System design equipment, system design method, program

JP7871879B2Active Publication Date: 2026-06-09NEC CORP

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
NEC CORP
Filing Date
2022-08-26
Publication Date
2026-06-09

AI Technical Summary

Benefits of technology

【0010】 本発明によれば、コンピュータのシステム設計において、ユーザにより入力されたシステム要件を具体化したシステム構成のうち、非セキュアであると判定されないシステム構成の設計結果を効率よく出力することのできるシステム設計装置、システム設計方法、記憶媒体を提供する。

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 0007871879000001
    Figure 0007871879000001
  • Figure 0007871879000002
    Figure 0007871879000002
  • Figure 0007871879000003
    Figure 0007871879000003
Patent Text Reader

Abstract

The present invention acquires first configuration information including topology information that uses any one component of nodes in a computer system and edges indicating the relationship among the nodes. The topology configuration in the first configuration information is embodied. A determination is made as to whether an event could occur that would constitute a security threat at a node or an edge in the embodied topology configuration, and if an event that would constitute a threat could occur, configuration information is generated, the configuration information including the addition of information indicating the relationship between a component in which the given threat could occur and another component in which another threat contributing to the occurrence of the given threat could occur. For a path of a chain of threats based on the relationship between a given threat in the configuration information and other threats contributing to the occurrence of the given threat, the contents of each threat are determined to be concrete or abstract, and a determination is made as to whether the design is secure or not for a case in which the contents of the threat are concrete and for a case in which the contents of the threat are abstract.
Need to check novelty before this filing date? Find Prior Art

Claims

1. Acquisition means for acquiring first configuration information which includes at least information about the topology of the computer system using components in the computer system, Configuration concretization means for generating second configuration information that concretizes the topology configuration in the first configuration information, A threat embodiment means that determines whether or not a security threat may occur in the components of the embodiment topology, and generates third configuration information by adding, if a threat may occur, an identifier of the threat, the components in which the threat may occur, identifiers of other threats contributing to the occurrence of the threat, and information showing the relationship between the other components in which the other threat may occur, to the second configuration information. An analysis means that determines whether the content of each threat is specific or abstract in the threat chain path based on the relationship between the threat and other threats contributing to the occurrence of the threat in the third configuration information, and determines whether the design of the computer system in the third configuration information is insecure in the cases where the content of the threat is specific or abstract, Equipped with, The analysis means determines that the design of the computer system of the third configuration information is insecure if the content of the threat is concrete in all parts of the threat chain path, or if the content of the threat is abstract in any component of the threat chain path but there is no means to prevent that abstract threat from being replaced by a concrete threat. System design device.

2. The aforementioned means for concretizing the configuration is, The second configuration information is generated, which embodies one of the predetermined units of the constituent elements in the topology of the computer system of the first configuration information input at the start of processing. The process of generating new second configuration information by taking the third configuration information generated based on the second configuration information and the third configuration information that was not determined to be insecure as new first configuration information, and then repeatedly generating new second configuration information that embodies one of the predetermined units of the constituent elements in the topology of the computer system of the first configuration information, and then repeatedly generating the third configuration information based on the second configuration information, If none of the predetermined units of the constituent elements in the topology of the computer system of the third configuration information can be further concretized, and the design of the computer system of the third configuration information is not determined to be insecure, the design of the third configuration information Output as a result The system design apparatus according to claim 1.

3. The threat concretization means adds to the third configuration information information indicating whether the threat information to be added to the second configuration information is specific or abstract, based on threat concretization rules that indicate threats defined according to the topology. The analysis means determines that the computer system design of the third configuration information is insecure if, based on the information assigned to the third configuration information, the content of the threat is concrete in all parts of the threat chain path, or if the content of the threat is abstract in any part of the threat chain path but there is no means to prevent that abstract threat from being replaced by a concrete threat. A system design apparatus according to claim 1 or claim 2.

4. The analysis means identifies the path in the threat chain as an abstract attack path, indicating a path in the threat chain where a security attack may occur based on the threats included in that path, if the abstract threat is included in that path. The analysis means identifies the path in the threat chain as a specific attack path, indicating a path in the threat chain where a security attack may occur based on the threats included in that path, if the abstract threat is not included in that path. The system design apparatus according to claim 3.

5. The analysis means determines that if the content of the threat is such that any component of the abstract attack path is abstract, and all components that could give rise to the abstract threat cannot be given the characteristics to prevent the threat, then there is no means to prevent the abstract threat from being replaced by a concrete threat, and the computer system design of the third configuration information is insecure. The system design apparatus according to claim 4.

6. A system design device, First configuration information is obtained, which includes at least information about the topology of the computer system using its components. Second configuration information is generated, which embodies the topology configuration in the first configuration information. The system determines whether a security threat may occur in the constituent elements of the specified topology, and if a threat may occur, it generates third configuration information by adding the identifier of the threat, the constituent elements in which the threat may occur, the identifiers of other threats contributing to the occurrence of the threat, and information showing the relationship between these other constituent elements in which the other threats may occur, to the second configuration information. In the threat chain path based on the relationship between the threat and other threats contributing to the occurrence of the threat in the third configuration information, it is determined whether the content of each threat is specific or abstract, and in the cases where the content of the threat is specific or abstract, it is determined whether the design of the computer system in the third configuration information is insecure or not. The design of the computer system of the third configuration information is determined to be insecure if the content of the threat is concrete in all parts of the threat chain path, or if the content of the threat is abstract in any part of the threat chain path but there is no means to prevent that abstract threat from being replaced by a concrete threat. System design methodology.

7. The computer of the system design device Acquisition means for acquiring first configuration information which includes at least information about the topology of the computer system using components in the computer system, Configuration concretization means for generating second configuration information that embodies the topology configuration in the first configuration information, A threat embodiment means that determines whether or not a security threat may occur in the components of the embodiment topology, and generates third configuration information by adding, if a threat may occur, an identifier of the threat, the component in which the threat may occur, identifiers of other threats that contribute to the occurrence of the threat, and information showing the relationship between the other components in which the other threat may occur, to the second configuration information. Analysis means for determining whether the content of each threat is specific or abstract in the threat chain path based on the relationship between the threat and other threats contributing to the occurrence of the threat in the third configuration information, and determining whether the design of the computer system in the third configuration information is insecure in the cases where the content of the threat is specific or abstract. To make it function as, The analysis means determines that the design of the computer system of the third configuration information is insecure if the content of the threat is concrete in all parts of the threat chain path, or if the content of the threat is abstract in any component of the threat chain path but there is no means to prevent that abstract threat from being replaced by a concrete threat. program.