Inspection device, inspection program, and inspection method
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- OKI ELECTRIC INDUSTRY CO LTD
- Filing Date
- 2022-06-20
- Publication Date
- 2026-06-30
Smart Images

Figure 0007882008000001 
Figure 0007882008000002 
Figure 0007882008000003
Abstract
Description
Technical Field
[0001] The present invention relates to an inspection apparatus, an inspection program, and an inspection method, and can be applied to, for example, an apparatus for remotely monitoring and managing devices connected to a network (such as an apparatus for detecting network connections of vulnerable devices).
Background Art
[0002] In the operating system (OS) and software of a computer, there are vulnerability problems, which are security defects caused by program malfunctions or design mistakes. If a computer continues to be used with vulnerabilities left unattended, there is a risk of being used for unauthorized access or being infected with a virus.
[0003] Thus, vulnerabilities have become one of the major problems in information security in computers connected to a network (such as the Internet).
[0004] By the way, there is IT (Information Technology) asset management as software for knowing what devices are permitted to be connected within a company or organization. IT asset management is to collect information on devices connected to a network within a company or organization, such as personal computers (PCs), servers, and other printers, and manage it in a database. IT asset management manages information such as the IP (Internet Protocol) address, MAC (Media Access Control) address, computer name, OS installed software, open port number, and user of the connected devices, for example.
[0005] There are methods for directly describing the information of each device in asset management software, or installing dedicated software on a terminal and transmitting terminal information such as the OS to an IT asset management device.
[0006] One way to utilize IT asset management is to monitor whether unauthorized devices are connected to the network, or whether devices have malicious or vulnerable operating systems or software installed.
[0007] As software for discovering vulnerabilities in devices, there are vulnerability testing tools, such as those disclosed in Non-Patent Documents 1-3. By using vulnerability testing tools to discover and remove vulnerabilities, the risk of virus infection and other problems can be reduced. In addition, there are other methods of vulnerability testing, such as the following tests (OS scans).
[0008] OS scanning involves polling target devices connected to the network and examining their responses. This allows the system to determine which operating system (OS) the target device is using. [Prior art documents] [Non-patent literature]
[0009] [Non-Patent Document 1] “Nmap Changelog” [Searched June 1, 2022], [Online], INTERNET,<URL: https: / / nmap.org / changelog.html> [Non-Patent Document 2] “NESSUS” [Searched June 1, 2022], [Online], INTERNET,<URL: https: / / www.tenable.com / products / nessus> [Non-Patent Document 3] “OWASP ZAP(Zed Attack Proxy)” [Searched on June 1, 2022], [Online], INTERNET,<URL: https: / / owasp.org / www-project-zap / > [Overview of the project] [Problems that the invention aims to solve]
[0010] Incidentally, from an information security standpoint, companies and other organizations want to immediately isolate devices with vulnerable operating systems installed from the network if they are connected. Furthermore, they want to be able to immediately detect potentially vulnerable or unauthorized devices without using lists of permitted or prohibited devices, such as those found in IT asset management software.
[0011] The method of installing asset management software on each device (terminal) has the problem that terminal information cannot be collected from unauthorized terminals that do not have the software installed.
[0012] Therefore, regardless of whether the terminal is managed by asset management software, there is a need for inspection devices, inspection programs, and inspection methods that can detect the connection of potentially vulnerable or unauthorized terminals to the network. [Means for solving the problem]
[0013] The first aspect of the present invention is an inspection device for inspecting the vulnerabilities and / or malicious activity of one or more target devices connected via a network at a predetermined timing, comprising: (1) related information collection means for collecting information including at least the content of the operating system inspection as information necessary for inspecting the target devices; (2) operating system determination means for determining the operating system of the target devices using the information collected by the related information collection means; (3) vulnerability determination result storage means for storing vulnerability determination results including the operating system information of the target devices determined by the operating system determination means; and (4) vulnerability determination means for determining the vulnerability of the target devices using the operating system information of each target device determined by the operating system determination means and past operating system information of the target devices stored in the vulnerability determination result storage means. (5) The vulnerability determination means determines the vulnerability of the device under test based on whether or not information about the same operating system as the operating system of the device under test determined by the operating system determination means is stored in the vulnerability determination result storage means, and (6) the information about the operating system of the device under test stored in the vulnerability determination result storage means is information about an operating system that is already in operation. It is characterized by the following:
[0014] The second inspection program of the present invention functions as a computer mounted on an inspection device that inspects the vulnerabilities and / or malicious activity of one or more target devices connected via a network at predetermined timings, comprising: (1) related information collection means for collecting information including at least the content of the operating system inspection as information necessary for inspecting the target devices; (2) operating system determination means for determining the operating system of the target devices using the information collected by the related information collection means; (3) vulnerability determination result storage means for storing vulnerability determination results including the operating system information of the target devices determined by the operating system determination means; and (4) vulnerability determination means for determining the vulnerability of the target devices using the operating system information of each target device determined by the operating system determination means this time and past operating system information of the target devices stored in the vulnerability determination result storage means. (5) The vulnerability determination means determines the vulnerability of the device under test based on whether or not information about the same operating system as the operating system of the device under test determined by the operating system determination means is stored in the vulnerability determination result storage means, and (6) the information about the operating system of the device under test stored in the vulnerability determination result storage means is information about an operating system that is already in operation. It is characterized by the following:
[0015] The third aspect of the present invention is an inspection method for use in an inspection device that inspects for vulnerabilities and / or malicious activity of one or more target devices connected via a network at predetermined timings, comprising: (1) related information collection means collecting information including at least the content of the operating system inspection as information necessary for inspecting the target devices; (2) operating system determination means determining the operating system of the target devices using the information collected by the related information collection means; (3) vulnerability determination result storage means storing vulnerability determination results including the operating system information of the target devices determined by the operating system determination means; and (4) vulnerability determination means determining the vulnerability of the target devices using the operating system information of each target device determined this time by the operating system determination means and past operating system information of the target devices stored in the vulnerability determination result storage means. (5) The vulnerability determination means determines the vulnerability of the device under test based on whether or not information about the same operating system as the operating system of the device under test determined by the operating system determination means is stored in the vulnerability determination result storage means, and (6) the information about the operating system of the device under test stored in the vulnerability determination result storage means is information about an operating system that is already in operation. It is characterized by the following: [Effects of the Invention]
[0016] According to the present invention, regardless of whether a terminal is managed by asset management software, it is possible to detect the connection of a terminal with a risk of vulnerability or fraud to a network.
Brief Description of Drawings
[0017] [Figure 1] It is a block diagram showing the internal configuration of a vulnerability detection device according to the first embodiment. [Figure 2] It is an overall configuration diagram showing the overall configuration of a vulnerability inspection system according to the first embodiment. [Figure 3] It is an explanatory diagram showing an example of an IT asset information storage unit according to the first embodiment. [Figure 4] It is an explanatory diagram showing an example of an OS information storage unit according to the first embodiment. [Figure 5] It is an explanatory diagram showing an example of a determination result storage unit according to the first embodiment. [Figure 6] It is a flowchart showing vulnerability inspection in a vulnerability inspection system (mainly a vulnerability detection device) according to the first embodiment. [Figure 7] It is an overall configuration diagram showing the overall configuration of a vulnerability inspection system according to the second embodiment. [Figure 8] It is an explanatory diagram showing an example of device traffic management information according to the second embodiment [Figure 9] It is a flowchart showing vulnerability inspection in a vulnerability inspection system (mainly a vulnerability detection device) according to the second embodiment.
Modes for Carrying Out the Invention
[0018] (A) First Embodiment Hereinafter, a first embodiment of an inspection device, an inspection program, and an inspection method according to the present invention will be described in detail with reference to the drawings.
[0019] (A-1) Configuration of the First Embodiment (A-1-1) Overall Configuration Figure 2 is an overall configuration diagram showing the overall configuration of the vulnerability testing system according to the first embodiment.
[0020] In Figure 2, the vulnerability testing system 100 comprises a vulnerability device detection device 1, an IT asset management device 2, a monitoring result output device 3, and multiple target terminals 4 (4-1 to 4-n), with each device (terminal) connected via a network N.
[0021] Network N can be any communication network to which each device can connect, and its type is not limited. Furthermore, there may be multiple types of networks intervening between each device, and Network N may consist of multiple types of networks (Ethernet, Internet, etc.). In this embodiment, Network N primarily refers to a network also known as an intranet, which can be managed and used within a company or organization.
[0022] The vulnerability detection device 1 has the function of checking whether or not the target terminal 4, which is the terminal to be inspected, contains a vulnerability.
[0023] The IT asset management device 2 is a device that collects and manages network-related information of devices connected to network N (such as the terminal 4 to be inspected). As an alternative, the IT asset management device 2 (IT asset information storage unit 17) may be excluded from the vulnerability inspection system 100.
[0024] Furthermore, the IT asset management device 2 has an IT asset information storage unit 17 that stores information collected from the terminals 4 under inspection. Details of the IT asset information storage unit 17 will be described later in the detailed configuration of the vulnerability device detection device 1.
[0025] The monitoring result output device 3 is a device involved in the monitoring and management of network-connected devices and has the function of outputting and displaying the results of vulnerability testing. For example, the monitoring result output device 3 has a web browser built into the device and can use this browser to display information (results of vulnerability testing) sent from the vulnerability device detection device 1 on its screen, or it can input information into the displayed screen and send that input information to the vulnerability device detection device 1.
[0026] The device under inspection (device 4) is a communication terminal that has been assigned an IP address or MAC address and is capable of connecting to network N. For example, device under inspection (device 4) is an information processing terminal with communication capabilities, such as a PC, tablet, or smartphone.
[0027] (A-1-2) Detailed configuration of vulnerability device detection device 1 Figure 1 is a block diagram showing the internal configuration of a vulnerability detection device according to the first embodiment. In Figure 1, the vulnerability device detection device 1 includes a data receiving unit 11, a control unit 12, a related information collection unit 13, a vulnerability detection unit 14, an inspection result generation unit 15, an inspection information storage unit 16, a judgment result storage unit 18, and an OS information storage unit 19.
[0028] The vulnerability device detection device 1 may be configured entirely in hardware (for example, using a dedicated semiconductor chip), or it may be configured partially or entirely in software.
[0029] The data receiving unit 11 has the function of inputting new device detection data when it detects a new connection of a device (such as the terminal 4 to be inspected) to the network N. Alternatively, the vulnerability device detection device 1 itself may have a packet monitoring function on the network N and perform new device detection on its own.
[0030] The control unit 12 has the function of determining the timing for starting the vulnerability test and, when the timing for starting the vulnerability test arrives, issuing a request to the related information collection unit 13 to execute the test.
[0031] The related information collection unit 13 has the function of extracting information necessary for vulnerability testing from the inspection information storage unit 16, the IT asset information storage unit 17, and the judgment result storage unit 18 (described later) for the terminal 4 to be inspected, and providing it to the vulnerability detection unit 14.
[0032] The vulnerability detection unit 14 has the function of performing vulnerability testing using data input from the related information collection unit 13. The test results are stored in the judgment result storage unit 18. The vulnerability detection unit 14 also provides the test results to the test result generation unit 15.
[0033] The inspection result generation unit 15 has the function of generating inspection results that can be reviewed by an administrator, using data from the vulnerability detection unit 14.
[0034] The IT asset information storage unit 17 has the function of holding information collected by the IT asset management device 2 from the terminals under inspection 4. When the vulnerability device detection device 1 obtains information from the IT asset information storage unit 17, it obtains the information via the network N.
[0035] Figure 3 is an explanatory diagram showing an example of an IT asset information storage unit according to the first embodiment. As shown in Figure 3, the IT asset information storage unit 17 has the following items: "ID" which identifies the terminal (inspection target terminal 4) connected to the network N, "IP address" which indicates the IP address of each terminal, "MAC address" which indicates the MAC address of each terminal, "computer name" which indicates the name of each terminal, "OS" which indicates the OS installed on each terminal, "user ID" which identifies the user who uses each terminal, "update time" which indicates the time when each record (data) stored in the IT asset information storage unit 17 was updated, and "last used time" which indicates the time when each terminal was last used. Note that Figure 3 is just one example, and various configurations can be applied to the IT asset information storage unit 17.
[0036] The inspection information storage unit 16 is configured to acquire inspection details when an inspection type is specified. In this embodiment, the inspection type is limited to OS scans only. The configuration of the inspection information storage unit 16 is not particularly limited.
[0037] The OS information storage unit 19 is a functional unit that holds information related to the OS. The OS information storage unit 19 may be stored inside the vulnerability device detection device 1 or in an external device.
[0038] Figure 4 is an explanatory diagram showing an example of an OS information storage unit according to the first embodiment. As shown in Figure 4, the OS information storage unit 19 has items for "ID" to identify each OS, "OS name" indicating the name of each OS, and "permission ID" indicating network connection permission for each OS. Note that Figure 4 is just one example, and various configurations can be applied to the OS information storage unit 19.
[0039] The permission ID mentioned above will contain values ranging from "0" to "2". "0" indicates permission to connect to the network, "1" indicates that network connection should be approached with caution, and "2" indicates that network connection is prohibited.
[0040] The judgment result storage unit 18 is a functional unit that stores the inspection results performed by the vulnerability detection unit 14.
[0041] Figure 5 is an explanatory diagram showing an example of a determination result storage unit according to the first embodiment.
[0042] As shown in Figure 5, the judgment result storage unit 18 has the following items: "ID" which identifies the terminal connected to network N (inspection target terminal 4), "IP address" which indicates the IP address of each terminal, "MAC address" which indicates the MAC address of each terminal, "OS" which indicates the OS installed on each terminal, "timestamp" which indicates the time of the judgment, and "permitted" which indicates the judgment result (permitted or prohibited) of the network connection of each terminal. The judgment result storage unit 18 may be managed in the same table as the IT asset information storage unit 17.
[0043] The "ID" in Figure 5 and the "ID" in Figure 3 are the same. However, terminals that are not registered in the IT asset information storage unit 17 and are newly connected to the network will be assigned an ID from 101 onwards. Terminal identifiers (IP address, MAC address) can be omitted as they are stored in the IT asset information storage unit 17, but they are included because some terminals are not registered in the IT asset information storage unit 17. In addition, the OS in Figure 5 may be to register either the OS ID or the OS name.
[0044] (A-2) Operation of the first embodiment Next, the characteristic operation of the vulnerability testing system 100 according to the first embodiment will be described in detail with reference to the drawings.
[0045] Figure 6 is a flowchart showing vulnerability testing in the vulnerability testing system (mainly a vulnerability detection device) according to the first embodiment.
[0046] <s101>New detection When the control unit 12 receives detection information via the data receiving unit 11 indicating that a target terminal 4 has newly connected to network N, it starts the vulnerability testing process. This detection information includes a device identifier (IP address or MAC address).
[0047] <s102>Refer to the equipment permission list. The related information collection unit 13 searches the IT asset information storage unit 17 using the input device identifier as a key.
[0048] <s103>Determination of whether OS has been checked or not. The related information collection unit 13 determines whether or not to perform an OS check on the target terminal 4 based on the information from the IT asset information storage unit 17 referenced in step S102 described above. Specifically, if the related information collection unit 13 finds that OS information is written in the OS column of the hit data, it skips the OS check and proceeds to step S106, which will be described later. On the other hand, if the related information collection unit 13 finds that OS information is not written in the OS column of the hit data, it proceeds to the next step S104. For example, in the example in Figure 3, the data for ID1 has an OS registered, so no OS check is performed, but the data for ID5 does not have an OS registered, so an OS check is performed. As a modification, if the IT asset management device 2 does not exist (if the IT asset information storage unit 17 does not exist), step S103 may be skipped and the process may proceed from step S102 to step S104.
[0049] <s104>Determination of whether permission has been granted or not. The related information collection unit 13 uses the input device identifier as a key to search the judgment result storage unit 18 and determine whether the OS has authorized it or not. If the authorization column of the hit data is marked "OK", the related information collection unit 13 determines that it is authorized and proceeds to step S106. On the other hand, if the authorization column of the hit data is marked "NG", the related information collection unit 13 determines that it is not authorized and proceeds to step S105 (performs an OS check). If the check is performed periodically, the related information collection unit 13 may refer to the update time column of the hit data and proceed to step S105 if a predetermined amount of time has elapsed since the update time.
[0050] For example, in the example in Figure 5, when the IP address is "192.168.100.10" (registered with ID 1), it is permitted, so the process proceeds to step S106. On the other hand, when the IP address is "192.168.100.35" (registered with ID 102), it is not permitted, so the process proceeds to step S105. Similarly, if the IP address is not registered, such as "192.168.100.36", the process also proceeds to step S105.
[0051] <s105>OS check The vulnerability detection unit 14 obtains the OS inspection details from the inspection information storage unit 16 and performs an OS inspection on the target terminal 4. The OS inspection is not particularly limited, but for example, it is performed using nmap as described in Non-Patent Document 1. A packet is sent to the target terminal 4 using nmap, the response content is obtained, and the OS is determined using the obtained response content (and the OS information in the OS information storage unit 19, if one exists).
[0052] <s106>Referencing the judgment results The vulnerability detection unit 14 investigates whether the OS identified in step S105 above exists in the OS stored in the judgment result storage unit 18.
[0053] <s107>Vulnerability determination In the process of step S106 described above, the vulnerability detection unit 14 determines whether the OS is permitted if it already exists in the past test results in the judgment result storage unit 18, or if it is a newly appearing OS, it determines whether it is permitted or prohibited. Alternatively, as a modification, the unit may also determine whether an OS is permitted or prohibited by referring to the permitted OS database (OS information storage unit 19, etc.).
[0054] For example, in the example in Figure 5, if the OS is newly determined to be Windows 10 (registered trademark) in step S105, the vulnerability assessment is considered "OK" because data already exists in ID1, ID2, and ID5. On the other hand, if the OS is newly determined to be Windows XP (registered trademark) in step S105, it is considered "NG" because it does not exist in the assessment result storage unit 18. In this way, unique operating systems (for example, operating systems whose official support period has expired) are not used within the company or organization, and are considered to have vulnerabilities or to have been accessed illegally, and are therefore judged as NG.
[0055] <s108>Description of judgment information The vulnerability detection unit 14 writes the OS vulnerability determination result to the determination result storage unit 18.
[0056] <s109>Output of judgment results The inspection result generation unit 15 generates the OS vulnerability assessment results in email or HTML (Hypertext Markup Language) format and sends them to the monitoring result output device 3 for provision to the administrator. Once sent to the monitoring result output device 3, the administrator can view the vulnerability assessment results.
[0057] (A-3) Effects of the first embodiment According to the first embodiment, the system uses the information of the network under inspection within the OS inspection result information to determine whether or not it is a unique OS, and performs an OS vulnerability assessment. As a result, terminals that are not on the IT asset management list or that may be vulnerable or are acting maliciously can be detected immediately without using IT asset management software.
[0058] (B) Second Embodiment A second embodiment of the inspection apparatus, inspection program, and inspection method according to the present invention will be described in detail below with reference to the drawings.
[0059] (B-1) Configuration of the second embodiment Figure 7 is an overall configuration diagram showing the overall configuration of the vulnerability testing system according to the second embodiment.
[0060] In Figure 7, the vulnerability testing system 200 includes a vulnerability device detection device 1, an IT asset management device 2, a monitoring result output device 3, multiple target terminals 4 (4-1 to 4-n), and a traffic monitoring device 5, with each device (terminal) connected via a network N. The vulnerability testing system 200 of the second embodiment has the configuration of the vulnerability testing system 100 of the first embodiment with the addition of a traffic monitoring device 5.
[0061] The traffic monitoring device 5 collects packets on the network N and estimates the communication status of the terminal 4 under inspection. The traffic monitoring device 5 also maintains a device traffic information management unit 51.
[0062] The equipment traffic information management unit 51 manages the inspection results from the traffic monitoring device 5 by describing them in equipment traffic management information 52. Figure 8 is an explanatory diagram showing an example of equipment traffic management information according to the second embodiment.
[0063] In Figure 8, the device traffic management information 52 includes the following items: "Source Address," which indicates the IP address of the source of the communication packet; "Destination Address," which indicates the IP address of the destination of the communication packet; "Packet Size," which indicates the size of the communication packet; and "Timestamp," which indicates the time the communication packet was inspected. Note that Figure 8 is just one example, and various configurations can be applied to the device traffic management information 52. For example, the amount of data transmitted may be used instead of the packet size, or other information obtainable from the packet, such as the source port number, destination port number, and TCP / IP service name, may be included.
[0064] The processing of the vulnerability device detection device 1 (vulnerability detection unit 14) in the second embodiment differs in part from that of the first embodiment, and these differences will be described in the section on operation.
[0065] (B-2) Operation of the second embodiment Next, the characteristic operation of the vulnerability testing system 200 according to the second embodiment will be described in detail with reference to the drawings.
[0066] Figure 9 is a flowchart showing vulnerability testing in a vulnerability testing system (mainly a vulnerability detection device) according to the second embodiment. If a vulnerability is determined to be present after performing a vulnerability determination in step S107 of Figure 6 described above, the following process is initiated.
[0067] <s201>Obtaining traffic information The traffic monitoring device 5 constantly monitors packets flowing through the network N of the terminal under inspection 4 (the IP address under inspection). The device traffic information management unit 51 then obtains the source address, destination address, packet size, etc. from the packets and stores them in the device traffic management information 52.
[0068] Furthermore, the device traffic information management unit 51 calculates a traffic risk value, which indicates whether there is a possibility of malicious communication, based on the packet monitoring status and device traffic management information 52. The method for calculating the traffic risk value is not particularly limited, and various methods can be applied.
[0069] For example, the device traffic information management unit 51 sets the value to "0" if it determines there is no risk, and to "10" if it determines the risk is the highest. Each time the traffic risk value is calculated, traffic information including the traffic risk value is sent to the vulnerability device detection device 1, which is acquired by the data receiving unit 11 and temporarily stored. The vulnerability device detection device 1 performs the following processing when it acquires the traffic risk value.
[0070] <s202>Vulnerability Countermeasure Risk Calculation The vulnerability detection unit 14 uses the vulnerability risk value and the traffic risk value to calculate a risk value that indicates the need for vulnerability countermeasures. In the case of a vulnerability risk value obtained only from an OS scan, for example, the three levels of permission ID values shown in Figure 4 (OS information storage unit 19) are used.
[0071] Alternatively, instead of calculating new risk values (risk values indicating the need for vulnerability countermeasures), it would be better to create a list of existing risk values. In other words, the need for vulnerability countermeasures can be determined from the listed values (vulnerability risk values, traffic risk values).
[0072] example) [Device identifier (IP address), vulnerability risk value, traffic risk value] = [192.168.100.13, 1, 50] <s203>Countermeasure determination The vulnerability detection unit 14 uses the aforementioned risk value to determine whether or not countermeasures should be taken. The vulnerability detection unit 14 will take countermeasures if the risk value exceeds a predetermined risk value for each countermeasure.
[0073] The higher the vulnerability risk score, the more immediate countermeasures are needed. Similarly, high traffic risk scores also necessitate countermeasures. If both the vulnerability risk score and traffic risk score are high, it could indicate that an older OS is being used, leading to a virus infection and abnormal communication, or that unauthorized devices are connecting within the company or organization and engaging in malicious activity. In such cases, immediate countermeasures should be taken.
[0074] The vulnerability detection device 1 takes countermeasures as follows, for example: If the vulnerability risk value is 2 and the traffic anomaly risk value is 50 or higher, it forcibly blocks communication from the terminal in question. If the vulnerability risk value is 1 and the traffic risk value is 30 or higher, it determines that no urgent countermeasures are necessary and simply notifies the administrator by email. If the vulnerability risk value is 1 and the traffic risk value is 10, no countermeasures are required.
[0075] <S204、S205> Implementation of countermeasures If the vulnerability detection unit 14 determines in step S203 above that there is a risk and countermeasures are required, it executes the determined countermeasures.
[0076] (B-3) Effects of the second embodiment According to the second embodiment, in addition to the effects of the first embodiment, the following effects are achieved.
[0077] The vulnerability detection device 1 performs a determination using the OS vulnerability assessment result and information on actual abnormal traffic, thereby improving the accuracy of vulnerability and abnormal communication detection, and making it easier to take countermeasures in the event of an anomaly compared to the first embodiment.
[0078] (C) Other embodiments Although various modified embodiments were mentioned in the first and second embodiments described above, the present invention can also be applied to the following modified embodiments.
[0079] In the vulnerability testing system 100 of the first embodiment and the vulnerability testing system 200 of the second embodiment described above, the vulnerability device detection device 1, the IT asset management device 2, and the traffic monitoring device 5 are shown as separate devices, but they may also be configured within the same hardware. [Explanation of Symbols]
[0080] 1...Vulnerability detection device, 2...IT asset management device, 3...Monitoring result output device, 4...Terminal to be inspected, 5...Traffic monitoring device, 11...Data receiving unit, 12...Control unit, 13...Related information collection unit, 14...Vulnerability detection unit, 15...Inspection result generation unit, 16...Inspection information storage unit, 17...IT asset information storage unit, 18...Judgment result storage unit, 19...OS information storage unit, 51...Device traffic information management unit, 52...Device traffic management information, 100...Vulnerability inspection system, 200...Vulnerability inspection system, N...Network.
Claims
1. An inspection device that inspects the vulnerabilities and / or malicious activity of one or more devices connected via a network at predetermined timings, Related information collection means for collecting information that includes at least the operating system inspection details as information necessary for inspecting the equipment to be inspected, An operating system determination means that uses the information collected by the aforementioned related information collection means to determine the operating system of the device to be inspected, A vulnerability determination result storage means for storing vulnerability determination results including information on the operating system of the device under test determined by the operating system determination means, The system includes a vulnerability determination means that determines the vulnerability of each device under test using the operating system information of each device under test determined by the operating system determination means and past operating system information of the devices under test stored in the vulnerability determination result storage means. The vulnerability determination means determines the vulnerability of the device under test based on whether or not information about the same operating system as the operating system of the device under test determined by the operating system determination means is stored in the vulnerability determination result storage means. The information on the operating system of the device under inspection stored in the vulnerability assessment result storage means is information on an operating system that is already in operation. An inspection device characterized by the following features.
2. The inspection device according to claim 1, characterized in that the vulnerability determination means determines the vulnerability of the equipment to be inspected by also taking IT asset management information into consideration.
3. Each operating system maintains network connection permission information, which includes at least information on whether or not to allow connection to the network. The vulnerability determination means determines the vulnerability of the device under test, taking into account the network connection permission information. The inspection apparatus according to feature 1.
4. The vulnerability determination means further performs a communication anomaly determination of the device under inspection using the vulnerability determination result of the device under inspection and traffic information. The inspection apparatus according to feature 1.
5. The inspection apparatus according to claim 1, characterized in that the predetermined timing is the timing at which the equipment to be inspected is newly connected to the network.
6. The inspection apparatus according to any one of claims 1 to 5, further comprising an inspection result output means for generating and outputting inspection results based on the vulnerability determination results performed by the vulnerability determination means.
7. A computer installed in a testing device that tests for vulnerabilities and / or malicious activity in one or more devices connected via a network at predetermined intervals, Related information collection means for collecting information that includes at least the operating system inspection details as information necessary for inspecting the equipment to be inspected, An operating system determination means that uses the information collected by the aforementioned related information collection means to determine the operating system of the device to be inspected, A vulnerability determination result storage means for storing vulnerability determination results including information on the operating system of the device under test determined by the operating system determination means, The operating system information of each device under test determined by the operating system determination means and the past operating system information of the devices under test stored in the vulnerability determination result storage means are used to perform vulnerability determination of the devices under test. The vulnerability determination means determines the vulnerability of the device under test based on whether or not information about the same operating system as the operating system of the device under test determined by the operating system determination means is stored in the vulnerability determination result storage means. The information on the operating system of the device under inspection stored in the vulnerability assessment result storage means is information on an operating system that is already in operation. A testing program characterized by the following features.
8. A testing method used in a testing device that tests for vulnerabilities and / or malicious activity in one or more devices connected via a network at predetermined timings, The related information gathering means collects information including at least the operating system inspection details as information necessary for inspecting the equipment under inspection, The operating system determination means uses the information collected by the related information collection means to determine the operating system of the device under inspection, The vulnerability determination result storage means stores the vulnerability determination result, which includes information on the operating system of the device under test, as determined by the operating system determination means. The vulnerability determination means uses the operating system information of each device under test determined by the operating system determination means and the past operating system information of the devices under test stored in the vulnerability determination result storage means to determine the vulnerability of the device under test. The vulnerability determination means determines the vulnerability of the device under test based on whether or not information about the same operating system as the operating system of the device under test determined by the operating system determination means is stored in the vulnerability determination result storage means. The information on the operating system of the device under inspection stored in the vulnerability assessment result storage means is information on an operating system that is already in operation. A testing method characterized by the following features.