Information display device, information display method, and program
The information presentation device and method address the lack of clear tool usage instructions in cyberattack tests by using an LLM to guide operators, enhancing the effectiveness of cyberattack tests.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- NEC CORP
- Filing Date
- 2024-12-18
- Publication Date
- 2026-06-30
Smart Images

Figure 2026106844000001_ABST
Abstract
Description
Technical Field
[0001] The present disclosure relates to an information presentation device, an information presentation method, and a program.
Background Art
[0002] As the importance of cyber security increases, the demand for cyber attack tests is growing. In ordinary cyber attack tests, due to the complexity of the system and the diversity of attack methods, it is difficult to document attack procedures. Therefore, it was not possible to provide operators with specific attack procedures according to the target system and security tools, along with specific attack methods. As a result, when unskilled operators conducted cyber attack tests, there was a possibility that vulnerabilities in the system that should have been pointed out were overlooked.
[0003] Patent Document 1 discloses an information processing device aimed at comprehensively extracting attack paths assumed in a target system and deriving attack cases for each device that enables each attack path. The device of Patent Document 1 extracts attack paths from a list of the device group in the system and the connection relationship. The device of Patent Document 1 stores past attack cases in association with attack purposes and node conditions. The device of Patent Document 1 searches for attack cases based on the node conditions of each device on the extracted attack path.
Prior Art Documents
Patent Documents
[0004]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0005] The method described in Patent Document 1 failed to provide operators with instructions on how to use security tools to implement the next attack method. Therefore, when using the method described in Patent Document 1, operators with low skill levels may not know how to use security tools to implement the next attack method.
[0006] The purpose of this disclosure is to provide an information presentation device, an information presentation method, and a program that can present information on how to use security tools to implement attack methods to workers conducting cyberattack tests. [Means for solving the problem]
[0007] An information presentation device in one aspect of this disclosure includes: an acquisition unit that acquires attack data including attack methods in cyberattack tests; a search unit that searches for how to use security tools associated with attack methods; a generation unit that generates instructions requesting the presentation of attack instructions using the searched methods for using security tools; and an output unit that outputs attack instruction data including attack instructions output from a model in response to the input of instructions.
[0008] In one aspect of the information presentation method of this disclosure, a computer acquires attack data including attack methods in a cyberattack test, searches for how to use security tools associated with the attack methods, generates instructions requesting the presentation of attack instructions using the searched security tool usage instructions, and outputs attack instruction data including attack instructions output from a model in response to the input of instructions.
[0009] A program in one aspect of this disclosure causes a computer to perform the following processes: acquiring attack data including attack methods in a cyberattack test; searching for how to use security tools associated with attack methods; generating instructions requesting the presentation of attack instructions using the searched methods for using security tools; and outputting attack instruction data including attack instructions output from a model in response to the input of instructions. [Effects of the Invention]
[0010] According to this disclosure, it will be possible to provide an information presentation device, an information presentation method, and a program that can show workers conducting cyberattack tests how to use security tools to implement attack methods. [Brief explanation of the drawing]
[0011] [Figure 1] This block diagram shows an example of a configuration related to an information presentation device in this disclosure. [Figure 2] This block diagram shows an example of the configuration of an information presentation device in this disclosure. [Figure 3] This is a conceptual diagram showing an example of a user interface that accepts the selection of an attack method displayed on the screen of a terminal device in this disclosure. [Figure 4] This table shows an example of tool information stored in a database referenced by the information presentation device in this disclosure. [Figure 5] This is a conceptual diagram showing an example of a prompt generated by the information presentation device in this disclosure. [Figure 6] This is a conceptual diagram showing an example of how attack instruction information included in attack instruction data output from the information presentation device in this disclosure is displayed. [Figure 7] This flowchart shows an example of the operation of the information presentation device in this disclosure. [Figure 8] This flowchart shows an example of the attack instruction information generation process by the information presentation device in this disclosure. [Figure 9] This block diagram shows an example of the configuration of an information presentation device in this disclosure. [Figure 10] This table shows an example of attack history information stored in the database referenced by the information presentation device in this disclosure. [Figure 11] This is a conceptual diagram showing an example of a prompt generated by the information presentation device in this disclosure. [Figure 12]It is a conceptual diagram showing an example of display of attack instruction information included in attack instruction data output from an information presentation device in the present disclosure. [Figure 13] It is a flowchart showing an example of the operation of an information presentation device in the present disclosure. [Figure 14] It is a flowchart showing an example of attack instruction information generation processing by an information presentation device in the present disclosure. [Figure 15] It is a block diagram showing an example of the configuration of an information presentation device in the present disclosure. [Figure 16] It is a conceptual diagram showing an example of attack data acquired by an information presentation device in the present disclosure. [Figure 17] It is a conceptual diagram showing an example of a prompt generated by an information presentation device in the present disclosure. [Figure 18] It is a conceptual diagram showing an example of display of attack instruction information included in attack instruction data output from an information presentation device in the present disclosure. [Figure 19] It is a flowchart showing an example of the operation of an information presentation device in the present disclosure. [Figure 20] It is a flowchart showing an example of attack instruction information generation processing by an information presentation device in the present disclosure. [Figure 21] It is a block diagram showing an example of the configuration of an information presentation device in the present disclosure. [Figure 22] It is a flowchart showing an example of the operation of an information presentation device in the present disclosure. [Figure 23] It is a block diagram showing an example of a hardware configuration for executing processing in the present disclosure.
Embodiments for Carrying Out the Invention
[0012] The embodiments for carrying out this disclosure will be described below with reference to the drawings. In this disclosure, the drawings used in the description of each embodiment are associated with one or more embodiments. Also, the elements included in each drawing may apply to one or more embodiments. The embodiments described below have technically preferred limitations for carrying out this disclosure, but the scope of the disclosure is not limited thereto. In all the drawings used in the description of the embodiments below, the same parts are denoted by the same reference numerals unless there is a specific reason not to. In the embodiments below, repeated descriptions of similar configurations and operations may be omitted. The direction of the arrows in the drawings is an example of the flow of signals, data, etc., and does not limit the flow of signals, data, etc.
[0013] (First Embodiment) First, the information presentation device according to the first embodiment will be described with reference to the drawings. The information presentation device of this embodiment presents to an operator performing a penetration test, which is one type of cyberattack test, how to use the tools for performing the attack method. A cyberattack test is a test in which a simulated cyberattack is performed on a target system. Cyberattack tests are sometimes performed to evaluate the security of a target system. A cyberattack test is a higher-level concept than penetration tests or vulnerability assessments. Penetration tests are also referred to as intrusion tests. In this embodiment, the tools used in penetration tests are also called security tools. For example, the tools used in penetration tests are also referred to as penetration testing tools or attack simulation tools. For example, a security tool may be a dedicated tool for performing penetration tests. Alternatively, a security tool may be a tool for checking the security status, such as a port scanner or vulnerability scanner. Alternatively, a security tool may be a tool that is also used for purposes other than security, such as a web browser, terminal software, database client, or email client. In typical penetration testing, the complexity of the system and the diversity of attack methods make it difficult to document attack procedures. In this embodiment, the method of using the tools to carry out the attack method is documented and presented. Below, an example of documenting the method of using the tools using a large-scale language model is shown.
[0014] (composition) Figure 1 is a block diagram showing an example configuration related to the information presentation device in this disclosure. The information presentation device 10 is connected to the terminal device 180 and the LLM (Large Language Models) system 150 via a network such as the Internet or an intranet. The information presentation device 10 is a device that performs processing for conducting penetration testing. For example, the information presentation device 10 may have functions such as analyzing the results of penetration testing, evaluating vulnerabilities, and proposing security measures. Details of the information presentation device 10 will be described later.
[0015] Terminal device 180 is an information processing device (computer) used by the worker. Terminal device 180 provides an interface for the worker to access penetration test results and analysis information. Application software for conducting penetration tests is installed on terminal device 180. The application software installed on terminal device 180 is a security tool. The terminal device used to conduct the penetration test and the terminal device connected to the information presentation device 10 may be configured as separate devices. For example, terminal device 180 may be implemented on a cloud or server. The functions of the application software for conducting the penetration test may be built on a server or cloud accessible from terminal device 180. Terminal device 180 may be implemented by a general-purpose computer. Alternatively, terminal device 180 may be implemented by a dedicated computer for conducting penetration tests.
[0016] Terminal device 180 accepts the selection of an attack method for conducting a simulated attack against the system under evaluation. Terminal device 180 conducts a simulated attack against the system under evaluation by executing processing according to the attack method selected by the operator. Terminal device 180 outputs attack data, including the attack method selected by the operator, to the information display device 10. The attack data includes at least one attack method selected by the operator. Terminal device 180 also obtains attack instruction data from the information display device 10, including how to use the tool that executes the attack method selected by the operator. Terminal device 180 executes processing according to the attack method by using the tool that executes the attack method. For example, an attack method can be a Tactic, Technique, Procedure, or tool name. For example, an attack method may be defined as a combination of Tactic, Technique, Procedure, and tool name. Multiple attack methods executed in sequence constitute an attack step. An attack step may include specific details for each attack method. For example, specific details of an attack may include the command used in the attack, its options, and the execution result of the command.
[0017] For example, specific attack methods include network attacks, web application attacks, authentication / access control attacks, social engineering, system-level attacks, and highly targeted attacks. For example, network attacks include port scanning, man-in-the-middle attacks, denial-of-service attacks, and DNS (Domain Name System) poisoning. For example, network attacks include ARP (Address Resolution Protocol) spoofing and wireless network attacks. For example, web application attacks include SQL (Structured Query Language) injection, cross-site scripting, session hijacking, and directory traversal. For example, authentication / access control attacks include password cracking and privilege escalation. For example, social engineering includes phishing. For example, system-level attacks include buffer overflow attacks, memory corruption attacks, and reverse shells. For example, highly targeted attacks include exploiting zero-day vulnerabilities, ransomware attack simulations, and supply chain attack simulations.
[0018] The LLM system 150 is a system that performs processing using a large-scale language model (not shown). The large-scale language model (also called the model) is a deep learning model trained using a large-scale language dataset. The LLM system 150 receives text information composed of natural language and outputs text information corresponding to the content of the input text information. The LLM system 150 utilizes natural language processing technology to interpret the results of penetration tests and provides information in a more easily understandable format. In other words, the LLM system 150 converts complex security information into a format that is easy for humans to understand. For example, the LLM system 150 outputs an answer in response to a question. The LLM system 150 may also be a model capable of inputting and outputting images and audio. For example, the LLM system 150 is a general-purpose model available via an API (Application Programming Interface). The LLM system 150 may also be a dedicated model built for conducting penetration tests. There are no limitations on the type of LLM system 150 or the location where the LLM system 150 is deployed, as long as it can be accessed from the information presentation device 10.
[0019] [Information presentation device] Next, an example of the configuration of the information presentation device 10 will be described with reference to the drawings. Figure 2 is a block diagram showing an example of the configuration of the information presentation device in this disclosure. The information presentation device 10 includes an acquisition unit 11, a search unit 13, an instruction unit 15, and an output unit 17. The information presentation device 10 also includes a database 130. The database 130 may be configured outside the information presentation device 10, provided that it is accessible from the information presentation device 10. The instruction unit 15 is connected to the LLM system 150.
[0020] The acquisition unit 11 is connected to a terminal device 180 used by the worker. The acquisition unit 11 acquires attack data from the terminal device 180 used by the worker, including the next attack method selected by the worker. The attack data includes at least one attack method selected by the worker. The acquisition unit 11 may be configured to acquire the next attack method via a module for selecting attack methods. For example, the acquisition unit 11 may be configured to refer to past attack records and acquire the next attack method following a preceding attack method in order of a series of attack methods that have been executed consecutively.
[0021] Figure 3 is a conceptual diagram showing an example of a user interface that accepts the selection of an attack method displayed on the screen of the terminal device in this disclosure. The IP (Internet Protocol) address and port number of the target of the attack are displayed at the top of the screen of the terminal device 180. Text information indicating the attack work history is displayed on the screen of the terminal device 180, stating, "Attack method A was performed last time." Text information prompting the selection of the next attack method is also displayed on the screen of the terminal device 180, stating, "Please select the next attack method to perform." Furthermore, an attack selection UI (User Interface) that accepts the selection of an attack method is displayed on the screen of the terminal device 180. In the example in Figure 3, the button for attack method B, which has been selected as the next attack method, is active. A cursor for selecting the button for attack method B is hovered over the button for selecting that button. The operator can select the next attack method to perform via the user interface displayed on the screen of the terminal device 180.
[0022] Database 130 stores tool information, including how to use the tools used to carry out attack methods. This tool information includes usage instructions for each tool. Multiple tools stored in Database 130 are associated with unique usage instructions. For example, Database 130 uses a relational database management system that enables high-speed query processing and efficient management of large amounts of data. By normalizing and storing tool information using multiple tables, data integrity is maintained, and flexible searching and analysis become possible. Database 130 may be omitted if the system is configured to retrieve tool usage instructions linked to the following attack methods from an external server via the internet.
[0023] Figure 4 is a table showing an example of tool information stored in a database referenced by the information presentation device in this disclosure. Database 130 stores tool information T, which includes usage instructions for each of several tools. Tool information T includes specific usage instructions for using tools according to attack methods. Usage instructions may include, for example, the usage, man page, description, help, specifications, documentation, etc. for each tool. There are no limitations on how attack methods are expressed. For example, an attack method may be expressed as a Tactic, Technique, Procedure, or tool name.
[0024] The search unit 13 searches the database 130 for information on how to use tools associated with the following attack methods. For example, the search unit 13 may be configured to obtain information on how to use tools associated with the following attack methods from an external server via the internet.
[0025] The instruction unit 15 obtains information indicating the target of the attack and instructions on how to use the tools to be used in the next attack method to be performed against that target. The instruction unit 15 generates a prompt (also called an instruction) that instructs the system to present a method for performing the next attack method by referring to the information indicating the target of the attack and instructions on how to use the tools to be used in the next attack method to be performed against that target. The instruction unit 15 inputs the generated prompt to the LLM system 150. The functional configuration of the instruction unit 15 that generates the prompt (instruction) is also called the generation unit. For example, the instruction unit 15 may be configured to refer to external information before using the LLM system 150.
[0026] Figure 5 is a conceptual diagram showing an example of a prompt generated by the information presentation device in this disclosure. In the example in Figure 5, the tool for carrying out the following attack method is ssh. Figure 5 shows the prompt P that the information presentation device 10 inputs to the LLM system 150. Prompt P includes instructions, target information, and instructions on how to use the tool used to carry out the following attack method. In Figure 5, only a portion of the target information and instructions on how to use the tool used to carry out the following attack method are described. The instructions include the text information, "Please provide instructions on how to attack the target using ssh, referring to the information below." The target information includes the IP address and port number of the target. The instructions on how to use the tool include the explanatory text, "ssh[-1246AaCfGgKkMNnqsTtVvXxYy],..."
[0027] The instruction unit 15 acquires text information output from the LLM system 150 in response to prompt input. The text information includes specific methods for carrying out the next attack technique tailored to the target of the attack. For example, the text information may include attack instructions and commands. Attack instructions may include, for example, instructions for executing commands to use tools used to carry out the next attack technique. Depending on the tool, the attack may be carried out by operating the tool's GUI (Graphical User Interface) rather than using commands. For example, an attack may be carried out by accessing the target web system with a specific browser and entering an appropriate username and password on the login screen. Attack instructions may include, for example, the operating procedure for such a tool. Commands indicate commands to use tools used to carry out the next attack technique. For example, the text information may include a description of the command. The instruction unit 15 outputs the acquired text information to the output unit 17.
[0028] Figure 5 shows the response A output from the LLM system 150 in response to the input of prompt P. Response A includes instructions on how to use the tool to carry out the next attack, stating, "To attack the target using ssh, execute the following command." Response A also includes the command "ssh-p_2XX2_root@192.XXX.YZ". Furthermore, Response A includes a description of the command, stating, "-p is an option to specify the port number, ...".
[0029] The output unit 17 is connected to a terminal device 180 used by the operator. The output unit 17 obtains attack instruction information from the instruction unit 15, which includes text information that specifies the target of the attack and how to use the tools to carry out the next attack method. The output unit 17 outputs attack instruction data, including the obtained attack instruction information, to the terminal device 180. The attack instruction information contained in the attack instruction data output to the terminal device 180 is displayed on the screen of the terminal device 180.
[0030] Figure 6 is a conceptual diagram showing an example of the display of attack instruction information included in the attack instruction data output from the information presentation device in this disclosure. The top of the screen of terminal device 180 displays the IP (Internet Protocol) address and port number of the target of the attack. The screen of terminal device 180 displays text information indicating an attack instruction, which reads, "To attack the target using ssh, execute the following command." The screen of terminal device 180 also displays the command, "ssh_-p_2XX2_root@192.XXX.YZ." The screen of terminal device 180 also displays an explanation of the command, which reads, "p is an option to specify the port number, ...." Furthermore, the screen of terminal device 180 displays a button to accept the execution of the command (Yes) and a button to cancel the execution of the command (No). The operator can carry out the following attack method via the user interface displayed on the screen of terminal device 180.
[0031] In the above description, the instruction unit 15 inputs information to the LLM system 150 using a single prompt and obtains attack instruction data to be executed next, but it is not limited to this. For example, the instruction unit 15 may be configured to input some of the information included in the prompt in the above example to the LLM system 150 using RAG (Retrieval-Augmented Generation) or fine tuning instead of a prompt. For example, the instruction unit 15 may be configured to input the information included in the prompt in the above example into the LLM system 150 by dividing it into multiple prompts.
[0032] (operation) Next, an example of the operation of the information presentation device in this disclosure will be described with reference to the drawings. Figure 7 is a flowchart of an example of the operation of the information presentation device in this disclosure. In the explanation of the process according to the flowchart in Figure 7, the components of the information presentation device 10 will be considered the operating entities. The operating entities of the process according to the flowchart in Figure 7 may also be the information presentation device 10. For example, the process according to the flowchart in Figure 7 is realized by a processor executing a program stored in the memory installed in a computer (not shown) on which the information presentation device 10 is implemented.
[0033] In Figure 7, first, the acquisition unit 11 acquires attack data including the next attack method to be performed on the target and information indicating the target (step S11).
[0034] Next, the search unit 13 searches for information on how to use a tool associated with the following attack method (step S12). The search unit 13 searches for information on how to use a tool from the database 130. The search unit 13 may be configured to search for information on how to use a tool via the internet.
[0035] Next, the instruction unit 15 executes the attack instruction information generation process (step S13). Details of the attack instruction information generation process in step S13 will be described later.
[0036] Next, the output unit 17 outputs attack instruction data, which includes attack instructions that specify how to use the tools associated with the next attack method (step S14). The attack instruction information output from the information display device 10 is displayed on the screen of the terminal device 180 used to conduct the penetration test.
[0037] [Attack instruction information generation process] Next, an example of the attack instruction information generation process by the information presentation device in this disclosure (step S13 in Figure 7) will be described with reference to the drawings. Figure 8 is a flowchart of an example of the attack instruction information generation process by the information presentation device in this disclosure. In the explanation of the process according to the flowchart in Figure 8, the components of the information presentation device 10 (instruction unit 15) will be considered the main operating entity. The main operating entity of the process according to the flowchart in Figure 8 may also be the information presentation device 10.
[0038] In Figure 8, first, the instruction unit 15 generates a prompt that instructs the presentation of a method for attacking the target (step S131). The prompt includes instructions for generating attack instructions using information indicating the target and how to use the tools associated with the next attack method.
[0039] Next, the instruction unit 15 inputs the generated prompt to the LLM system 150 (step S132).
[0040] Next, the instruction unit 15 acquires text information, including attack instructions, output from the LLM system 150 in response to the prompt input (step S133). Following step S133, the process proceeds to step S14 in the flowchart of Figure 7.
[0041] As described above, the information presentation device of this embodiment comprises an acquisition unit, a search unit, an instruction unit, and an output unit. The acquisition unit acquires attack data, including attack methods used in cyberattack testing (penetration testing). The search unit searches for how to use security tools (tools) associated with attack methods. The search unit searches for how to use security tools associated with attack methods from a database that stores tool information, including how to use multiple security tools used in cyberattack testing. The instruction unit generates an instruction (prompt) requesting the presentation of attack instructions using the instructions for using the tools associated with the attack method and information indicating the target of the attack. The instruction unit inputs the generated instructions into a model (large-scale language model). The output unit outputs attack instruction data, including attack instructions output from the model in response to the instructions.
[0042] In this embodiment, the method for using security tools linked to attack methods performed in ongoing cyberattack tests is searched. In this embodiment, an attack instruction including the searched method for using security tools is generated using a large-scale language model. Therefore, according to this embodiment, the method for using security tools to execute attack methods can be presented to the workers performing the cyberattack tests. In this embodiment, a penetration test, which is one type of cyberattack test, was used as an example. The method of this embodiment can also be applied to vulnerability assessments, which are another type of cyberattack test.
[0043] In one embodiment of this invention, the output unit outputs attack instruction data that includes information indicating the target of the attack and commands indicating how to use security tools to carry out the next attack method. According to this embodiment, attack instructions including specific instructions on how to use security tools to carry out the next attack method against the target can be presented to the operator.
[0044] (Second Embodiment) Next, an information presentation device according to the second embodiment will be described with reference to the drawings. This embodiment differs from the first embodiment in that it presents a method for using a tool to implement the following attack method, based on past attack results.
[0045] (composition) Figure 9 is a block diagram showing an example of the configuration of an information presentation device in this disclosure. The information presentation device 20 comprises an acquisition unit 21, a search unit 23, an instruction unit 25, and an output unit 27. The information presentation device 20 also comprises a database 230. The database 230 may be configured outside the information presentation device 20, provided that it is accessible from the information presentation device 20. The instruction unit 25 is connected to an LLM system 250. The LLM system 250 has the same configuration as the LLM system 150 in the first embodiment.
[0046] The acquisition unit 21 has the same configuration as the acquisition unit 11 in the first embodiment. The acquisition unit 21 is connected to a terminal device 280 used by the worker. The acquisition unit 21 acquires attack data from the terminal device 280 used by the worker, including attack methods selected by the worker. The attack data includes at least one attack method selected by the worker. For example, the acquisition unit 21 may be configured to refer to past attack records and acquire the next attack method following a preceding attack method in order of a series of attack methods.
[0047] Database 230 stores tool information, including how to use the tools used to carry out attack methods. This tool information includes usage instructions for each tool. Multiple tools stored in Database 230 are associated with unique usage instructions. Database 230 also stores attack history information regarding past attacks. For example, Database 230 uses a relational database management system that enables high-speed query processing and efficient management of large amounts of data. By normalizing and storing tool information and attack history information using multiple tables, data integrity is maintained, enabling flexible searching and analysis. Database 230 may be omitted if the system is configured to retrieve tool usage instructions linked to the following attack methods from an external server via the internet.
[0048] Figure 10 is a table showing an example of attack history information stored in a database referenced by the information presentation device in this disclosure. Database 230 stores multiple attack history information R. Attack history information R includes attack details for each of multiple attack methods that were carried out consecutively. In the example attack history in Figure 10, attack step 2 was carried out after attack step 1. Attack method A was carried out in attack step 1. The attack details of attack step 1 include the fact that port 2X was open as a log of an nmap port scan. Attack method B was carried out in attack step 2. The attack details of attack step 2 include the fact that a connection to port 2X was made via ssh.
[0049] The search unit 23 searches the database 230 for information on how to use tools associated with the following attack methods. The search unit 23 also searches for past attack records related to the following attack methods. For example, the search unit 23 searches for past attack records that include the following attack methods. The search unit 23 may be configured to obtain information on how to use tools and past attack records from an external server via the internet. For example, past attack records may be publicly available information such as threat reports. For example, past attack records may also be information on penetration tests previously conducted by penetration testers. The instruction unit 25 obtains information indicating the target of the attack and instructions on how to use the tools to be used in the next attack method to be performed against that target. The instruction unit 25 also obtains past attack records related to the next attack method. The instruction unit 25 generates a prompt containing instructions on how to perform the next attack method by referring to the information indicating the target of the attack, the instructions on how to use the tools, and the past attack records. The instruction unit 25 inputs the generated prompt to the LLM system 250. The functional configuration of the instruction unit 25 that generates the prompt (instruction) is also called the generation unit. The instruction unit 25 may be configured to refer to external information before using the LLM system 250.
[0050] Figure 11 is a conceptual diagram showing an example of a prompt generated by the information presentation device in this disclosure. In the example in Figure 11, the tool for carrying out the next attack method is ssh. Figure 11 shows prompt P that the information presentation device 20 inputs to the LLM system 250. Prompt P includes instructions, target information, instructions on how to use the tool used to carry out the next attack method, and past attack results. In Figure 11, only a portion of the target information, instructions on how to use the tool used to carry out the next attack method, and past attack results are described. The instructions include the text information, "Please provide the procedure for carrying out attack method B using the following information." The target information includes the IP address and port number of the target. The instructions on how to use the tool include the explanatory text, "ssh[-1246AaCfGgKkMNnqsTtVvXxYy],...". Prompt P also includes the explanatory text, "$_ssh_-p_2X_root@10.0.0.X", indicating past attack results.
[0051] The instruction unit 25 acquires text information output from the LLM system 250 in response to prompt input. The text information includes specific methods for carrying out the next attack technique tailored to the target of the attack. For example, the text information may include attack instructions and commands. Attack instructions may include, for example, instructions for executing commands to use tools used to carry out the next attack technique. Depending on the tool, the attack may be carried out by manipulating the tool's GUI (Graphical User Interface) rather than using commands. For example, an attack may be carried out by accessing the target web system with a specific browser and entering an appropriate username and password on the login screen. Attack instructions may include, for example, the operating procedure for such a tool. Commands indicate commands to use tools used to carry out the next attack technique. For example, the text information may include a description of the command. The instruction unit 25 outputs the acquired text information to the output unit 27.
[0052] Figure 11 shows response A output from LLM system 250 in response to prompt P. Response A includes instructions on how to use the tool to carry out the next attack, stating, "To attack the target using ssh, execute the following command." Response A also includes the command "$_ssh-p_2XX2_root@192.XXX.YZ". Furthermore, Response A includes a description of the command, stating, "-p is an option to specify the port number, ...".
[0053] The output unit 27 is connected to a terminal device 280 used by the operator. The output unit 27 obtains attack instruction information from the instruction unit 25, which includes text information that specifies the target of the attack and how to use the tools to carry out the next attack method. The output unit 27 outputs attack instruction data, including the obtained attack instruction information, to the terminal device 280. The attack instruction information contained in the attack instruction data output to the terminal device 280 is displayed on the screen of the terminal device 280.
[0054] Figure 12 is a conceptual diagram showing an example of the display of attack instruction information included in the attack instruction data output from the information presentation device in this disclosure. The top of the screen of terminal device 280 displays the IP (Internet Protocol) address and port number of the target of the attack. The screen of terminal device 280 displays text information indicating an attack instruction, which reads, "To attack the target using ssh, execute the following command." The screen of terminal device 280 also displays the command, "ssh_-p_2XX2_root@192.XXX.YZ." The screen of terminal device 280 also displays a command indicating past attack records, "$_ssh_-p_2X_root@10.0.0.X...." The screen of terminal device 180 also displays an explanation of the command, which reads, "p is an option to specify a port number,...." Furthermore, the screen of terminal device 280 displays a button to accept the execution of the command (Yes) and a button to cancel the execution of the command (No). The operator can carry out the following attack method via the user interface displayed on the screen of terminal device 280.
[0055] In the above description, the instruction unit 25 inputs information to the LLM system 250 using a single prompt and obtains attack instruction data to be executed next, but it is not limited to this. For example, the instruction unit 25 may be configured to input some of the information included in the prompt in the above example to the LLM system 250 using RAG (Retrieval-Augmented Generation) or fine tuning instead of a prompt. For example, the instruction unit 25 may be configured to input the information included in the prompt in the above example into the LLM system 250 by dividing it into multiple prompts.
[0056] (operation) Next, an example of the operation of the information presentation device in this disclosure will be described with reference to the drawings. Figure 13 is a flowchart of an example of the operation of the information presentation device in this disclosure. In the explanation of the process according to the flowchart in Figure 13, the components of the information presentation device 20 will be considered the operating entities. The operating entities of the process according to the flowchart in Figure 13 may also be the information presentation device 20. For example, the process according to the flowchart in Figure 13 is realized by a processor executing a program stored in the memory installed in a computer (not shown) on which the information presentation device 20 is implemented.
[0057] In Figure 13, first, the acquisition unit 21 acquires attack data including the next attack method to be performed on the target and information indicating the target (step S21).
[0058] Next, the search unit 23 searches for information on how to use a tool associated with the following attack method (step S22). The search unit 23 searches for information on how to use a tool from the database 230. The search unit 23 may be configured to search for information on how to use a tool via the internet.
[0059] Next, the search unit 23 searches for past attack records related to the next attack method (step S23). The search unit 23 searches for past attack records from the database 230. The search unit 23 may be configured to search for past attack records via the internet. Steps S22 and S23 may be performed in any order or in parallel.
[0060] Next, the instruction unit 25 executes the attack instruction information generation process (step S24). Details of the attack instruction information generation process in step S24 will be described later.
[0061] Next, the output unit 27 outputs attack instruction data, which includes attack instructions that specify how to use the tools associated with the next attack method (step S25). The attack instruction information output from the information display device 20 is displayed on the screen of the terminal device 280 used to conduct the penetration test.
[0062] [Attack instruction information generation process] Next, an example of the attack instruction information generation process by the information presentation device in this disclosure (step S24 in Figure 13) will be described with reference to the drawings. Figure 14 is a flowchart of an example of the attack instruction information generation process by the information presentation device in this disclosure. In the explanation of the process according to the flowchart in Figure 14, the components of the information presentation device 20 (instruction unit 25) will be considered the main operating entity. The main operating entity of the process according to the flowchart in Figure 14 may also be the information presentation device 20.
[0063] In Figure 14, first, the instruction unit 25 generates a prompt that includes instructions for generating attack instructions for the target (step S241). The prompt includes instructions for generating attack instructions using information that indicates the target, including how to use the tool associated with the next attack method, past attack records including the next attack method, and information that indicates the target.
[0064] Next, the instruction unit 25 inputs the generated prompt to the LLM system 250 (step S242).
[0065] Next, the instruction unit 25 acquires text information, including attack instructions, output from the LLM system 250 in response to the input of a prompt (step S243). Following step S243, the process proceeds to step S25 in the flowchart of Figure 13.
[0066] As described above, the information presentation device of this embodiment comprises an acquisition unit, a search unit, an instruction unit, and an output unit. The acquisition unit acquires attack data, including attack methods, in cyberattack tests (penetration tests). The search unit searches for how to use security tools (tools) associated with attack methods. For example, the search unit searches for how to use security tools associated with attack methods from a database that stores tool information, including how to use multiple security tools used in cyberattack tests. The search unit also searches for past attack records, including attack methods. For example, the search unit searches for how to use security tools associated with attack methods from a database that stores past attack records. The instruction unit generates instructions (prompts) requesting the presentation of attack instructions using information indicating how to use security tools associated with attack methods, past attack records, and the target of the attack. The instruction unit inputs the generated instructions into a model (large-scale language model). The output unit outputs attack instruction data, including the attack instructions output from the model in response to the input instructions.
[0067] In this embodiment, the method for using security tools associated with attack methods used in ongoing cyberattack tests is searched. In this embodiment, based on past attack performance, the model generates attack instructions that include instructions for using tools associated with attack methods. The model outputs attack instructions based on past attack performance. Therefore, according to this embodiment, attack instructions based on past attack performance can be presented to the operator conducting the cyberattack test. In this embodiment, a penetration test, which is one type of cyberattack test, was used as an example. The method of this embodiment can also be applied to vulnerability assessment, which is another type of cyberattack test.
[0068] In one embodiment of this system, the output unit outputs attack instruction data including information indicating the target of the attack, commands indicating how to use security tools to carry out the attack method, and past attack results. According to this embodiment, the operator can be presented with attack instructions that include specific instructions on how to use security tools to carry out the attack method against the target, as well as past attack results.
[0069] (Third embodiment) Next, an information presentation device according to the third embodiment will be described with reference to the drawings. This embodiment differs from the first and second embodiments in that it presents how to use a tool for implementing the next attack method based on the attack results in the ongoing penetration test. The attack results in the ongoing penetration test will also be referred to as the current attack results. Below, an example of applying the method of this embodiment to the second embodiment will be given. The method of this embodiment may also be applied to the first embodiment.
[0070] (composition) Figure 15 is a block diagram showing an example of the configuration of an information presentation device in this disclosure. The information presentation device 30 comprises an acquisition unit 31, a search unit 33, an instruction unit 35, and an output unit 37. The information presentation device 30 also comprises a database 330. The database 330 may be configured outside the information presentation device 30, provided that it is accessible from the information presentation device 30. The instruction unit 35 is connected to an LLM system 350. The LLM system 350 has the same configuration as the LLM system 150 in the first embodiment.
[0071] The acquisition unit 31 is connected to a terminal device 380 used by the operator. The acquisition unit 31 acquires attack data from the terminal device 380 used by the operator, including attack methods selected by the operator. The attack data includes at least one attack method selected by the operator. The attack data also includes attack methods executed in the ongoing penetration test. The attack methods and attack details executed in the ongoing penetration test are also referred to as the current attack record. The attack record includes attack steps consisting of at least one attack method and the results (attack details) of each attack method. For example, the attack details include the commands used in the attack, their options, and the execution results of those commands. For example, the acquisition unit 31 may be configured to acquire the next attack method following a preceding attack method based on the attack steps that were executed consecutively, by referring to past attack records and the current attack record.
[0072] Figure 16 is a conceptual diagram showing an example of attack data acquired by the information presentation device in this disclosure. The attack data includes at least one attack method selected by the operator. The attack data also includes the results of the current attack. Attack step 1 shows the results of the current attack. In attack step 1, attack method A was performed. Attack method A includes the process of performing a port scan with nmap to check for available ports. Attack step 2 includes attack method B, which will be performed next and selected by the operator.
[0073] Database 330 stores tool information, including how to use the tools used to carry out attack methods. This tool information includes usage instructions for each tool. Multiple tools stored in Database 330 are associated with unique usage instructions. Database 330 also stores attack history information regarding past attacks. Current attack history may also be stored in Database 330. For example, Database 330 may utilize a relational database management system that enables high-speed query processing and efficient management of large amounts of data. If tool information and attack history information are stored in a normalized manner using multiple tables, data integrity is maintained, and flexible searching and analysis become possible. Database 330 may be omitted if the system is configured to retrieve tool usage instructions linked to the next attack method from an external server via the internet.
[0074] The search unit 33 searches the database 330 for information on how to use tools associated with the following attack methods. The search unit 33 also searches for past attack records related to the following attack methods. For example, the search unit 33 searches for past attack records that include the following attack methods. The search unit 33 may be configured to obtain information on how to use tools and past attack records from an external server via the internet. For example, past attack records may be publicly available information such as threat reports.
[0075] The instruction unit 35 acquires past attack records and current attack records, information indicating the target of the attack, and instructions on how to use the tools to be used in the next attack method to be implemented against that target. The instruction unit 35 generates a prompt (also called an instruction) that instructs the system to present a method for implementing the next attack method by referring to the past attack records and current attack records, information indicating the target of the attack, and instructions on how to use the tools to be used in the next attack method to be implemented against that target. The instruction unit 35 inputs the generated prompt into the LLM system 350. The functional configuration of the instruction unit 35 that generates the prompt (instruction) is also called the generation unit. For example, the instruction unit 35 may be configured to refer to external information before using the LLM system 350.
[0076] The instruction unit 35 acquires text information output from the LLM system 350 in response to prompt input. The instruction unit 35 acquires text information that specifies information indicating the target of the attack and how to use the tools used to carry out the next attack method. For example, the text information may include attack instructions and commands. Attack instructions include instructions to execute commands for using the tools used to carry out the next attack method. Commands indicate commands for using the tools used to carry out the next attack method. For example, the text information may include a description of the command. The text information may also include information indicating past attack results. The instruction unit 35 outputs the acquired text information to the output unit 37.
[0077] Figure 17 is a conceptual diagram showing an example of a prompt generated by the information presentation device in this disclosure. In the example in Figure 17, the next attack method is attack method B. The tool for carrying out attack method B is ssh. Figure 17 shows prompt P that the information presentation device 30 inputs to the LLM system 350. Prompt P includes instructions, target information, instructions on how to use the tool used to carry out the next attack method, past attack results, and current attack results. In Figure 17, only a portion of the target information, instructions on how to use the tool used to carry out the next attack method, past attack results, and current attack results are described. The instructions include the text information, "Please provide the procedure for carrying out attack method B using the following information." The target information includes the IP address and port number of the target. The instructions on how to use the tool include the explanatory text, "ssh[-1246AaCfGgKkMNnqsTtVvXxYy],..." Furthermore, the prompt P includes a description indicating past attack history, such as "$_sudo_nmap_10.0.0.1_-p-,...,$_sudo_-p_2X_root@10.0.0.X,...". Additionally, the prompt P includes a description indicating the current attack history, such as "$_sudo_nmap_192.XXX.Y.Z_-p-,...".
[0078] For example, suppose a past attack log shows that port 2X is open as reported by nmap port scan, and in the next attack, the attacker connected to port 2X via SSH. In this case, based on the past attack log, we can interpret that port 2X was open and that the SSH connection was made to port 2X. Now, suppose the current attack log shows that port 2XX2 is open. In this case, for the next SSH connection, we can interpret the nmap log in the same way as the current attack log and determine that the attacker should attempt to connect to port 2XX2.
[0079] The instruction unit 35 acquires text information output from the LLM system 350 in response to prompt input. The text information includes specific methods for carrying out the next attack technique tailored to the target of the attack. For example, the text information may include attack instructions and commands. Attack instructions may include, for example, instructions for executing commands to use tools used to carry out the next attack technique. Depending on the tool, the attack may be carried out by operating the tool's GUI (Graphical User Interface) rather than using commands. For example, an attack may be carried out by accessing the target web system with a specific browser and entering an appropriate username and password on the login screen. Attack instructions may include, for example, the operating procedure for such a tool. Commands indicate commands to use tools used to carry out the next attack technique. For example, the text information may include a description of the command. The instruction unit 35 outputs the acquired text information to the output unit 37.
[0080] Figure 17 shows the response A output from the LLM system 350 in response to the input of prompt P. Response A includes instructions on how to use the tool to carry out the next attack, stating, "To attack the target using ssh, execute the following command." Response A also includes the command "$_ssh-p_2XX2_root@192.XXX.YZ". Furthermore, Response A includes a description of the command, stating, "-p is an option to specify a port number, ...".
[0081] The output unit 37 is connected to a terminal device 380 used by the operator. The output unit 37 obtains attack instruction information from the instruction unit 35, which includes text information that specifies the target of the attack and how to use the tools to carry out the next attack method. The output unit 37 outputs attack instruction data, including the obtained attack instruction information, to the terminal device 380. The attack instruction information contained in the attack instruction data output to the terminal device 380 is displayed on the screen of the terminal device 380.
[0082] Figure 18 is a conceptual diagram showing an example of the display of attack instruction information included in the attack instruction data output from the information presentation device in this disclosure. The top of the screen of terminal device 380 displays the IP (Internet Protocol) address and port number of the target of the attack. The screen of terminal device 380 displays text information indicating an attack instruction, which reads, "To attack the target using ssh, execute the following command." The screen of terminal device 380 also displays the command, "ssh_-p_2XX2_root@192.XXX.YZ." The screen of terminal device 380 also displays an explanation of the command, which reads, "p is an option to specify the port number, ...." The screen of terminal device 380 also displays commands indicating past attack records, such as "$_sudo_nmap_10.0.0.1_-p-, $_ssh-p_2X_root@10.0.0.X." Furthermore, the terminal device 380 screen displays the command "$_sudo_nmap_192.XXX.Y.Z_-p-", indicating the successful execution of this attack. In addition, the terminal device 380 screen displays a button to accept the command execution (Yes) and a button to cancel the command execution (No). The operator can carry out the next attack method via the user interface displayed on the terminal device 380 screen.
[0083] In the above description, the instruction unit 35 inputs information to the LLM system 350 using a single prompt and obtains attack instruction data to be executed next, but it is not limited to this. For example, the instruction unit 35 may be configured to input some of the information included in the prompt in the above example to the LLM system 350 using RAG (Retrieval-Augmented Generation) or fine tuning instead of a prompt. For example, the instruction unit 35 may be configured to input the information included in the prompt in the above example into multiple prompts to the LLM system 350.
[0084] (operation) Next, an example of the operation of the information presentation device in this disclosure will be described with reference to the drawings. Figure 19 is a flowchart of an example of the operation of the information presentation device in this disclosure. In the explanation of the process according to the flowchart in Figure 19, the components of the information presentation device 30 will be considered the main operating entities. The main operating entities of the process according to the flowchart in Figure 19 may also be the information presentation device 30. For example, the process according to the flowchart in Figure 19 is realized by a processor executing a program stored in the memory installed in a computer (not shown) on which the information presentation device 30 is implemented.
[0085] In Figure 19, first, the acquisition unit 31 acquires attack data including the next attack method to be performed against the target, information indicating the target, and the results of the current attack (step S31).
[0086] Next, the search unit 33 searches for information on how to use a tool associated with the following attack method (step S32). The search unit 33 searches for information on how to use a tool from the database 330. The search unit 33 may be configured to search for information on how to use a tool via the internet.
[0087] Next, the search unit 33 searches for past attack records related to the next attack method (step S33). The search unit 33 searches for past attack records from the database 330. The search unit 33 may be configured to search for past attack records via the internet.
[0088] Next, the instruction unit 35 executes the attack instruction information generation process (step S34). Details of the attack instruction information generation process in step S34 will be described later.
[0089] Next, the output unit 37 outputs attack instruction data, which includes attack instructions that specify how to use the tools associated with the next attack method (step S35). The attack instruction information output from the information display device 30 is displayed on the screen of the terminal device 380 used to conduct the penetration test.
[0090] [Attack instruction information generation process] Next, an example of the attack instruction information generation process by the information presentation device in this disclosure (step S34 in Figure 19) will be described with reference to the drawings. Figure 20 is a flowchart of an example of the attack instruction information generation process by the information presentation device in this disclosure. In the explanation of the process according to the flowchart in Figure 20, the components of the information presentation device 30 (instruction unit 35) will be considered the main operating entity. The main operating entity of the process according to the flowchart in Figure 20 may also be the information presentation device 30.
[0091] In Figure 20, first, the instruction unit 35 generates a prompt that instructs the system to provide a method for attacking the target (step S341). The prompt includes instructions on how to use a tool associated with the next attack method, past attack records including the next attack method and the current attack record, and instructions to generate an attack instruction using information indicating the target.
[0092] Next, the instruction unit 35 inputs the generated prompt to the LLM system 350 (step S342).
[0093] Next, the instruction unit 35 acquires text information, including attack instructions, output from the LLM system 350 in response to the prompt input (step S343). Following step S343, the process proceeds to step S35 in the flowchart of Figure 19.
[0094] As described above, the information presentation device of this embodiment comprises an acquisition unit, a search unit, an instruction unit, and an output unit. The acquisition unit acquires attack data, including attack methods, in cyberattack tests (penetration tests). The search unit searches for how to use security tools associated with attack methods. The search unit searches for how to use security tools associated with attack methods from a database that stores tool information, including how to use multiple security tools used in cyberattack tests. The instruction unit generates an instruction (prompt) requesting the presentation of attack instructions using information indicating how to use security tools associated with attack methods, the results of the current attack, and the target of the attack. The instruction unit inputs the generated instruction into a model (large-scale language model). The output unit outputs attack instruction data, including the attack instructions output from the model in response to the input instruction.
[0095] In this embodiment, the method for using security tools linked to attack methods performed in ongoing cyberattack tests is searched. In this embodiment, based on past and current attack results, the model generates attack instructions that include how to use tools linked to attack methods. The model outputs attack instructions based on past and current attack results. Therefore, according to this embodiment, attack instructions that take into account past and current attack results can be presented to the operator conducting the cyberattack test. In this embodiment, a penetration test, which is one type of cyberattack test, was used as an example. The method of this embodiment can also be applied to vulnerability assessment, which is another type of cyberattack test.
[0096] In one embodiment of this system, the output unit outputs attack instruction data including information indicating the target of the attack, commands indicating how to use the tools for carrying out the attack method, past attack results, and the results of the current attack. According to this embodiment, the operator can be presented with attack instructions including specific instructions on how to use the tools for carrying out the attack method against the target, past attack results, and the results of the current attack.
[0097] (Fourth Embodiment) Next, the information presentation device in the fourth embodiment will be described with reference to the drawings. The information presentation device in this embodiment has a simplified configuration compared to the information presentation devices in the first to third embodiments. For example, the functions of the components of the information presentation device in this disclosure are realized by the functions of the components of the information presentation devices in the first to third embodiments.
[0098] (composition) Figure 21 is a block diagram showing an example of the configuration of an information presentation device in this disclosure. The information presentation device 40 comprises an acquisition unit 41, a search unit 43, a generation unit 45, and an output unit 47.
[0099] The acquisition unit 41 acquires attack data, including attack methods, in cyberattack tests. The search unit 43 searches for how to use security tools associated with attack methods. The generation unit 45 generates instructions requesting the presentation of attack instructions using the searched security tool usage methods. The output unit 47 outputs attack instruction data, including attack instructions output from the model in response to the input instructions.
[0100] (operation) Figure 22 is a flowchart showing an example of the operation (information presentation method) of the information presentation device in this disclosure. In the explanation of the process according to the flowchart in Figure 22, the components of the information presentation device 40 are considered the main operating entities. The main operating entities of the process according to the flowchart in Figure 22 may also be the information presentation device 40.
[0101] In Figure 22, first, the acquisition unit 41 acquires attack data, including attack methods, in the cyberattack test (step S41).
[0102] The search unit 43 searches for information on how to use security tools associated with attack methods (step S42).
[0103] The generation unit 45 generates instructions requesting the presentation of attack instructions using the searched security tools (step S43).
[0104] The output unit 47 outputs attack instruction data, including the attack instruction output from the model in response to the input instruction (step S44).
[0105] In this embodiment, the method of using security tools (tools) associated with the attack methods to be implemented in the ongoing cyberattack test is searched for. In this embodiment, an attack instruction including the method of using the searched security tools is generated using a model (large-scale language model). Therefore, according to this embodiment, the method of using security tools to implement the next attack method can be presented to the worker conducting the cyberattack test.
[0106] (Hardware) Next, the hardware configuration for performing the processing described in this disclosure will be described with reference to the drawings. Figure 23 is a block diagram showing an example of a hardware configuration for performing the processing described in this disclosure. Here, an information processing device 90 (computer) is shown as an example of a hardware configuration. The information processing device in Figure 23 is an example configuration for performing the processing described in this disclosure and does not limit the scope of this disclosure.
[0107] As shown in Figure 23, the information processing device 90 comprises a processor 91, memory 92, auxiliary storage device 93, input / output interface 95, and communication interface 96. In Figure 23, interface is abbreviated as I / F (Interface). The information processing device 90 may include at least one or more of the processor 91, memory 92, auxiliary storage device 93, input / output interface 95, and communication interface 96. The processor 91, memory 92, auxiliary storage device 93, input / output interface 95, and communication interface 96 are connected to each other via a bus 98 so that they can communicate data. In addition, the processor 91, memory 92, auxiliary storage device 93, and input / output interface 95 are connected to a network such as the Internet or an intranet via the communication interface 96.
[0108] The processor 91 loads a program (instruction) stored in an auxiliary storage device 93 or the like into memory 92. For example, the program is a software program for executing the processing described in this disclosure. The processor 91 executes the program loaded into memory 92. The processor 91 executes the processing described in this disclosure by executing the program. The processor 91 may be composed of a single piece of hardware or of multiple pieces of hardware.
[0109] Memory 92 is a storage device having an area where programs are deployed. The processor 91 deploys programs stored in auxiliary storage devices 93, etc., into memory 92. Memory 92 can be implemented using volatile memory such as DRAM (Dynamic Random Access Memory). Alternatively, non-volatile memory such as MRAM (Magnetoresistive Random Access Memory) may be used as memory 92. Memory 92 may be composed of a single piece of hardware or multiple pieces of hardware.
[0110] The auxiliary storage device 93 stores various data, such as programs. For example, the auxiliary storage device 93 can be implemented by a local disk such as a hard disk or flash memory. The auxiliary storage device 93 may be configured by a single piece of hardware or by multiple pieces of hardware. The auxiliary storage device 93 may also be configured as external hardware. It is also possible to configure the system to store various data in memory 92 and omit the auxiliary storage device 93.
[0111] The input / output interface 95 is an interface for connecting the information processing device 90 to peripheral devices based on standards and specifications. The communication interface 96 is an interface for connecting to external systems and devices via a network such as the Internet or an intranet, based on standards and specifications. The input / output interface 95 may be composed of a single piece of hardware or multiple pieces of hardware. The input / output interface 95 and the communication interface 96 may be common as interfaces for connecting to external devices.
[0112] The information processing device 90 may be connected to input devices such as a keyboard, mouse, or touch panel, as needed. These input devices are used to input information and settings. When a touch panel is used as an input device, the screen with touch panel functionality serves as the interface. The processor 91 and the input devices are connected via an input / output interface 95.
[0113] The information processing device 90 may be equipped with a display device for displaying information. If a display device is provided, the information processing device 90 is equipped with a display control device (not shown) for controlling the display of the display device. The information processing device 90 and the display device are connected via an input / output interface 95.
[0114] The information processing device 90 may be equipped with a drive device. The drive device mediates between the processor 91 and the recording medium (program recording medium) by reading data and programs stored on the recording medium and writing the processing results of the information processing device 90 to the recording medium. The information processing device 90 and the drive device are connected via an input / output interface 95.
[0115] The above is an example of a hardware configuration that enables the processing described in this disclosure. The hardware configuration in Figure 23 is an example of a hardware configuration for executing the processing described in this disclosure and does not limit the scope of this disclosure. A program that causes a computer to execute the processing described in this disclosure is also included in the scope of this disclosure.
[0116] A program recording medium that records a program that performs the processing described in this disclosure is also included in the scope of the present invention. For example, the program recording medium is a computer-readable, non-transient recording medium. The recording medium can be implemented as an optical recording medium such as a CD (Compact Disc) or a DVD (Digital Versatile Disc). The recording medium may also be implemented as a semiconductor recording medium such as a USB (Universal Serial Bus) memory or an SD (Secure Digital) card. Furthermore, the recording medium may be implemented as a magnetic recording medium such as a flexible disk, or other recording media.
[0117] The components in this disclosure may be combined in any way. The components in this disclosure may be implemented by cloud computing. The components in this disclosure may be implemented by software. The components in this disclosure may be implemented by circuitry.
[0118] Although the present disclosure has been described above with reference to embodiments, the present disclosure is not limited to the embodiments described above. Various modifications to the structure and details of the present disclosure can be made as can be understood by those skilled in the art within the scope of the present disclosure. Furthermore, each embodiment can be combined with other embodiments as appropriate.
[0119] Some or all of the above embodiments may also be described as follows, but are not limited to the following. In the following appendices, the dependents of each category may also be dependent on other categories. The descriptions included in the following appendices are significant as grounds for amendment. (Note 1) An acquisition unit that acquires attack data, including attack methods, in cyberattack tests, A search unit that searches for how to use security tools associated with the aforementioned attack method, A generation unit that generates instructions requesting the presentation of attack instructions using the searched methods for using the security tools, An information presentation device comprising: an output unit that outputs attack instruction data, including attack instructions output from a model in response to the input of the aforementioned instructions. (Note 2) The aforementioned search unit, An information presentation device as described in Appendix 1, which searches for the usage methods of security tools linked to the attack method from a database containing tool information, including the usage methods of multiple security tools used in the aforementioned cyberattack test. (Note 3) The generating unit is An information presentation device according to Appendix 2 that generates instructions requesting the presentation of attack instructions using the method of using the security tool linked to the aforementioned attack method and information indicating the target of the attack. (Note 4) The output unit is, An information presentation device according to Appendix 3 that outputs attack instruction data including information indicating the target of the attack and commands indicating how to use the security tool to carry out the attack method. (Note 5) The aforementioned search unit, Search past attack records, including the aforementioned attack methods. The generating unit is An information presentation device according to Appendix 2 that generates instructions requesting the presentation of attack instructions using information indicating the method of using the security tool linked to the attack method, past attack records, and the target of the attack. (Note 6) The output unit is, An information presentation device according to Appendix 5 that outputs information indicating the target of the attack, commands indicating how to use the security tool to carry out the attack method, and attack instruction data including past attack records. (Note 7) The acquisition unit is, We obtained the results of this attack, including the aforementioned attack method, The generating unit is An information presentation device according to Appendix 5 that generates instructions requesting the presentation of attack instructions using information indicating the method of using the security tool linked to the attack method, past attack results, current attack results, and the target of the attack. (Note 8) The output unit is, An information presentation device according to Appendix 7 that outputs attack instruction data including information indicating the target of the attack, commands indicating how to use the security tool to carry out the attack method, past attack records, and the current attack records. (Note 9) Computers We obtain attack data, including attack methods, in cyberattack tests. Search for how to use security tools associated with the aforementioned attack method. An instruction is generated requesting the presentation of attack instructions using the searched method of using the security tool, An information presentation method that outputs attack instruction data, including attack instructions output from a model in response to the input of the aforementioned instructions. (Note 10) On the computer, The process of acquiring attack data, including attack methods, in cyberattack testing, A process to search for how to use security tools associated with the aforementioned attack method, A process that generates instructions requesting the presentation of attack instructions using the searched methods for using the security tools, A program that performs the following: a process that outputs attack instruction data, including attack instructions, from a model in response to the input of the aforementioned instructions. Furthermore, some or all of the configurations described in Appendices 2 to 8, which are subordinate to Appendice 1 above, may also be subordinate to Appendices 9 and 10 in the same way as those described in Appendices 2 to 8. Moreover, not limited to Appendices 1, 9, and 10, some or all of the configurations described as appendices may also be subordinate to various hardware, software, various recording means for recording software, or systems, without departing from the embodiments described above. [Explanation of symbols]
[0120] 10, 20, 30, 40 Information presentation device 11, 21, 31, 41 Acquisition section 13, 23, 33, 43 Search section 15, 25, 35 Instruction section 17, 27, 37, 47 Output section 45 Generation part 130, 230, 330 databases 150, 250, 350 LLM system 180, 280, 380 terminal devices
Claims
1. An acquisition unit that acquires attack data, including attack methods, in cyberattack tests, A search unit that searches for how to use security tools associated with the aforementioned attack method, A generation unit that generates instructions requesting the presentation of attack instructions using the searched methods for using the security tools, An information presentation device comprising: an output unit that outputs attack instruction data, including attack instructions output from a model in response to the input of the aforementioned instructions.
2. The aforementioned search unit, The information presentation device according to claim 1, which searches for a method of using a security tool linked to an attack method from a database that stores tool information including methods of using multiple security tools used in the cyberattack test.
3. The generating unit is The information presentation device according to claim 2, which generates an instruction requesting the presentation of an attack instruction using a method for using the security tool linked to the attack method and information indicating the target of the attack.
4. The output unit is, The information presentation device according to claim 3, which outputs attack instruction data including information indicating the target of the attack and commands indicating how to use the security tool for carrying out the attack method.
5. The aforementioned search unit, Search past attack records, including the aforementioned attack methods. The generating unit is The information presentation device according to claim 2, which generates an instruction requesting the presentation of an attack instruction using information indicating the method of using the security tool linked to the attack method, the past attack record, and the target of the attack.
6. The output unit is, The information presentation device according to claim 5, which outputs information indicating the target of the attack, commands indicating how to use the security tool to carry out the attack method, and attack instruction data including past attack records.
7. The acquisition unit is, We obtained the results of this attack, including the aforementioned attack method, The generating unit is The information presentation device according to claim 5, which generates an instruction requesting the presentation of an attack instruction using information indicating the method of using the security tool linked to the attack method, the past attack record, the current attack record, and the target of the attack.
8. The output unit is, The information presentation device according to claim 7, which outputs attack instruction data including information indicating the target of the attack, commands indicating how to use the security tool for carrying out the attack method, past attack records, and the current attack records.
9. Computers We obtain attack data, including attack methods, in cyberattack tests. Search for how to use security tools associated with the aforementioned attack method. An instruction is generated requesting the presentation of attack instructions using the searched method of using the security tool, An information presentation method that outputs attack instruction data, including attack instructions output from a model in response to the input of the aforementioned instructions.
10. On the computer, The process of acquiring attack data, including attack methods, in cyberattack testing, A process to search for how to use security tools associated with the aforementioned attack method, A process that generates instructions requesting the presentation of attack instructions using the searched methods for using the security tools, A program that performs the following: a process that outputs attack instruction data, including attack instructions, from a model in response to the input of the aforementioned instructions.