Cause isolation system and cause isolation method

The cause isolation system effectively differentiates between cyberattacks and failures in vehicles by using graph-based evaluations, reducing the need for exhaustive pattern or path lists and improving operational efficiency.

WO2026126569A1 · PCT designated stage · Publication Date: 2026-06-18 · HITACHI LTD

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
HITACHI LTD
Filing Date
2025-08-01
Publication Date
2026-06-18

AI Technical Summary

Technical Problem

Existing systems like VSOCs struggle to distinguish between cyberattacks and failures in vehicles, leading to increased operational load and potential misidentification, as they require exhaustive lists of attack patterns or paths, which are difficult and time-consuming to prepare.

Method used

A cause isolation system that uses a path formation determination graph to associate abnormal events with nodes, evaluating the likelihood of attacks or failures by determining path formation without requiring exhaustive preparations, using attack and failure path formation determination graphs.

🎯Benefits of technology

Enables accurate isolation of causes without extensive upfront work, reducing processing load and improving accuracy by distinguishing between attacks and failures based on graph-based evaluations.

✦ Generated by Eureka AI based on patent content.

Figure (abstract drawing): JP2025027387_18062026_PF_FP_ABST

Abstract

This cause isolation system for isolating a cause of an occurrence of a detected event manages a path formation determination graph in which, among components constituting a target system, components to which an abnormality may spread due to a prescribed cause are set as nodes and the nodes are connected by edges. The cause isolation system associates an abnormal event pertaining to the abnormality extracted from a detected event with the nodes related to the abnormal event in the path formation determination graph, and performs path formation determination for determining whether a prescribed path is formed by the associated abnormal event in the path formation determination graph. On the basis of the determination result of the path formation determination, the cause isolation system assesses the possibility that the cause of the occurrence of the detected event is the prescribed cause.

Description

Cause Classification System and Cause Classification Method

【0001】 The present invention relates to a cause classification system and a cause classification method.

【0002】 In recent years, the application of information and communication technology has expanded in the automotive field, and connected cars have become popular. Since a connected car communicates with the outside, the risk of cyberattacks from the outside to the vehicle is high. Therefore, a VSOC (Vehicle Security Operation Center) that detects, analyzes, and responds to cyberattacks has been introduced into vehicles.

【0003】 The VSOC detects attacks by setting monitoring rules to capture abnormal logs of vehicles and servers. However, since the VSOC also records abnormal logs when a failure occurs in an ECU (Electric Control Unit), communication path, etc., it detects not only attacks but also failures. Thus, the VSOC increases the operation load by detecting attacks and failures equally, and there is a possibility of misidentifying attacks and failures and taking inappropriate countermeasures. Therefore, there is a need for a technology to distinguish events detected by the VSOC into attacks and failures.

【0004】 For example, Patent Document 1 discloses an apparatus that detects an attack by matching a detected event with a pre-defined attack pattern, and classifies an event that does not match the attack pattern as a failure or an unknown attack. Patent Document 2 also discloses an apparatus that estimates an attack path by matching an ECU log with a pre-defined predicted attack path.

【0005】 Japanese Unexamined Patent Application Publication No. 2022-7238, Japanese Unexamined Patent Application Publication No. 2023-6572

【0006】 However, the apparatus disclosed in Patent Document 1 described above requires an exhaustive list of predicted attack patterns, but it is difficult and time-consuming to list all attack patterns in advance. Similarly, the apparatus disclosed in Patent Document 2 also requires an exhaustive list of predicted attack paths, but it is difficult and time-consuming to list all attack paths in advance.

【0007】 This invention was made in consideration of the circumstances described above, and aims to enable the proper isolation of the cause of detected events without requiring difficult or time-consuming preparations.

【0008】 As one embodiment of solving the above problem, a cause isolation system for isolating the cause of a detection event detected in a target system, wherein the processor of the cause isolation system manages a path formation determination graph in which components among the components constituting the target system that may be affected by a predetermined cause are designated as nodes and the nodes are connected by edges, associates an abnormal event related to the abnormality extracted from the detection event with the node related to the abnormal event in the path formation determination graph, performs a path formation determination to determine whether a predetermined path is formed in the path formation determination graph by the associated abnormal event, and evaluates the possibility that the cause of the detection event is the predetermined cause based on the determination result of the path formation determination.

【0009】 According to the present invention, it is possible to appropriately isolate the cause of a detected event without requiring difficult or time-consuming preparations.

【0010】
• Figure 1: A diagram showing the configuration of the root cause isolation system according to the embodiment.
• Figure 2: A diagram showing the configuration of the detection event master according to the embodiment.
• Figure 3: A diagram showing the configuration of abnormal event master a according to the embodiment.
• Figure 4: A diagram showing the configuration of abnormal event master b according to the embodiment.
• Figure 5: A diagram showing the configuration of abnormal event master c according to the embodiment.
• Figure 6: A diagram showing the configuration of abnormal event master d according to the embodiment.
• Figure 7: A flowchart showing the acquisition and preprocessing of detection events according to the embodiment.
• Figure 8: A flowchart showing the acquisition of logs and extraction of abnormal events according to the embodiment.
• Figure 9: A flowchart showing the attack possibility evaluation process according to the embodiment.
• Figure 10: A flowchart showing the failure possibility evaluation process according to the embodiment.
• Figure 11: A flowchart showing the possibility comparison and root cause isolation result output process according to the embodiment.
• Figure 12: A diagram showing an abnormal event according to the embodiment.
• Figure 13: A diagram showing a graph for determining the formation of an attack path according to the embodiment.
• Figure 14: A diagram showing a graph for determining the formation of a failure path according to the embodiment.
• Figure 15: A diagram showing the configuration of the root cause isolation result output screen according to the embodiment.
• Figure 16: A diagram showing the hardware configuration of the computer.

【0011】 Embodiments of the present invention will be described in detail below with reference to the drawings. In the following embodiments, an example will be described in which the target system to which the present invention is applied is a vehicle system. However, the present invention is not limited to vehicle systems, but is broadly applicable to systems in general in which multiple components cooperate and are configured so that abnormalities propagate via networks or other communication means.

【0012】 (Configuration of the cause isolation system 100 according to the embodiment) Figure 1 is a diagram showing the configuration of the cause isolation system 100 according to the embodiment.
The cause isolation system 100 includes a detection event acquisition unit 101, a preprocessing unit 102, a log acquisition unit 103, an abnormal event extraction unit 104, an attack possibility evaluation unit 105, a failure possibility evaluation unit 106, a possibility comparison unit 107, and an isolation result output unit 108. The cause isolation system 100 also includes a detection event master storage unit 109 and an abnormal event master storage unit 110. The cause isolation system 100 is connected to a VSOC (Vehicle Security Operation Center) 111, a vehicle 112, and a server 113 via a network N. There may be multiple VSOCs 111, vehicles 112, and servers 113.

【0013】 The detection event acquisition unit 101 acquires detection events transmitted from the VSOC 111, the vehicle 112, etc. A detection event includes, in addition to the detection event ID, which is a unique identifier for the detection event, the detection event type ID 201, which is an identifier for the detected event (event), a timestamp representing the detection time, and a detection location representing the location where the event was detected. The information included in the detection event is not limited to these, and other information such as a description of the detection event may also be included.

【0014】 The preprocessing unit 102 uses the detection event master 200 stored in the detection event master storage unit 109 to perform preprocessing that classifies as an attack the cause of detection events that can only occur in the event of an attack.

【0015】 The log acquisition unit 103 acquires vehicle logs and server logs from the vehicle 112 and server 113 for use in the cause isolation process. The acquired vehicle logs and server logs include, for example, function call logs indicating that a function was executed, and authentication logs indicating that authentication was performed.

【0016】 The abnormal event extraction unit 104 detects abnormal events using the abnormal event master 300a stored in the abnormal event master storage unit 110, as well as the vehicle log and server log.

【0017】 The attack possibility evaluation unit 105 uses the detected abnormal event to evaluate the attack possibility, which indicates the likelihood that the cause of the detected event is an attack. The failure possibility evaluation unit 106 uses the detected abnormal event to evaluate the failure possibility, which indicates the likelihood that the cause of the detected event is a failure.

【0018】 The possibility comparison unit 107 compares the attack possibility evaluated by the attack possibility evaluation unit 105 with the failure possibility evaluated by the failure possibility evaluation unit 106 to categorize the cause of the detected event into failure, attack, or unknown cause.

【0019】 The isolation result output unit 108 transmits the failure/attack isolation result for the cause of the detected event produced by the possibility comparison unit 107, as well as the attack possibility, failure possibility, etc., to the VSOC 111, vehicle 112, etc.

【0020】 The detection event master storage unit 109 stores the detection event master 200.

【0021】 (Configuration of the detection event master 200 according to the embodiment) Figure 2 is a diagram showing the configuration of the detection event master 200 according to the embodiment. The detection event master 200 holds a flag 203 indicating whether the detection event indicated by each detection event type ID 201 may occur for reasons other than an attack. The detection event master 200 may also include a detection event type name 202. The flag 203 for the possibility of a non-attack occurrence is set to "0" for some detection event types 201 because the possibility that something other than an attack is the cause of the detection event is extremely low.
For example, it is considered extremely unlikely that a string that would trigger an injection attack is accidentally entered during a malfunction or during vehicle maintenance work at a dealer, so an injection attack detection is very unlikely to have a non-attack cause. For this reason, the flag 203 for the possibility of a non-attack occurrence is set to "0" for the detection event type 201 that detects injection attacks.

【0022】 (Configuration of the abnormal event master 300 according to the embodiment) The abnormal event master storage unit 110 stores abnormal event masters 300a, 300b, 300c, and 300d. In this embodiment, for the sake of explanation, the abnormal event masters 300 are divided into four tables, abnormal event masters 300a to 300d, but the integration and division of the abnormal event masters 300 can be changed as appropriate.

【0023】 Figure 3 shows the configuration of the abnormal event master 300a (abnormal event master a) according to the embodiment. The abnormal event master 300a shows, for each abnormal event type ID 301a, a detection method 303a and a detection log 304a, which is the log used for detection.

【0024】 Figure 4 shows the configuration of the abnormal event master 300b (abnormal event master b) according to the embodiment. The abnormal event master 300b holds, for each abnormal event type ID 301b, a non-attack occurrence possibility flag 303b indicating whether something other than an attack may be the cause of the abnormal event corresponding to that abnormal event type ID.

【0025】 Figure 5 shows the configuration of the abnormal event master 300c (abnormal event master c) according to the embodiment. The abnormal event master 300c shows the mapping type 303c used to determine which node each abnormal event type ID 301c is mapped to when mapping abnormal events to the attack path formation determination graph 500 and the failure path formation determination graph 600.

【0026】 Figure 6 shows the configuration of the abnormal event master 300d (abnormal event master d) according to the embodiment. The abnormal event master 300d indicates, as the failure log 303d, which log is generated when the cause of the abnormal event type ID 301d is a failure.

【0027】 As shown in Figures 3 to 6, abnormal event masters 300a, 300b, 300c, and 300d may include abnormal event type names 302a to 302d corresponding to abnormal event type IDs 301a to 301d.

【0028】 Furthermore, the functional block diagram shown in Figure 1 is illustrative, and the units and names of the functions are not limited thereto. For example, the functions realized by the detection event acquisition unit 101 in this embodiment may be realized by other functional units shown in Figure 1, or by functional units not shown in Figure 1.

【0029】 (Processing flow of the cause isolation system 100 according to the embodiment) Figures 7 to 11 show the processing flow of the cause isolation system 100 according to the embodiment.

【0030】 (Acquisition and preprocessing of detection events according to the embodiment) Figure 7 is a flowchart showing the acquisition and preprocessing of detection events according to the embodiment.

【0031】 First, in step S101, the detection event acquisition unit 101 acquires the detection event transmitted from the VSOC 111. However, events detected by security functions installed in the vehicle 112 or server 113 may also be acquired as detection events.

【0032】 Next, in step S102, the preprocessing unit 102 determines whether the detection event acquired in step S101 is an attack or something other than an attack based on the detection event type ID of the detection event. The preprocessing unit 102 makes this determination by looking up the detection event type ID 201 of the detection event in the detection event master 200 and reading the flag 203 indicating the possibility of occurrence other than an attack.
The purpose of step S102 is to reduce the processing load and improve the accuracy of evaluating the possibility of attack and the possibility of failure by excluding detection events that are clearly caused by an attack from the log (vehicle log, server log)-based cause isolation processing (step S107, Figures 9 and 10). However, "clear cause" is not limited to attacks; it may also be a failure or something else.

【0033】 The preprocessing unit 102 proceeds to step S103 if the detection event can only occur in the event of an attack (step S102 Yes), and proceeds to steps S105 and S106 (Figure 8) if the detection event can occur in the event of an attack or other event (step S102 No).

【0034】 In step S103, the preprocessing unit 102 classifies the cause of the detection event acquired in step S101 as "attack". Next, in step S104, the isolation result output unit 108 transmits the isolation result from step S103 to the VSOC 111. It may also transmit that the preprocessing unit 102 classified it as "attack". The isolation result may also be transmitted to the vehicle 112 or the server 113.

【0035】 Steps S105 and S106, shown in Figure 8 below, are executed in parallel. In step S105, the log acquisition unit 103 sends a vehicle log request to the vehicle 112 and acquires detailed logs (vehicle logs) from each ECU of the vehicle 112. In step S106, the log acquisition unit 103 sends a server log request to the server 113 and acquires detailed logs (server logs) from the server 113.

【0036】 Following steps S105 and S106, in step S107, the abnormal event extraction unit 104 inspects the vehicle log and server log based on the abnormal event master 300a. The abnormal event extraction unit 104 inspects the detection log 304a based on the detection method 303a shown in the abnormal event master 300a. The abnormal event extraction unit 104 then detects and extracts abnormal events from the detection log 304a based on the detection method 303a.

【0037】 Note that the abnormal events extracted in step S107 are not limited to one; multiple abnormal events may be extracted. Furthermore, no abnormal events may be extracted at all. An abnormal event includes an abnormal event ID, which is a unique identifier for the abnormal event, as well as an abnormal event type ID, which is an identifier for the detected event, a timestamp indicating the time of detection, and a detection location, which indicates the location (component) where the event was detected.

【0038】 Next, in step S108, the abnormal event extraction unit 104 creates an abnormal event list 400 using the abnormal events extracted in step S107. That is, as shown in Figure 12, the abnormal event extraction unit 104 stores the abnormal event ID 401, abnormal event type ID 402, ..., and failure flag 406 in the abnormal event list 400 for each abnormal event 400-i (i = 1, 2, ...) extracted in step S107.

【0039】 In step S109 shown in Figure 9, the attack possibility evaluation unit 105 measures the abnormal event list length (the number of abnormal events included in the abnormal event list 400) and determines whether it is 0 or not. If the abnormal event list length is 0 (step S110 Yes), the attack possibility evaluation unit 105 moves the process to step S117. If the abnormal event list length is 1 or more (step S110 No), the attack possibility evaluation unit 105 moves the process to step S110.

【0040】 In step S110, the attack possibility evaluation unit 105 assigns either "1" or "0" to the attack flag 405 of each abnormal event 400-i in the abnormal event list 400. Based on the abnormal event master 300b, the attack possibility evaluation unit 105 assigns "1" to the attack flag 405 if the abnormal event 400-i included in the abnormal event list 400 can only occur as an attack.
On the other hand, based on the abnormal event master 300b, the attack possibility evaluation unit 105 assigns "0" to the attack flag 405 if the abnormal event 400-i included in the abnormal event list 400 can occur for reasons other than an attack.

【0041】 Next, in step S111, the attack possibility evaluation unit 105 determines whether there is an abnormal event 400-i with an attack flag 405 of "1" in the abnormal event list 400. The purpose of step S111 is to reduce the processing load and improve the accuracy of the evaluation of attack possibility and failure possibility by excluding abnormal events that are clearly caused by an attack from the mapping process (step S112).

【0042】 The attack possibility evaluation unit 105 proceeds to step S114 if there is an abnormal event 400-i in the abnormal event list 400 with an attack flag 405 of "1" (step S111 Yes). On the other hand, the attack possibility evaluation unit 105 proceeds to step S112 if the attack flag 405 of all abnormal events 400-i in the abnormal event list 400 is "0" (step S111 No).

【0043】 In step S112, the attack possibility evaluation unit 105 maps the abnormal event 400-i in the abnormal event list 400 to the attack path formation determination graph 500 (FIG. 13). Which node the abnormal event 400-i is mapped to is determined from the detection location 404 of the abnormal event 400-i based on the abnormal event master 300c. For example, when an abnormal event 400-i with an abnormal event type ID of "1" (unintended function call) is detected in "ECU A", the abnormal event 400-i is associated with the internal processing abnormal node of "ECU A". The association of the abnormal event 400-i with the node of the attack path formation determination graph 500 is an example of the association between the abnormal event related to the abnormality and the node related to the abnormal event in the attack path formation determination graph 500.

【0044】 FIG. 13 is a diagram showing the attack path formation determination graph 500 according to the embodiment. The attack path formation determination graph 500 is a graph defined based on a vehicle system including a server 113 that provides a connected service to the vehicle 112. In the attack path formation determination graph 500, there are internal processing abnormal nodes representing abnormalities in internal processing such as ECUs and internal servers inside the vehicle 112, and communication abnormal nodes representing abnormalities in communication paths between ECUs and between an ECU and an internal server. Further, in the attack path formation determination graph 500, there are entry point nodes representing traces of an attacker's intrusion into an ECU, a communication path, etc. The nodes in the attack path formation determination graph 500 are connected by directed edges. The direction of an edge in the attack path formation determination graph 500 represents the direction in which the influence of the attack spreads. A communication path along which the influence does not spread does not have to be connected by an edge in the attack path formation determination graph 500 even if it is connected in the vehicle system. The nodes shown in FIG. 13 correspond to components constituting the vehicle system and peripheral components of the vehicle system. Note that since FIG. 13 is an example, the node names may be different, nodes may be added, or the connection of the edges may be different.

【0045】 Next, in step S113, the attack possibility evaluation unit 105 uses the attack path formation determination graph 500, on which the abnormal event 400-i is mapped, to determine whether an attack path has been formed. If the attack possibility evaluation unit 105 can connect the entry point node to the node where the detected event was detected using only nodes associated with the abnormal event 400-i, it determines that an attack path can be formed and moves the process to step S114. If the abnormal event 400-i is associated with any entry point node, the attack possibility evaluation unit 105 determines that an attack path can be partially formed and moves the process to step S115. Otherwise, the attack possibility evaluation unit 105 determines that an attack path cannot be formed and moves the process to step S116.

【0046】 The criteria for determining whether an attack path has been formed are not limited to those described above and may be changed to other conditions. For example, the ratio of the number of nodes associated with an abnormal event to the total number of nodes from the entry point node to the detection location of the detected event may be calculated, and the formation of an attack path may be determined by a threshold check. Additionally, the time series of detected events and abnormal events may be considered, and a condition may be added to ensure that they are arranged chronologically from the entry point node to the detection location of the detected event. Furthermore, the determination of whether an attack path has been formed may be performed in multiple stages; for example, if one stage is added, one step of evaluating the possibility of an attack will also be added.

【0047】 In step S114, the attack possibility evaluation unit 105 evaluates the attack possibility of the detection event as "Very High". In step S115, the attack possibility evaluation unit 105 evaluates the attack possibility of the detection event as "High". In step S116, the attack possibility evaluation unit 105 evaluates the attack possibility of the detection event as "Moderate".
In step S117, the attack possibility evaluation unit 105 evaluates the attack possibility of the detection event as "Low". The order of the evaluation levels is "Very High" > "High" > "Moderate" > "Low". When steps S114 to S117 are completed, the attack possibility evaluation unit 105 transfers the process to step S118 (FIG. 10).

【0048】 In step S118, the failure possibility evaluation unit 106 deletes the abnormal events 400-i whose attack flag 405 is "1" from the abnormal event list 400, since it does not use them for failure possibility evaluation. Next, in step S119, the failure possibility evaluation unit 106 measures the length of the abnormal event list and determines whether it is 0 or not. When the length of the abnormal event list is 0 (step S119 Yes), the failure possibility evaluation unit 106 transfers the process to step S126. On the other hand, when the length of the abnormal event list is 1 or more (step S119 No), the failure possibility evaluation unit 106 transfers the process to step S120.

【0049】 In step S120, the failure possibility evaluation unit 106 assigns "1" or "0" to the failure flag 406 of each abnormal event 400-i in the abnormal event list 400. Based on the abnormal event master 300d, the failure possibility evaluation unit 106 assigns "1" to the failure flag 406 when the failure log related to the abnormal event 400-i is included in the vehicle log or the server log, and assigns "0" when it is not included. Step S120 aims to reduce the processing load and improve the accuracy of the evaluation of attack possibility and failure possibility by targeting only the abnormal events whose cause is clearly a failure for the mapping process (step S121).

【0050】 Next, in step S121, the failure possibility evaluation unit 106 maps the abnormal event 400-i to the failure path formation determination graph 600 (Figure 14) (associating the abnormal event 400-i with a node in the failure path formation determination graph 600). Similar to step S112 (Figure 9), which node the abnormal event 400-i is mapped to is determined by the detection location of the abnormal event 400-i and the abnormal event master 300c. Associating the abnormal event 400-i with a node in the failure path formation determination graph 600 is an example of associating an abnormal event related to a failure with the node in the failure path formation determination graph 600 that is related to the abnormal event.

【0051】 Figure 14 shows a failure path formation determination graph 600 according to an embodiment. The failure path formation determination graph 600 is a graph composed of the same elements as the attack path formation determination graph 500, but is defined separately from the attack path formation determination graph 500 because the propagation of effects differs depending on whether the cause is a failure or an attack. Note that Figure 14 is just an example, so node names may differ, nodes may be added, or edge connections may differ.

【0052】 Next, in step S122, the failure possibility evaluation unit 106 uses the failure path formation determination graph 600, on which the abnormal event 400-i is mapped, to determine whether a failure path has been formed. The failure possibility evaluation unit 106 determines that a failure path can be formed if the connection from the node with which an abnormal event 400-i having a failure flag of "1" is associated is made only through nodes associated with abnormal events 400-i, and proceeds to step S123. The failure possibility evaluation unit 106 determines that a failure path can be partially formed if an abnormal event 400-i with a failure flag of "1" is associated with any node, and proceeds to step S124. The failure possibility evaluation unit 106 determines that a failure path cannot be formed if neither a failure path can be formed nor a failure path can be partially formed, and proceeds to step S125.
【0053】 The conditions for determining whether a failure path has been formed are not limited to those described above, and may be changed to other conditions, similar to step S112 (Figure 9). Furthermore, the determination of whether a failure path has been formed may be performed in multiple stages; for example, if an additional stage is added, one additional step will be added to evaluate the possibility of failure.

【0054】 In step S123, the failure possibility evaluation unit 106 evaluates the failure possibility of the detected event as "Very High". In step S124, the failure possibility evaluation unit 106 evaluates the failure possibility of the detected event as "High". In step S125, the failure possibility evaluation unit 106 evaluates the failure possibility of the detected event as "Moderate". In step S126, the failure possibility evaluation unit 106 evaluates the failure possibility of the detected event as "Low". After completing steps S123 to S126, the failure possibility evaluation unit 106 moves on to step S127 (Figure 11).

【0055】 In step S127, the possibility comparison unit 107 compares the attack possibility evaluated in steps S114 to S117 (Figure 9) with the failure possibility evaluated in steps S123 to S126 (Figure 10). If the possibility comparison unit 107 determines that the attack possibility is higher than the failure possibility, it moves to step S128. If the failure possibility is higher than the attack possibility, the possibility comparison unit 107 moves to step S129. If the failure possibility and attack possibility are equal, the possibility comparison unit 107 moves to step S130.

【0056】 In step S128, the possibility comparison unit 107 classifies the detected event as an "attack". In step S129, the possibility comparison unit 107 classifies the detected event as a "failure". In step S130, the detected event is classified as "unknown cause" (or "cannot be isolated"). Causes other than "attack" and "failure" include, for example, program bugs or work errors. Therefore, "unknown cause" may also include program bugs or work errors. However, in order to prevent overlooking an attack, it may instead be classified as an "attack" in step S130. When steps S128 to S130 are completed, the failure possibility evaluation unit 106 moves on to step S131.

【0057】 In step S131, the isolation result output unit 108 transmits the isolation results for the cause of the detection event from steps S128 to S130 to the VSOC 111. The isolation result output unit 108 may also transmit the attack possibility and failure possibility, the abnormal event list 400, and the attack path formation determination graph 500 and failure path formation determination graph 600 with the abnormal events 400-i associated to them. The isolation result output unit 108 may also transmit these to the vehicle 112 or the server 113.

【0058】 (Cause isolation result output screen D108 according to the embodiment) Figure 15 is a diagram showing the configuration of the cause isolation result output screen D108 according to the embodiment. In the example shown in Figure 15, the cause isolation result output screen D108 includes a display area D500 that shows how the abnormal events 400-i included in the detection event with detection event ID "1" are mapped to the attack path formation determination graph 500. The cause isolation result output screen D108 also includes a display area D600 that shows how they are mapped to the failure path formation determination graph 600.

【0059】 The formation of an attack path is determined according to the mapping status of the abnormal events 400-i shown in display area D500. The result of the attack path formation determination shows that the attack possibility was determined to be "Very High". On the other hand, the formation of a failure path is determined according to the mapping status of the abnormal events 400-i shown in display area D600.
The result of the fault path formation determination shows that the probability of failure was determined to be "Moderate". Therefore, as a result of the probability comparison, the attack probability "Very High" exceeds the failure probability "Moderate", so the cause isolation result is determined to be an "attack". The cause isolation result output screen D108 also has a display area D400 for the abnormal event list 400 at the bottom.

【0060】 In other words, the cause isolation result output screen D108 is output by the processor of the cause isolation system 100 and includes the cause of the detected event, the extracted abnormal events, and the attack path and failure path along which the effects of the cause of the detected event are estimated to have spread.

【0061】 (Modification of the Embodiment)

In the embodiment described above, an abnormal event is associated with the node related to that abnormal event in the attack path formation determination graph 500, and it is determined whether an attack path has been formed in the attack path formation determination graph 500 based on the associated abnormal events. Based on the attack path formation determination result, the likelihood that the cause of the abnormality is an "attack" is evaluated. The same processing is performed for "failures" as for "attacks". The possibility of an "attack" and the possibility of a "failure" are compared, and based on the comparison result, it is determined whether the cause of the abnormality is an "attack", a "failure", or "other (unidentifiable)". In the embodiment described above, the cause of the abnormality is isolated from two perspectives, "attack" and "failure", but the invention is not limited to these two; other causes are also possible. Furthermore, the cause of the abnormality may be isolated from three or more perspectives (for example, attack, failure, program bug, work error, etc.).
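The processing of steps S114 to S131 described above (mapping abnormal events onto a path formation determination graph, deciding whether a path is formed, grading the attack and failure likelihood, comparing the two grades and isolating the cause) can be illustrated with the following added example. It is not code from the patent or from Hitachi: the two graphs, the abnormal events, the field names `may_be_non_attack` and `failure_log_present` (standing in for the abnormal event master attributes of claims 6 and 7), and the rule that maps "full path / partial path / no path" onto the four grades are all constructed assumptions, since the page does not give the exact conditions of Figures 9 and 10. Unlike the page's single worked case, the same functions also handle a failure-only event set and the "equal grades" case that leads to "unknown cause".

```python
from collections import deque
from dataclasses import dataclass

# Ordered likelihood grades of steps S114-S117 / S123-S126; list index = rank.
GRADES = ["Low", "Moderate", "High", "Very High"]


@dataclass(frozen=True)
class AbnormalEvent:
    """One entry of the abnormal event list 400 plus the two master attributes
    referred to in claims 6 and 7 (field names are assumptions)."""
    event_id: str
    node: str                  # component the event is associated with
    may_be_non_attack: bool    # master says a non-attack cause is possible
    failure_log_present: bool  # the log a failure should leave was found


class PathGraph:
    """Path formation determination graph: nodes are components an abnormality
    may spread to, directed edges give the direction of propagation."""

    def __init__(self, edges, sources, targets):
        self.edges = {n: set(ms) for n, ms in edges.items()}
        self.sources, self.targets = set(sources), set(targets)

    def path_formed(self, abnormal):
        """Full path: a source reaches a target through abnormal nodes only."""
        queue = deque(n for n in self.sources if n in abnormal)
        seen = set(queue)
        while queue:
            n = queue.popleft()
            if n in self.targets:
                return True
            for m in self.edges.get(n, ()):
                if m in abnormal and m not in seen:
                    seen.add(m)
                    queue.append(m)
        return False

    def partial_path(self, abnormal):
        """Partial path: at least one edge joins two abnormal nodes."""
        return any(m in abnormal for n in abnormal for m in self.edges.get(n, ()))


def grade_attack(graph, events):
    """Attack likelihood (steps S114-S117); the thresholds are an assumption."""
    nodes = {e.node for e in events}
    if graph.path_formed(nodes):
        # Claim 6: an event that admits a non-attack cause weakens the evidence.
        return "High" if any(e.may_be_non_attack for e in events) else "Very High"
    return "Moderate" if graph.partial_path(nodes) else "Low"


def grade_failure(graph, events):
    """Failure likelihood (steps S123-S126); the thresholds are an assumption."""
    nodes = {e.node for e in events}
    if graph.path_formed(nodes):
        # Claim 7: the log a failure should have recorded must actually exist.
        return "Very High" if all(e.failure_log_present for e in events) else "High"
    return "Moderate" if graph.partial_path(nodes) else "Low"


def isolate(attack_grade, failure_grade):
    """Steps S127-S130: compare the two grades and classify the detected event."""
    a, f = GRADES.index(attack_grade), GRADES.index(failure_grade)
    if a > f:
        return "attack"
    if f > a:
        return "failure"
    return "unknown cause"


# Constructed graphs (not the patent's figures): an attack enters from the
# server and spreads over the telematics channel into the vehicle; a failure
# starts at the battery or a sensor and spreads through the ECU to the gateway.
ATTACK_GRAPH = PathGraph(
    edges={"server": ["telematics"], "telematics": ["gateway"], "gateway": ["ecu"]},
    sources=["server"], targets=["ecu"])
FAILURE_GRAPH = PathGraph(
    edges={"battery": ["ecu"], "sensor": ["ecu"], "ecu": ["gateway"]},
    sources=["battery", "sensor"], targets=["gateway"])


def run_example():
    """Constructed detection event: abnormal events on every node of the
    attack path, none of which admits a non-attack explanation."""
    events = [
        AbnormalEvent("e1", "server", False, False),
        AbnormalEvent("e2", "telematics", False, False),
        AbnormalEvent("e3", "gateway", False, False),
        AbnormalEvent("e4", "ecu", False, False),
    ]
    a, f = grade_attack(ATTACK_GRAPH, events), grade_failure(FAILURE_GRAPH, events)
    return a, f, isolate(a, f)


if __name__ == "__main__":
    print(run_example())  # ('Very High', 'Moderate', 'attack')
```

The ECU and gateway events also lie on one edge of the failure graph, which is why the failure grade comes out "Moderate" rather than "Low" and the comparison, not the attack grade alone, decides the outcome; that is the point of keeping both graphs rather than a list of attack patterns.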
【0062】 The embodiments described above provide the following effects and benefits.

【0063】 The attack possibility evaluation unit 105 determines the attack possibility of a detected event by mapping the extracted abnormal events 400-i onto the attack path formation determination graph 500. In other words, it can estimate the attack path, including the possibility that the attacker infiltrated from the server, and evaluate the attack possibility without enumerating attack patterns or attack paths, which are combinations of abnormal events 400-i. This reduces the man-hours required to enumerate attack patterns and attack paths, and avoids the loss of accuracy caused by omissions during enumeration. The effects of the processing of the failure possibility evaluation unit 106 using the failure path formation determination graph 600 are the same as those of the attack possibility evaluation unit 105.

【0064】 Furthermore, since the attack path formation determination graph 500 includes nodes such as communication channels in addition to the vehicle 112 and the server 113, it is possible to estimate attack paths that take into account the possibility of propagation from the vehicle 112 to the server 113. The estimation of fault paths using the fault path formation determination graph 600 is similar to that using the attack path formation determination graph 500.

【0065】 (Hardware configuration of computer 1000)

Figure 16 shows the hardware configuration of the computer 1000. The computer 1000 implements each part of the cause isolation system 100 by executing a predetermined program.

【0066】 The computer 1000 comprises a processor 1001 including a CPU, a main memory 1002, an auxiliary storage device 1003, a network interface 1004, an input device 1005, and an output device 1006, all interconnected via an internal communication line 1007 such as a bus.

【0067】 The processor 1001 controls the operation of the entire computer 1000.
The main memory 1002 is composed of, for example, volatile semiconductor memory and is used as the working memory of the processor 1001. The auxiliary storage device 1003 is composed of a large-capacity non-volatile storage device such as a hard disk drive, an SSD (Solid State Drive), or flash memory, and is used to retain various programs and data over a long period of time.

【0068】 The executable program 1003a stored in the auxiliary storage device 1003 is loaded into the main memory 1002 when the computer 1000 starts up or when needed, and is executed by the processor 1001.

【0069】 The executable program 1003a may be recorded on a non-transitory recording medium, read from the non-transitory recording medium by a media reader, and loaded into the main memory 1002. Alternatively, the executable program 1003a may be obtained from an external computer via a network and loaded into the main memory 1002.

【0070】 The auxiliary storage device 1003 stores various executable programs 1003a.

【0071】 The network interface 1004 is an interface device for connecting the computer 1000 to the network N or for communicating with other computers. The network interface 1004 is composed of, for example, a NIC (Network Interface Card) for a wired LAN (Local Area Network) or a wireless LAN.

【0072】 The input device 1005 consists of a keyboard and a pointing device such as a mouse, and is used by the user to input various instructions and information into the computer 1000. The output device 1006 consists of a display device such as a liquid crystal display or an organic EL (Electro Luminescence) display, or an audio output device such as a speaker, and is used to present necessary information to the user when needed.

【0073】 The embodiments described above are explained in detail for the purpose of clearly illustrating the present invention, and the invention is not necessarily limited to embodiments having all of the configurations described.
It is also possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. Furthermore, it is possible to add, delete, or replace parts of the configuration of each embodiment with other configurations. Some or all of the above configurations, functions, processing units, processing means, etc., may be implemented in hardware, for example, by designing them as integrated circuits. Alternatively, the above configurations, functions, etc., may be implemented in software by having a processor interpret and execute a program that realizes each function. Furthermore, information such as programs, tables, and files that realize each configuration can be stored in memory, in a recording device such as a hard disk or SSD (Solid State Drive), or on a recording medium such as an IC card, SD card, or DVD.

【0074】 100: Cause isolation system, 101: Detected event acquisition unit, 102: Pre-processing unit, 103: Log acquisition unit, 104: Abnormal event extraction unit, 105: Attack possibility evaluation unit, 106: Failure possibility evaluation unit, 107: Possibility comparison unit, 108: Isolation result output unit, 109: Detected event master storage unit, 110: Abnormal event master storage unit, 111: VSOC, 112: Vehicle, 113: Server, 1000: Computer, 1001: Processor, 1002: Main memory

Claims

1. A cause isolation system for isolating the cause of a detection event detected in a target system, wherein the processor of the cause isolation system manages a path formation determination graph in which components among the components constituting the target system that may be affected by a predetermined cause are designated as nodes and the nodes are connected as edges, associates an abnormal event related to the abnormality extracted from the detection event with the node related to the abnormal event in the path formation determination graph, performs a path formation determination to determine whether a predetermined path is formed in the path formation determination graph by the associated abnormal event, and evaluates the possibility that the cause of the detection event is the predetermined cause based on the determination result of the path formation determination.

2. A cause isolation system according to claim 1, wherein the processor manages a plurality of path formation determination graphs corresponding to each of the plurality of predetermined causes, performs the path formation determination based on the abnormal event and the plurality of path formation determination graphs, evaluates the possibility that the cause of the detected event is each of the predetermined causes based on the determination result of the path formation determination based on each of the path formation determination graphs, and determines, based on the comparison result of comparing the possibility that the cause of the abnormality is each of the predetermined causes, that the cause of the detected event is isolated to one of the plurality of predetermined causes, or that it is impossible to isolate it to any of the plurality of predetermined causes.

3. A cause isolation system according to claim 2, wherein the processor acquires logs recorded in the target system, and detects and extracts abnormal events from the detection events based on the logs.

4. A cause isolation system according to claim 3, wherein the processor manages the log and detection method used for detecting the abnormal event for each type of abnormal event in an abnormal event master, and detects and extracts the abnormal event from the detected event based on the abnormal event master and the log.

5. A cause isolation system according to claim 4, wherein the predetermined cause is an attack on the target system and a failure of the target system, the path formation determination graph is an attack path formation determination graph in which the nodes to which the abnormality may propagate due to the attack are connected by the edges, and a failure path formation determination graph in which the nodes to which the abnormality may propagate due to the failure are connected by the edges, the processor evaluates the possibility of an attack, where the cause of the detection event is the attack, based on the determination result of the path formation determination based on the attack path formation determination graph, evaluates the possibility of a failure, where the cause of the detection event is the failure, based on the determination result of the path formation determination based on the failure path formation determination graph, and determines, based on the comparison result obtained by comparing the evaluation result of the attack possibility and the evaluation result of the failure possibility, that the cause of the detection event is either the attack or the failure, or that it is impossible to isolate it to either the attack or the failure.

6. A cause isolation system according to claim 5, wherein the processor manages information in the abnormal event master indicating whether the abnormal event may be caused by something other than the attack, performs a non-attack cause determination to determine whether the abnormal event may be caused by something other than the attack based on the abnormal event master, and evaluates the possibility that the cause of the detected event is the attack based on the determination result of the non-attack cause determination and the determination result of the path formation determination based on the attack path formation determination graph.

7. A cause isolation system according to claim 6, wherein the processor manages information in the abnormal event master indicating the log to be recorded when the abnormal event occurs due to the fault; performs a log existence determination based on the abnormal event master to determine whether the log to be recorded when the abnormal event occurs due to the fault exists; and evaluates the possibility that the cause of the detected event is the fault based on the determination result of the log existence determination and the determination result of the path formation determination based on the fault path formation determination graph.

8. A cause isolation system according to claim 5, wherein the processor manages information in a detection event master indicating whether the detection event may be caused by something other than the attack; determines whether the detection event may be caused by something other than the attack based on the detection event master; isolates the cause of the detection event that has been determined not to be caused by anything other than the attack based on the detection event master to the attack; and performs the path formation determination for the detection event that has been determined to be caused by something other than the attack based on the detection event master, based on the abnormal event extracted from the detection event and the attack path formation determination graph.

9. A cause isolation system according to claim 5, wherein the processor causes the output unit to output the cause of the detected event, the extracted abnormal event, and the predetermined path on which the effects of the cause are presumed to have spread.

10. A cause isolation method executed by a cause isolation system for isolating the cause of a detection event detected in a target system, the method comprising: a processor of the cause isolation system managing a path formation determination graph in which components constituting the target system that may be affected by a predetermined cause are designated as nodes and connected as edges; associating an abnormal event related to the abnormality extracted from the detection event with the node related to the abnormal event in the path formation determination graph; performing a path formation determination to determine whether a predetermined path is formed in the path formation determination graph by the associated abnormal event; and evaluating the possibility that the cause of the detection event is the predetermined cause based on the determination result of the path formation determination.