System design equipment, system design method, program
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- NEC CORP
- Filing Date
- 2022-08-26
- Publication Date
- 2026-06-09
AI Technical Summary
【0010】 本発明によれば、コンピュータのシステム設計において、ユーザにより入力されたシステム要件を具体化したシステム構成のうち、非セキュアであると判定されないシステム構成の設計結果を効率よく出力することのできるシステム設計装置、システム設計方法、記憶媒体を提供する。
Smart Images

Figure 0007871879000001 
Figure 0007871879000002 
Figure 0007871879000003
Abstract
Claims
1. Acquisition means for acquiring first configuration information which includes at least information about the topology of the computer system using components in the computer system, Configuration concretization means for generating second configuration information that concretizes the topology configuration in the first configuration information, A threat embodiment means that determines whether or not a security threat may occur in the components of the embodiment topology, and generates third configuration information by adding, if a threat may occur, an identifier of the threat, the components in which the threat may occur, identifiers of other threats contributing to the occurrence of the threat, and information showing the relationship between the other components in which the other threat may occur, to the second configuration information. An analysis means that determines whether the content of each threat is specific or abstract in the threat chain path based on the relationship between the threat and other threats contributing to the occurrence of the threat in the third configuration information, and determines whether the design of the computer system in the third configuration information is insecure in the cases where the content of the threat is specific or abstract, Equipped with, The analysis means determines that the design of the computer system of the third configuration information is insecure if the content of the threat is concrete in all parts of the threat chain path, or if the content of the threat is abstract in any component of the threat chain path but there is no means to prevent that abstract threat from being replaced by a concrete threat. System design device.
2. The aforementioned means for concretizing the configuration is, The second configuration information is generated, which embodies one of the predetermined units of the constituent elements in the topology of the computer system of the first configuration information input at the start of processing. The process of generating new second configuration information by taking the third configuration information generated based on the second configuration information and the third configuration information that was not determined to be insecure as new first configuration information, and then repeatedly generating new second configuration information that embodies one of the predetermined units of the constituent elements in the topology of the computer system of the first configuration information, and then repeatedly generating the third configuration information based on the second configuration information, If none of the predetermined units of the constituent elements in the topology of the computer system of the third configuration information can be further concretized, and the design of the computer system of the third configuration information is not determined to be insecure, the design of the third configuration information Output as a result The system design apparatus according to claim 1.
3. The threat concretization means adds to the third configuration information information indicating whether the threat information to be added to the second configuration information is specific or abstract, based on threat concretization rules that indicate threats defined according to the topology. The analysis means determines that the computer system design of the third configuration information is insecure if, based on the information assigned to the third configuration information, the content of the threat is concrete in all parts of the threat chain path, or if the content of the threat is abstract in any part of the threat chain path but there is no means to prevent that abstract threat from being replaced by a concrete threat. A system design apparatus according to claim 1 or claim 2.
4. The analysis means identifies the path in the threat chain as an abstract attack path, indicating a path in the threat chain where a security attack may occur based on the threats included in that path, if the abstract threat is included in that path. The analysis means identifies the path in the threat chain as a specific attack path, indicating a path in the threat chain where a security attack may occur based on the threats included in that path, if the abstract threat is not included in that path. The system design apparatus according to claim 3.
5. The analysis means determines that if the content of the threat is such that any component of the abstract attack path is abstract, and all components that could give rise to the abstract threat cannot be given the characteristics to prevent the threat, then there is no means to prevent the abstract threat from being replaced by a concrete threat, and the computer system design of the third configuration information is insecure. The system design apparatus according to claim 4.
6. A system design device, First configuration information is obtained, which includes at least information about the topology of the computer system using its components. Second configuration information is generated, which embodies the topology configuration in the first configuration information. The system determines whether a security threat may occur in the constituent elements of the specified topology, and if a threat may occur, it generates third configuration information by adding the identifier of the threat, the constituent elements in which the threat may occur, the identifiers of other threats contributing to the occurrence of the threat, and information showing the relationship between these other constituent elements in which the other threats may occur, to the second configuration information. In the threat chain path based on the relationship between the threat and other threats contributing to the occurrence of the threat in the third configuration information, it is determined whether the content of each threat is specific or abstract, and in the cases where the content of the threat is specific or abstract, it is determined whether the design of the computer system in the third configuration information is insecure or not. The design of the computer system of the third configuration information is determined to be insecure if the content of the threat is concrete in all parts of the threat chain path, or if the content of the threat is abstract in any part of the threat chain path but there is no means to prevent that abstract threat from being replaced by a concrete threat. System design methodology.
7. The computer of the system design device Acquisition means for acquiring first configuration information which includes at least information about the topology of the computer system using components in the computer system, Configuration concretization means for generating second configuration information that embodies the topology configuration in the first configuration information, A threat embodiment means that determines whether or not a security threat may occur in the components of the embodiment topology, and generates third configuration information by adding, if a threat may occur, an identifier of the threat, the component in which the threat may occur, identifiers of other threats that contribute to the occurrence of the threat, and information showing the relationship between the other components in which the other threat may occur, to the second configuration information. Analysis means for determining whether the content of each threat is specific or abstract in the threat chain path based on the relationship between the threat and other threats contributing to the occurrence of the threat in the third configuration information, and determining whether the design of the computer system in the third configuration information is insecure in the cases where the content of the threat is specific or abstract. To make it function as, The analysis means determines that the design of the computer system of the third configuration information is insecure if the content of the threat is concrete in all parts of the threat chain path, or if the content of the threat is abstract in any component of the threat chain path but there is no means to prevent that abstract threat from being replaced by a concrete threat. program.