns the created document to the output information generation unit 182. The output information generation unit 182 generates a diagnostic report that includes the created document (in this case, a document that explains (in other words, describes) information about rules that the system under diagnosis may violate). The diagnostic report may be written in a predetermined format.
[0132] In this case as well, the output information generation unit 182 may generate output information (i.e., a diagnostic report) that further includes information representing the countermeasures identified by the countermeasure identification unit 181. The output information generation unit 182 may generate output information (i.e., a diagnostic report) that includes information representing the countermeasures, ranked in order of priority set for the countermeasures. In this case, the priority of the countermeasures may be, for example, ranked in order of the severity of the rule violations that the countermeasures target. In this case, the magnitude of severity indicates that the rule violation is more serious the larger the severity value of the rule violation. The severity of the rules may be predetermined for each rule. If a countermeasure is a countermeasure for two or more rule violations, the output information generation unit 182 may rank the target rule violations in order of the magnitude of the statistical values (e.g., maximum value or sum) of the severity of the two or more rules. In this case, the priority of the countermeasures may also be, for example, ranked in order of the magnitude of the business impact of the rule violations that the countermeasures target. If the countermeasures are for two or more rule violations, the output information generation unit 182 may rank the target rule violations in order of the magnitude of the statistical value (e.g., maximum value or sum) of the business impact of the two or more rules.
[0133] As described above, the output information generation unit 182 may generate output information (i.e., a diagnostic report) using a large-scale language model. The output information generation unit 182 may also use a large-scale language model to create information representing countermeasures (in other words, a document explaining the countermeasures) included in the output information (i.e., a diagnostic report). Specifically in this case, the output information generation unit 182 sends, for example, an instruction to create a document explaining the countermeasures (in other words, a description) and information representing the countermeasures to the LLM server 200. The LLM server 200 creates a document explaining the countermeasures (in other words, a description) according to the instruction. The LLM server 200 returns the created document to the output information generation unit 182. The output information generation unit 182 generates a diagnostic report that includes the created document (in this case, a document explaining the countermeasures). As described above, the diagnostic report may be written according to a predetermined format.
[0134] Furthermore, the section of the diagnostic report that describes the attack target devices and the business impact of such attacks will be referred to as the impact statement. The section of the diagnostic report that describes rule violations, the severity of the rule violations, or the business impact of the rule violations will also be referred to as the impact statement. In addition, the section of the diagnostic report that describes countermeasures will be referred to as the countermeasures statement.
[0135] <Output section 140> The output unit 140 outputs diagnostic result information indicating the business impact of an attack on the target device via the detected attack route. Specifically, the output unit 140 may output the output information generated by the output information generation unit 182 (i.e., the diagnostic report described above) as diagnostic result information. The output unit 140 outputs the diagnostic result (specifically, diagnostic result information) including, for example, an impact explanation and a countermeasure explanation. The output destination of the output unit 140 is, for example, a terminal device 400. In other words, the output unit 140 outputs the diagnostic result to the terminal device 400.
[0136] The diagnostic device 100 may also operate as a terminal device 400. In this case, the output destination of the output unit 140 may be, for example, an output device such as the display of the diagnostic device 100. The output unit 140 may output the diagnostic results to an output device such as the display of the diagnostic device 100.
[0137] The output unit 140 may output the diagnostic results to any other information processing device or storage device that is communicatively connected to the diagnostic device 100.
[0138] The output unit 140 may output the diagnostic results as data in a format that can be displayed on the screen. The output unit 140 may output the diagnostic results as a file in a predetermined format. The output unit 140 may output the diagnostic results as data in a format that can be displayed on the screen, and as a file in a predetermined format.
[0139] <Operation> Next, the operation of the second embodiment of this disclosure will be described in detail with reference to the drawings.
[0140] Figures 5 to 8 are flowcharts illustrating examples of the operation of the diagnostic device relating to this disclosure.
[0141] Below, an example of the operation of the diagnostic device according to the second embodiment of this disclosure will be described in detail with reference to Figures 5 to 8.
[0142] In the example shown in Figure 5, the instruction receiving unit 110 receives instruction information representing an instruction to diagnose the system to be diagnosed (step S101). Next, for example, the instruction receiving unit 110 identifies the system to be diagnosed and the content of the instructed diagnosis from the instruction information (step S102). Next, for example, the procedure control unit 150 identifies information about the configuration of the system to be diagnosed (step S103). Next, the equipment diagnosis unit 171 acquires information about the status of the devices included in the system to be diagnosed (step S104). Next, the model generation unit 160 generates a virtual model of the system to be diagnosed from the information of the system to be diagnosed (step S105). Next, for example, the information acquisition unit 125 acquires information about the use of the devices included in the system to be diagnosed (step S106). If the information storage unit 170 stores information about the use of the devices, the information acquisition unit 125 reads the information about the use of the devices from the information storage unit 170. If the information storage unit 170 does not store information about the use of the devices, the information acquisition unit 125 acquires the information about the use of the devices from a server or the like that holds the information about the use of the devices. Next, for example, the information acquisition unit 125 acquires information on the rules that the system to be diagnosed must follow (step S107). If the information storage unit 170 stores information on the rules that the system to be diagnosed must follow, the information acquisition unit 125 reads the information on the rules that the system to be diagnosed must follow from the information storage unit 170. If the information storage unit 170 does not store information on the rules that the system to be diagnosed must follow, the information acquisition unit 125 acquires the information on the rules that the system to be diagnosed must follow from a server or other source that holds such information. Note that the rules that the system to be diagnosed must follow may be predetermined for each diagnostic system. The diagnostic device 100 then performs the operations shown in Figure 6.
[0143] In the example shown in Figure 6, first, the estimation unit 121 estimates the business impact of an attack on a target device based on information about the use of the devices included in the system to be diagnosed (step S108). Next, the identification unit 122 identifies the entry point device and the target device based on information about the configuration of the system to be diagnosed and the business impact of the devices (step S109). Next, the item generation unit 123 generates a diagnostic list, which is a list of diagnostic items representing information about possible attacks for each state, the types of risks that result from the attacks, and the conditions under which each type of risk occurs, based on information representing the content of the vulnerability of the device (step S110). Next, the requirements generation unit 124 generates a requirements list, which is a list of requirements that the system to be diagnosed must satisfy, based on information about the rules that the system to be diagnosed must follow, using a large-scale language model (step S111).
[0144] Then, the detection unit 130 uses information about the configuration of the system to be diagnosed and the attack scenario to detect an attack route, which is a route through which an attack from the entry point device to the target device can be successfully carried out (step S112). The diagnostic device 100 then performs the operations shown in Figure 7.
[0145] In the example shown in Figure 7, the diagnostic result estimation unit 180 performs a diagnosis to determine whether the system to be diagnosed meets the conditions of the diagnostic items included in the diagnosis list (step S113). The diagnostic result estimation unit 180 further performs a diagnosis to determine whether the system to be diagnosed meets the requirements included in the requirements list (step S114). Using the diagnostic results obtained in steps S113 and S114, the diagnostic result estimation unit 180 determines the risks that would result from a successful attack on the target device via the detected attack route (step S115). This risk can also be rephrased as the damage described above. The diagnostic result estimation unit 180 estimates the business impact based on the determined risks and the state of the system to be diagnosed as indicated by the diagnostic results (step S116). In step S116, the diagnostic result estimation unit 180 estimates the business impact of an attack on a target device that can be attacked via the detected attack route, and the business impact of rule violations resulting from a successful attack and rule violations in the state of the system to be diagnosed.
[0146] Next, the countermeasure identification unit 181 identifies countermeasures that will change the state of the system being diagnosed, as indicated by the diagnosis results, so that attacks via the detected attack route do not succeed (step S117).
[0147] Next, the output information generation unit 182 generates a countermeasure explanation text that describes the countermeasures (step S118). The diagnostic device 100 then performs the operations shown in Figure 8.
[0148] In the example shown in Figure 8, the output information generation unit 182 generates an impact explanation statement describing the business impact (step S119). Note that the diagnostic device 100 may perform the operation in step S118 of Figure 7 after the operation in step S119 of Figure 8.
[0149] Then, the output unit 140 outputs the diagnostic results, which are information indicating the impact explanation and the countermeasure explanation (step S120).
[0150] <Effects> The embodiment described above has the same effects as the first embodiment. The reason for this is the same as the reason for the effects of the first embodiment.
[0151] <Modified form of the second embodiment> Next, a modified example of the second embodiment of this disclosure will be described in detail with reference to the drawings.
[0152] <Structure> Figure 9 is a block diagram showing an example of the configuration of the diagnostic device relating to this disclosure.
[0153] In the following section, the configuration of a diagnostic device according to a modified example of the second embodiment of this disclosure will be described in detail with reference to Figure 9.
[0154] The diagnostic device 101 shown in Figure 9 includes a selection information acquisition unit 111 in addition to the components of the diagnostic device 100 shown in Figure 4. The components of the diagnostic device 101 shown in Figure 9 are the same as those of the diagnostic device 100 shown in Figure 4, except for the differences described below, which are assigned the same names and reference numerals.
[0155] <Output information generation unit 182> In this modified example, the output information generation unit 182 generates a screen representing the configuration of the system to be diagnosed (for example, a screen including a display representing the devices included in the system to be diagnosed and a display representing the connections between the devices included in the system to be diagnosed). The display representing the devices included in the system to be diagnosed is represented, for example, by at least one of a graphic and / or character indicating the device. The display representing the connections between the devices included in the system to be diagnosed is represented, for example, by lines connecting the displays representing the devices. In this screen, the display indicating the target device may be shown in a different manner from the display indicating a device that is not the target device. The manner of the display representing a device may be, for example, color, pattern, line thickness, line type, etc.
[0156] <Output section 140> In this modified example, the output unit 140 outputs the screen generated by the output information generation unit 182, in addition to the diagnostic result information, to the destination information processing device (e.g., terminal device 400). In this modified example, the output unit 140 may also output the screen generated by the output information generation unit 182 to the destination information processing device (e.g., terminal device 400) as the diagnostic result.
[0157] <Selection Information Acquisition Unit 111> The selection information acquisition unit 111 receives selection information, which is information indicating an attack target device specified by an input device such as a mouse or touch panel of the information processing device (for example, terminal device 400) to which the screen is output, on the screen output by the output unit 140.
[0158] Furthermore, if the procedure control unit 150 obtains selection information indicating the selected attack target device from the selection information acquisition unit 111, it may send an instruction to the output information generation unit 182 to generate output information overlaid with a display showing the business impact if the attack on the selected attack target device is successful.
[0159] In response to the selection information, the output information generation unit 182 generates the above-described screen representing the configuration of the system to be diagnosed, with information on the business impact resulting from an attack on the target device indicated by the selection information superimposed on it. In other words, the output information generation unit 182 updates the screen so that information on the business impact resulting from an attack on the target device indicated by the selection information is superimposed on it.
[0160] The output unit 140 outputs the updated screen to the destination information processing device (for example, the terminal device 400).
[0161] <Operation> Figures 5 to 7 and Figure 10 are flowcharts illustrating examples of the operation of the diagnostic device according to this disclosure.
[0162] In the following, the operation of a diagnostic device according to a modified example of the second embodiment of this disclosure will be described in detail with reference to Figures 5 to 7 and Figure 10.
[0163] The operation of the diagnostic device 101 in this modified example, as shown in Figures 5 to 7, is the same as the operation of the diagnostic device 100 in the second embodiment, as shown in Figures 5 to 7.
[0164] The operations of steps S119 and S120 in Figure 10 of this modified example are the same as the operations of steps S119 and S120 of the diagnostic device 100 of the second embodiment shown in Figure 8. In step S120, the output unit 140 may output the diagnostic result as a file in a predetermined format. The output unit 140 does not have to perform the operation of step S120.
[0165] Following the operation in step S120, the output information generation unit 182 generates a screen representing the configuration of the system to be diagnosed, showing the entry point device, the attack target device, and the attack route (step S121). Next, the output unit 140 outputs the generated screen (step S122).
[0166] Figure 11 is a flowchart illustrating an example of the operation of the diagnostic device according to this disclosure when it receives selection information.
[0167] In the following section, the operation of the diagnostic device according to a modified version of the second embodiment of this disclosure when it receives selection information will be described in detail with reference to Figure 11. The diagnostic device 101 of this modified version performs the operation shown in Figure 11 after the operation of step S122 shown in Figure 10.
[0168] In the example shown in Figure 11, the selection information acquisition unit 111 receives selection information indicating the attack target device selected on a screen representing the configuration of the system to be diagnosed (step S131). The selection information acquisition unit 111 identifies the attack target device indicated by the selection information (step S132).
[0169] The output information generation unit 182 generates a screen in which information about the business impact of an attack on a identified target device is superimposed (step S133).
[0170] The output unit 140 outputs the generated screen (step S134).
[0171] Next, for example, the selection information acquisition unit 111 receives the following instruction (step S135). The next instruction is, for example, an instruction to terminate or selection information. If an instruction to terminate is not received (NO in step S136), the diagnostic device 101 repeats the operation from step S131 onwards.
[0172] If a termination instruction is received (YES in step S136), the diagnostic device 101 terminates the operation shown in Figure 11.
[0173] <Other Embodiments> The diagnostic device relating to this disclosure can be implemented by a computer that includes a memory into which a program read from a storage medium is loaded, and a processor that executes that program. The diagnostic device relating to this disclosure can also be implemented by dedicated hardware. The diagnostic device relating to this disclosure can also be implemented by a combination of the aforementioned computer and dedicated hardware.
[0174] Figure 12 is a diagram showing an example of the hardware configuration of a computer 1000 that can realize the diagnostic device according to this disclosure. In the example shown in Figure 12, the computer 1000 includes a processor 1001, memory 1002, storage device 1003, and an I / O (Input / Output) interface 1004. The computer 1000 can also access a storage medium 1005. Memory 1002 and storage device 1003 are, for example, RAM (Random Access Memory) or a hard disk. Storage medium 1005 is, for example, a storage device such as RAM or a hard disk, ROM (Read Only Memory), or a portable storage medium. Storage device 1003 may also be storage medium 1005. The processor 1001 can read and write data and programs to and from memory 1002 and storage device 1003. The processor 1001 can access, for example, an LLM server 200, etc., via the I / O interface 1004. The processor 1001 can access the storage medium 1005. The storage medium 1005 stores a program that causes the computer 1000 to operate as a diagnostic device according to this disclosure.
[0175] The processor 1001 loads a program stored in the storage medium 1005 into the memory 1002 that causes the computer 1000 to operate as a diagnostic device according to this disclosure. Then, the processor 1001 executes the program loaded into the memory 1002, causing the computer 1000 to operate as a diagnostic device according to this disclosure. The instruction receiving unit 110, the selection information acquisition unit 111, the diagnostic parameter generation unit 120, the detection unit 130, the output unit 140, the procedure control unit 150, the model generation unit 160, the equipment diagnostic unit 171, the diagnostic result estimation unit 180, the countermeasure identification unit 181, and the output information generation unit 182 can be implemented, for example, by a processor 1001 that executes a program loaded into memory 1002. The estimation unit 121, the identification unit 122, the item generation unit 123, the requirement generation unit 124, and the information acquisition unit 125 can be implemented, for example, by a processor 1001 that executes a program loaded into memory 1002. The information storage unit 170 can be implemented by a storage device 1003 such as memory 1002 or a hard disk drive included in the computer 1000. Some or all of the instruction receiving unit 110, selection information acquisition unit 111, diagnostic parameter generation unit 120, detection unit 130, output unit 140, procedure control unit 150, model generation unit 160, information storage unit 170, equipment diagnostic unit 171, diagnostic result estimation unit 180, countermeasure identification unit 181, and output information generation unit 182 can be realized by dedicated circuits that realize the functions of each unit. Some or all of the estimation unit 121, identification unit 122, item generation unit 123, requirement generation unit 124, and information acquisition unit 125 can be realized by dedicated circuits that realize the functions of each unit.
[0176] Furthermore, some or all of the above embodiments may also be described as follows, but are not limited to these.
[0177] (Note 1) An estimation means for estimating the business impact, which is the magnitude of the impact on business operations caused by an attack on a device included in the system to be diagnosed, based on information about the use of the device, A means for identifying intrusion devices that could be entry points and attack target devices that could be targets of attacks, based on information about the configuration of the system to be diagnosed and the business impact of the devices, A detection means for detecting an attack route, which is a route in which an attack can be successfully carried out from the entry point device to the target device, using information on the configuration of the system to be diagnosed, information on the state of the device, and information on successful attacks for each state, An output means that outputs diagnostic information indicating the business impact resulting from the attack on the target device via the detected attack route, A diagnostic device equipped with the following features.
[0178] (Note 2) The output means outputs the diagnostic result information, including the information about the attack route. The diagnostic device described in Appendix 1.
[0179] (Note 3) The state of the device includes the vulnerability state of the device and the configuration state of the device. The device comprises an item generation means that generates a diagnostic list, which is a list of diagnostic items representing information indicating a possible attack for each state, the type of risk caused by the attack, and the conditions under which the risk for each type of risk occurs, from information representing the content of the vulnerability of the device, The detection means detects the attack route using the status of the device and the diagnostic list. The diagnostic device is Diagnostic result estimation means that estimates the diagnostic result, which indicates the business impact due to the risk resulting from a successful attack on the target device via the detected attack route, using the diagnostic list. A diagnostic device as described in Appendix 1 or 2, comprising the above.
[0180] (Note 4) The output means outputs a screen showing the configuration of the system to be diagnosed, in which the entry point device and the attack target device are indicated. The diagnostic device includes selection information acquisition means for acquiring selection information indicating the attack target device selected on the screen, The output means outputs the screen on which information regarding the business impact resulting from an attack on the target device indicated by the selection information is superimposed. The diagnostic device described in Appendix 1 or 2.
[0181] (Note 5) The detection means detects the attack route by using information about the configuration of the system to be diagnosed to perform a simulation of an attack from the entry point device to the target device. The diagnostic device described in Appendix 1 or 2.
[0182] (Note 6) Instruction receiving means for receiving instructions on the content of the aforementioned business impact Equipped with, The estimation means estimates the business impact of the content. The diagnostic device described in Appendix 1 or 2.
[0183] (Note 7) The instructions described above include the amount of damages, The information regarding the use of the device includes the products related to the shipment of the device and sales information for those products. The estimation means estimates the business impact, when the instruction of the content is the amount of damage, to include the magnitude of the decrease in sales of the product related to the shipment of the target device. The diagnostic device described in Appendix 6.
[0184] (Note 8) The instructions described above include the amount of damages, The information regarding the use of the device includes information about the stored information that the device stores, and information about the estimated amount of damage caused by the leakage of the stored information in the event that the stored information is leaked. The estimation means estimates the business impact when the instruction of the content is the amount of damage, including the magnitude of the estimated damage due to the leakage of the stored information of the target device in the event that the stored information of the target device is leaked as a result of the attack on the target device. The diagnostic device described in Appendix 6.
[0185] (Note 9) Instructions in the above content include rule violations, The estimation means estimates the business impact when the instruction of the content violates the rule, including information on the rule that is violated among one or more rules that the system under diagnosis should follow, in the state of the device of the system under diagnosis. The diagnostic device described in Appendix 6.
[0186] (Note 10) The information regarding the use of the device includes the stored information which is stored in the device. The estimation means estimates the business impact, including information on the rules that would be violated if the stored information of the target device were leaked as a result of an attack on the target device. The diagnostic device described in Appendix 9.
[0187] (Note 11) Requirements generation means that generates a list of requirements that the system to be diagnosed must satisfy, using a large-scale language model based on information about the rules that the system to be diagnosed must follow. Equipped with, The estimation means estimates whether the requirements included in the list are met based on the configuration of the system to be diagnosed and the state of the device, and estimates the rule that is violated based on the information of the requirements that are not met. The diagnostic device described in Appendix 9.
[0188] (Note 12) The system includes a model generation means that generates a virtual model representing the system to be diagnosed from the configuration information of the system to be diagnosed and the information of the device, The estimation means estimates the diagnostic result using the virtual model. The diagnostic device described in Appendix 1 or 2.
[0189] (Note 13) The system includes output information generation means that uses a large-scale language model to generate a result explanation text, which is a sentence that explains the diagnosis result, from the diagnosis result, The output means outputs the diagnostic result information, including the result explanation. The diagnostic device described in Appendix 1 or 2.
[0190] (Note 14) Countermeasure Identification Means: Using information on countermeasures to change the state of the device so that an attack on the target device via the attack route to the target device is unsuccessful, countermeasures to change the state of the device included in the attack route to the target device so that an attack via the attack route to the target device is unsuccessful are identified as countermeasures against the target device. Equipped with, The output information generation means generates a countermeasure explanation text, which is a text explaining the countermeasures against the attack target device, using the large-scale language model. The output means outputs diagnostic result information, which further includes the explanation of the countermeasures for the countermeasures for the attack target device, in order of the magnitude of the business impact if the attack target device were attacked. The diagnostic device described in Appendix 13.
[0191] (Note 15) Based on information about the intended use of the devices included in the system being diagnosed, the business impact, which is the magnitude of the impact on business operations if the devices are attacked, is estimated. Based on the information regarding the configuration of the system to be diagnosed and the business impact of the device, the device is identified as an entry point device that could be an entry point and an attack target device that could be an attack target. Using the information on the configuration of the system to be diagnosed, the information on the status of the device, and the information on successful attacks for each status, an attack route is detected, which is a route on which an attack from the entry point device to the target device can be successfully carried out. The system outputs diagnostic information indicating the business impact resulting from the attack on the target device via the detected attack route. Diagnostic methods.
[0192] (Note 16) The diagnostic results information, including the information on the attack route, is output. The diagnostic method described in Appendix 15.
[0193] (Note 17) The state of the device includes the vulnerability state of the device and the configuration state of the device. From the information representing the nature of the vulnerability of the device, a diagnostic list is generated, which is a list of diagnostic items representing information indicating a possible attack for each state, the type of risk caused by the attack, and the conditions under which the risk for each type occurs. Using the status of the device and the diagnostic list, the attack route is detected. The diagnostic results, which indicate the business impact resulting from the risk arising from a successful attack on the target device via the detected attack route, are estimated using the diagnostic list. The diagnostic method described in Appendix 15 or 16.
[0194] (Note 18) The system outputs a screen showing the configuration of the system to be diagnosed, with the entry point device and the attack target device indicated. The selection information indicating the attack target device selected on the screen is obtained, The screen is output with information superimposed on it regarding the business impact resulting from an attack on the target device indicated by the selected information. The diagnostic method described in Appendix 15 or 16.
[0195] (Note 19) The attack route is detected by performing a simulation of an attack from the entry point device to the target device using the configuration information of the system to be diagnosed. The diagnostic method described in Appendix 15 or 16.
[0196] (Note 20) We have received instructions regarding the content of the aforementioned business impact. The business impact of the above content is estimated. The diagnostic method described in Appendix 15 or 16.
[0197] (Note 21) The instructions described above include the amount of damages, The information regarding the use of the device includes the products related to the shipment of the device and sales information for those products. If the instruction described above is the amount of damage, the business impact will be estimated to include the magnitude of the decrease in sales of the products related to the shipment of the attack target device. The diagnostic method described in Appendix 20.
[0198] (Note 22) The instructions described above include the amount of damages, The information regarding the use of the device includes information about the stored information that the device stores, and information about the estimated amount of damage caused by the leakage of the stored information in the event that the stored information is leaked. If the instruction described above is the amount of damage, the business impact is estimated to include the magnitude of the estimated damage caused by the leakage of the stored information of the target device, in the event that the stored information of the target device is leaked as a result of the attack on the target device. The diagnostic method described in Appendix 20.
[0199] (Note 23) Instructions in the above content include rule violations, If the instructions described above violate the rules, the business impact is estimated to include information about the rule being violated among one or more rules that the system under diagnosis should follow, given the state of the device under diagnosis. The diagnostic method described in Appendix 20.
[0200] (Note 24) The information regarding the use of the device includes the stored information which is stored in the device. The business impact is estimated, including information on the rules that would be violated if the stored information of the target device were leaked as a result of an attack on the target device. The diagnostic method described in Appendix 23.
[0201] (Note 25) From the information of the rules that the system to be diagnosed must follow, a list of requirements that the system to be diagnosed must satisfy is generated using a large-scale language model. Based on the configuration of the system to be diagnosed and the state of the device, it is estimated whether the requirements included in the list are met, and from the information of the requirements that are not met, the rule that is violated is estimated. The diagnostic method described in Appendix 23.
[0202] (Note 26) A virtual model representing the system to be diagnosed is generated from the information on the configuration of the system to be diagnosed and the information on the device. The aforementioned virtual model is used to estimate the diagnostic result. The diagnostic method described in Appendix 15 or 16.
[0203] (Note 27) Using a large-scale language model, a result explanation text, which is a sentence that explains the diagnosis result, is generated from the diagnosis result. Output the diagnostic results information, including the aforementioned explanation of the results. The diagnostic method described in Appendix 15 or 16.
[0204] (Note 28) Using information on countermeasures to change the state of the device so that an attack that could succeed in the aforementioned state does not succeed, countermeasures to change the state of the device included in the attack route to the target device so that an attack via the attack route to the target device does not succeed are identified as countermeasures against the target device. Using the aforementioned large-scale language model, a countermeasure explanation document is generated, which is a text describing the countermeasures against the attack target device. The diagnostic results output information that further includes the explanation of the countermeasures for the countermeasures for the attack target device, in order of the magnitude of the business impact if the attack target device is attacked. The diagnostic method described in Appendix 27.
[0205] (Note 29) An estimation process that estimates the business impact, which is the magnitude of the impact on business operations caused by an attack on a device included in the system to be diagnosed, based on information about the use of the device. Based on the information on the configuration of the system to be diagnosed and the business impact of the device, an identification process is performed to identify intrusion devices that could be entry points and attack target devices that could be targets of attacks. A detection process that uses information about the configuration of the system to be diagnosed, information about the state of the device, and information about successful attacks for each state to detect an attack route which is a route in which an attack from the entry point device to the target device can be successful, Output processing that outputs diagnostic results indicating the business impact caused by the attack on the target device via the detected attack route, A program that causes a computer to execute something.
[0206] (Note 30) The output process outputs the diagnostic result information, including the information about the attack route. The program described in Appendix 29.
[0207] (Note 31) The state of the device includes the vulnerability state of the device and the configuration state of the device. The aforementioned program, The computer is instructed to perform an item generation process to generate a diagnostic list, which is a list of diagnostic items representing information indicating a possible attack for each state, the type of risk caused by the attack, and the conditions under which the risk for each type occurs, based on information representing the nature of the vulnerability of the device. The detection process uses the status of the device and the diagnostic list to detect the attack route. The aforementioned program, Diagnostic result estimation process: Using the diagnostic list, estimates the diagnostic result that indicates the business impact due to the risk resulting from a successful attack on the target device via the detected attack route. A program described in Appendix 29 or 30 that causes a computer to execute.
[0208] (Note 32) The output process outputs a screen representing the configuration of the system to be diagnosed, showing the entry point device and the attack target device. The program causes the computer to perform a selection information acquisition process to acquire selection information indicating the attack target device selected on the screen. The output process outputs the screen on which information regarding the business impact resulting from an attack on the target device indicated by the selection information is superimposed. The program described in Appendix 29 or 30.
[0209] (Note 33) The detection process detects the attack route by using information about the configuration of the system to be diagnosed to perform a simulation of an attack from the entry point device to the target device. The program described in Appendix 29 or 30.
[0210] (Note 34) The aforementioned program, Instruction receiving process for receiving instructions regarding the content of the aforementioned business impact. Have the computer run it, The estimation process estimates the business impact of the above content. The program described in Appendix 29 or 30.
[0211] (Note 35) The instructions described above include the amount of damages, The information regarding the use of the device includes the products related to the shipment of the device and sales information for those products. The estimation process estimates the business impact, when the instruction for the content is the amount of damage, including the magnitude of the decrease in sales of the products related to the shipment of the attack target device. The program described in Appendix 34.
[0212] (Note 36) The instructions described above include the amount of damages, The information regarding the use of the device includes information about the stored information that the device stores, and information about the estimated amount of damage caused by the leakage of the stored information in the event that the stored information is leaked. The estimation process estimates the business impact when the instruction for the content is the amount of damage, including the magnitude of the estimated damage due to the leakage of the stored information of the target device, in the case where the stored information of the target device is leaked as a result of the attack on the target device. The program described in Appendix 34.
[0213] (Note 37) Instructions in the above content include rule violations, The estimation process estimates the business impact when the instruction of the content violates the rule, including information on the rule that is violated among one or more rules that the system under diagnosis should follow, in the state of the device of the system under diagnosis. The program described in Appendix 34.
[0214] (Note 38) The information regarding the use of the device includes the stored information which is stored in the device. The estimation process estimates the business impact, including information on the rules that would be violated if the stored information of the target device were leaked as a result of an attack on the target device. The program described in Appendix 37.
[0215] (Note 39) The aforementioned program, Requirements generation process: Using a large-scale language model, generates a list of requirements that the system under diagnosis must satisfy, based on the information of the rules that the system under diagnosis must follow. Have the computer run it, The estimation process estimates whether the requirements included in the list are met based on the configuration of the system to be diagnosed and the state of the device, and estimates the rule that is violated based on the information of the requirements that are not met. The program described in Supplementary Note 37.
[0216] (Supplementary Note 40) The program causes a computer to perform a model generation process of generating a virtual model representing the diagnostic target system from information on the configuration of the diagnostic target system and information on the device. and the estimation process estimates the diagnostic result using the virtual model. The program described in Supplementary Note 29 or 30.
[0217] (Supplementary Note 41) The program causes a computer to perform an output information generation process of generating a result explanation text, which is a text explaining the diagnostic result from the diagnostic result, using a large language model, and the output process outputs information on the diagnostic result including the result explanation text. The program described in Supplementary Note 29 or 30.
[0218] (Supplementary Note 42) The program uses information on countermeasures for changing the state so that an attack on the device that can succeed in the state does not succeed, and specifies, as a countermeasure for the attack target device, a countermeasure for changing the state of the device included in the attack route to the attack target device so that an attack via the attack route to the attack target device does not succeed. This is a countermeasure specifying process and causes a computer to perform the output information generation process generates a countermeasure explanation text, which is a text explaining the countermeasure for the attack target device, using the large language model, and the output process outputs information on the diagnostic result further including the countermeasure explanation text of the countermeasure for the attack target device in the order of the magnitude of the business impact when the attack target device is attacked. The program described in Supplementary Note 41.
[0219] Although the present disclosure has been described with reference to the embodiments, the present disclosure is not limited to the above embodiments. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present disclosure within the scope of the present disclosure.
Explanation of Signs
[0220] 1 Diagnostic system 10 Diagnostic device 100 Diagnostic device 101 Diagnostic device 110 Instruction reception unit 111 Selection information acquisition unit 120 Diagnostic parameter generation unit 121 Estimation unit 122 Identification unit 123 Item generation unit 124 Requirement generation unit 125 Information acquisition unit 130 Detection unit 140 Output unit 150 Procedure control unit 160 Model generation unit 170 Information storage unit 171 Equipment diagnosis unit 180 Diagnostic result estimation unit 181 Countermeasure identification unit 182 Output information generation unit 200 LLM server 300 Communication network 400 Terminal device 1000 Computer 1001 Processor 1002 Memory 1003 Storage device 1004 I / O interface 1005 Storage medium
Claims
1. An estimation means for estimating the business impact, which is the magnitude of the impact on business operations caused by an attack on a device included in the system to be diagnosed, based on information about the use of the device, A means for identifying intrusion devices that could be entry points and attack target devices that could be targets of attacks, based on information about the configuration of the system to be diagnosed and the business impact of the devices, A detection means for detecting an attack route, which is a route in which an attack can be successfully carried out from the entry point device to the target device, using information on the configuration of the system to be diagnosed, information on the state of the device, and information on successful attacks for each state, An output means that outputs diagnostic information indicating the business impact resulting from the attack on the target device via the detected attack route, A diagnostic device equipped with the following features.
2. The output means outputs the diagnostic result information, including the information about the attack route. The diagnostic device according to claim 1.
3. The state of the device includes the vulnerability state of the device and the configuration state of the device. The device comprises an item generation means that generates a diagnostic list, which is a list of diagnostic items representing information indicating a possible attack for each state, the type of risk caused by the attack, and the conditions under which the risk for each type occurs, from information representing the content of the vulnerability of the device. The detection means detects the attack route using the status of the device and the diagnostic list. The diagnostic device is Diagnostic result estimation means that estimates the diagnostic result, which indicates the business impact due to the risk resulting from a successful attack on the target device via the detected attack route, using the diagnostic list. A diagnostic device according to claim 1 or 2, comprising:
4. The output means outputs a screen showing the configuration of the system to be diagnosed, in which the entry point device and the attack target device are indicated. The diagnostic device includes selection information acquisition means for acquiring selection information indicating the attack target device selected on the screen, The output means outputs the screen on which information regarding the business impact resulting from an attack on the target device indicated by the selection information is superimposed. The diagnostic device according to claim 1 or 2.
5. The detection means detects the attack route by using information about the configuration of the system to be diagnosed to perform a simulation of an attack from the entry point device to the target device. The diagnostic device according to claim 1 or 2.
6. Instruction receiving means for receiving instructions on the content of the aforementioned business impact Equipped with, The estimation means estimates the business impact of the content. The diagnostic device according to claim 1 or 2.
7. The instructions described above include the amount of damages, The information regarding the use of the device includes the products related to the shipment of the device and sales information for those products. The estimation means estimates the business impact, when the instruction of the content is the amount of damage, to include the magnitude of the decrease in sales of the product related to the shipment of the target device. The diagnostic device according to claim 6.
8. The instructions described above include the amount of damages, The information regarding the use of the device includes information about the stored information that the device stores, and information about the estimated amount of damage caused by the leakage of the stored information in the event that the stored information is leaked. The estimation means estimates the business impact when the instruction of the content is the amount of damage, including the magnitude of the estimated damage due to the leakage of the stored information of the target device, in the case where the stored information of the target device is leaked as a result of the attack on the target device. The diagnostic device according to claim 6.
9. Instructions in the above content include rule violations, The estimation means estimates the business impact when the instruction of the content violates the rule, including information on the rule that is violated among one or more rules that the system under diagnosis should follow, in the state of the device of the system under diagnosis. The diagnostic device according to claim 6.
10. The information regarding the use of the device includes the stored information which is stored in the device. The estimation means estimates the business impact, including information on the rules that would be violated if the stored information of the target device were leaked as a result of an attack on the target device. The diagnostic device according to claim 9.
11. Requirements generation means that generates a list of requirements that the system to be diagnosed must satisfy, using a large-scale language model based on information about the rules that the system to be diagnosed must follow. Equipped with, The estimation means estimates whether the requirements included in the list are met based on the configuration of the system to be diagnosed and the state of the device, and estimates the rule that is violated based on the information of the requirements that are not met. The diagnostic device according to claim 9.
12. The system includes a model generation means that generates a virtual model representing the system to be diagnosed from the configuration information of the system to be diagnosed and the information of the device, The estimation means estimates the diagnostic result using the virtual model. The diagnostic device according to claim 1 or 2.
13. The system includes output information generation means that uses a large-scale language model to generate a result explanation text, which is a sentence that explains the diagnosis result, from the diagnosis result, The output means outputs the diagnostic result information, including the result explanation. The diagnostic device according to claim 1 or 2.
14. Countermeasure Identification Means: Using information on countermeasures to change the state of the device so that an attack on the target device via the attack route to the target device is unsuccessful, countermeasures to change the state of the device included in the attack route to the target device so that an attack via the attack route to the target device is unsuccessful are identified as countermeasures against the target device. Equipped with, The output information generation means generates a countermeasure explanation text, which is a text explaining the countermeasures against the attack target device, using the large-scale language model. The output means outputs diagnostic result information, which further includes the explanation of the countermeasures for the countermeasures for the attack target device, in order of the magnitude of the business impact if the attack target device were attacked. The diagnostic device according to claim 13.
15. Based on information about the intended use of the devices included in the system being diagnosed, the business impact, which is the magnitude of the impact on business operations if the devices are attacked, is estimated. Based on the information regarding the configuration of the system to be diagnosed and the business impact of the device, the device is identified as an entry point device that could be an entry point and an attack target device that could be an attack target. Using the information on the configuration of the system to be diagnosed, the information on the status of the device, and the information on successful attacks for each status, an attack route is detected, which is a route on which an attack from the entry point device to the target device can be successfully carried out. The system outputs diagnostic information indicating the business impact resulting from the attack on the target device via the detected attack route. Diagnostic methods.
16. An estimation process that estimates the business impact, which is the magnitude of the impact on business operations caused by an attack on a device included in the system to be diagnosed, based on information about the use of the device. Based on the information on the configuration of the system to be diagnosed and the business impact of the device, an identification process is performed to identify intrusion devices that could be entry points and attack target devices that could be targets of attacks. A detection process that uses information about the configuration of the system to be diagnosed, information about the state of the device, and information about successful attacks for each state to detect an attack route which is a route in which an attack from the entry point device to the target device can be successful, Output processing that outputs diagnostic results indicating the business impact caused by the attack on the target device via the detected attack route, A program that causes a computer to execute something.