WO2023175756A1 - Policy control device, zero trust system, policy control method, and policy control program - Google Patents


Info

Publication number: WO2023175756A1
Authority: WO, WIPO (PCT)
Application number: PCT/JP2022/011815
Other languages: French (fr), Japanese (ja)
Inventor: 宜秀 仲川
Original Assignee: 日本電信電話株式会社 (Nippon Telegraph and Telephone Corporation)
Prior art keywords: policy, entity, unit, policy control, control device

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to a policy control device, a zero trust system, a policy control method, and a policy control program.
  • Zero Trust Architecture described in Non-Patent Documents 1 and 2 is an architecture that verifies access from each entity and executes a policy using untrusted entities as a policy location. This makes it possible to deal with cyber-attacks from internal terminals by subjecting not only external terminals but also internal terminals to verification without trust (zero trust).
  • Non-Patent Document 3 describes i-ZTA (Intelligent ZTA), which is an extension of ZTA. i-ZTA is an extension of ZTA for large-scale networks that uses graph neural networks and reinforcement learning to detect anomalies for dynamic risk assessment and reliability score evaluation. As a result, entities with high risks and entities with low reliability scores are automatically selected as policy locations with priority over other entities.
  • Risks other than security risks include, for example, the risk of violating an SLA (Service Level Agreement) by blocking part of a service when a policy is implemented. For example, if an entity with high performance but a low reliability score is eliminated by implementing a policy, the performance of the entire system decreases as a side effect, and an SLA that guarantees a predetermined standard of TPS (Transactions Per Second) is no longer satisfied.
  • the main objective of the present invention is to formulate a policy that can reduce security risks and risks when providing services in a well-balanced manner.
  • the policy control device of the present invention has the following features.
  • the present invention includes a module verification unit that verifies observation data obtained by observing an entity accessing an asset; a reliability evaluation unit that calculates, from the verification result of the module verification unit, a reliability score of each entity based on the damage cost caused by a cyber attack from the entity on the asset; and a policy determining unit that, based on the cost that occurs when a policy is applied to the entity and the damage cost that is reduced by applying the policy, determines the entity at the policy location to which the policy is applied so that the total of both costs is reduced.
  • FIG. 1 is a configuration diagram of a zero trust system according to the present embodiment.
  • FIG. 2 is a configuration diagram when the zero trust system of FIG. 1 according to the present embodiment is applied to a 5G network.
  • FIG. 3 is an explanatory diagram of a policy control device according to the present embodiment.
  • FIG. 4 is a hardware configuration diagram of a policy control device according to the present embodiment.
  • FIG. 1 is a configuration diagram of a zero trust system 80.
  • the zero trust system 80 is configured by an entity 81, a corporate resource 82, a policy control unit 83, and a policy execution unit 84 connected via a network.
  • the corporate resource 82 corresponds to a resource in Non-Patent Document 2, and is also called an asset.
  • corporate resources 82 are objects that need to be protected, such as internal devices that store confidential information.
  • Entity 81 corresponds to entity in Non-Patent Document 2.
  • the entity 81 is a network to which a terminal attempting to access the corporate resource 82 or a set of terminals attempting to access the corporate resource 82 belongs, and is a target to be inspected by the policy control device.
  • the policy control device may not only inspect the entity 81 on a device-by-device basis, but may also inspect the entity 81 on a network-by-network basis, such as the target network 73 in FIG. 2. Then, if a contaminated network is discovered through inspection, the policy control device may apply a policy of separating the network from the carrier network (disconnecting it and making communication impossible).
  • each device will be described as being classified as either an entity 81 or a corporate resource 82.
  • the same device may correspond to both the entity 81 and the enterprise resource 82.
  • device A that stores secret information A1 and device B that stores secret information B1 belong to the corporate resource 82 when their own secret information is accessed from the outside.
  • when device A acquires secret information B1 from device B, device A becomes the entity 81.
  • the only device that can be truly trusted is the policy control device that performs verification; other devices, whether internal or external, are not trusted (zero trust) and correspond to the entity 81 to be inspected.
  • the policy control unit 83 corresponds to a PDP (policy decision point) in Non-Patent Document 2.
  • the policy control unit 83 includes an access permission unit 83A and a policy setting unit 83B.
  • the access permission unit 83A authenticates each entity 81 accessed via the policy execution unit 84 to permit or disallow access by referring to an in-house database (not shown) or the like.
  • the policy setting section 83B sets the authentication result of the access permission section 83A in the policy execution section 84 as a policy (measure).
  • the policy execution unit 84 corresponds to a PEP (policy enforcement point) in Non-Patent Document 2.
  • the policy execution unit 84 allows or disallows access of the entity 81 according to the policy. Entities 81 that pass authentication can access corporate resources 82. Entities 81 that are not authenticated cannot access corporate resources 82.
  • FIG. 2 is a configuration diagram when the zero trust system 80 of FIG. 1 is applied to a 5G network.
  • a company resource 82 belongs to the target network 73 .
  • Enterprise resources 82 of FIG. 1 are embodied as a carrier network including the following devices of FIG. 2: NEF 82A (Network Exposure Function); PCF 82B (Policy Control Function); AMF 82C (Access and Mobility Management Function); and UPF 82D (User Plane Function), which is connected to a DN (Data Network) 82E.
  • the entity 81 in FIG. 1 is embodied as a UE (User Entity) such as the in-vehicle terminal 81A, the smartphone 81B, and the tablet terminal 81C in FIG. 2. Further, the target network 73 itself may also be one entity 81.
  • the policy control device is one or more casings that include a module verification section 10, a reliability evaluation section 20, a policy determination section 30, and a scheduler section 40.
  • the four processing units are distributed in separate housings (four housings), but the four processing units may be housed in one housing.
  • the policy control unit 83 in FIG. 1 is embodied as the reliability evaluation unit 20 and the scheduler unit 40 in the core network 71 in FIG. 2.
  • the policy execution unit 84 in FIG. 1 is embodied as the module verification unit 10 and the policy determination unit 30 in the access network 72 in FIG. 2.
  • the policy execution unit 84 in FIG. 1 may include a gNB (next generation NodeB) 84A, which is a base station of the 5G communication standard in FIG. 2.
  • the module verification unit 10 includes an observation data DB 12 that stores the results of observing the entity 81 (observation data 73D in FIG. 3), and a verification module 11 that verifies the entity 81 in module units based on the data stored in the observation data DB 12.
  • the verification module 11 performs one or more of the verifications illustrated below: verifying the communication performed by the module; verifying the system calls used by the module; and verifying whether the memory area rewritten by the module has been tampered with.
  • the reliability evaluation unit 20 includes a reliability calculation unit 21 and a network DB 22.
  • the reliability calculation unit 21 calculates a reliability score for each entity 81 by applying a quantitative risk management method to the verification results of the module verification unit 10. This reliability score is an index based on the cost of damage caused by a cyberattack from the entity 81 on the corporate resource 82. Note that the cyber attack is, for example, unauthorized access from the entity 81 or a denial-of-service attack such as DoS (Denial of Service).
  • the network DB 22 stores inventory information of the target network 73 and asset information of the corporate resources 82.
  • the policy determining unit 30 includes a policy control unit 31 corresponding to the policy control unit 83 in FIG. 1.
  • the policy control unit 31 decides on the policy based on the cost that occurs when applying the policy to the entity 81 (hereinafter referred to as the "application cost") and the damage cost that is reduced by applying the policy, so that the total of both costs becomes lower.
  • the policy control unit 31 determines the policy by evaluating, with a unified index, the security risk (reliability score) calculated by the reliability evaluation unit 20 and the risk of providing a service (such as the risk of not being able to comply with the SLA).
  • the policy determined by the policy control unit 31 is at least one of the "policy content", which is what kind of policy is to be executed, and the "policy location", which is the entity 81 on which the policy is to be executed.
  • the policy control unit 31 determines an optimal combination among the sets of policy content and policy location.
  • "optimal" here means that not only security risks (reliability scores) but also risks when providing services are reduced in a well-balanced manner.
  • the policy control unit 31 applies the determined policy to the target network 73 (policy execution unit 84 in FIG. 1).
  • the policy determining unit 30 applies the policy to access from the entity 81 to the corporate resource 82 by setting the determined policy in the policy execution unit 84.
  • the policy determining unit 30 may present the determined policy to the operator on a display screen so that the operator can understand it.
  • the scheduler unit 40 includes an operation unit 41 that operates each processing unit (module verification unit 10, reliability evaluation unit 20, policy determination unit 30) of the policy control device.
  • the operation unit 41 schedules processing for each entity 81 by each processing unit of the policy control device according to the security risk indicated by the reliability score.
  • the operation unit 41 may perform scheduling according to this operation phase periodically or may perform it sporadically at non-regular timing.
  • the operation unit 41 may receive the reliability score evaluated by the reliability evaluation unit 20 and increase or decrease the verification load when the verification module 11 verifies the entity 81. For example, the operation unit 41 allocates fewer types of verification functions to an entity 81 with a higher reliability score in order to reduce the load of verifying the observed data 73D. As a result, a large amount of finite system resources (verification capacity) is concentrated and allocated to the entity 81 with a low reliability score, so that even in a system with a large number of entities 81, appropriate verification can be performed with low delay. Alternatively, the operation unit 41 may perform the verification process for a predetermined entity 81 for which low delay is required later than for other entities 81. The operation unit 41 may assign a provisional verification result (communication permission or communication cutoff) to the predetermined entity 81 for the elapsed period until the verification process of the predetermined entity 81 is performed.
  • the network settings 21F in the network DB 22 are information on the target network 73, and are referenced to identify the impact on the surroundings when the risk of e[m] becomes apparent.
  • An asset of the corporate resource 82 is indicated by a variable a.
  • let the first asset be a[1] and the n-th asset a[n].
  • the value of asset a[n] is denoted by v(a[n]).
  • the intrusion probability 21D is represented by the probability p(a[i]) that asset a[i] will be intruded.
  • Observation data 73D obtained by observing the entity 81 (e[m]) of the target network 73 is registered in the observation data DB 12. Therefore, each entity 81 has a log output function, and the module verification unit 10 (observation data DB 12) has a log collection function that collects logs from the log output function.
  • the reliability calculation section 21 includes a risk manifestation evaluation section 21A, an influence range evaluation section 21C, and a reliability calculation section 21E.
  • the risk manifestation evaluation unit 21A calculates the risk manifestation probability 21B (P(e[m])) from the event I output by the verification module 11 using an algorithm such as machine learning or mathematical statistical processing.
  • the influence range evaluation unit 21C evaluates the intrusion probability 21D (p(a[i])) based on the event I output by the verification module 11, the risk manifestation probability 21B, and the network settings 21F. Then, the influence range evaluation unit 21C calculates the influence cost Im(e[m]) that the actualized risk has on the surroundings from the intrusion probability 21D and the asset value v(a[i]).
  • the reliability calculation unit 21E calculates the reliability score 21H based on the intrusion probability 21D and the resource information 21G.
  • the reliability score 21H is a scale for uniformly measuring risks such as security risks and SLA violation risks.
  • the influence cost Im(e[m]) of (Formula 1) is the sum, over all assets, of the product of the asset value and the intrusion probability 21D, that is, the sum of the expected cost values of all assets.
  • the reliability calculation unit 21E calculates the final expected damage cost value Ex(e[m]) according to (Formula 2).
  • the process by which the reliability calculation unit 21 outputs the reliability score 21H has been described above with reference to FIG. 3.
  • the policy determining unit 30 determines the optimal policy based on the reliability score 21H.
  • the processing of the policy determining unit 30 will be explained below.
  • each variable used to explain the policy is defined as follows. A policy is indicated by the variable m, and the set of policies is M = {m[1], m[2], ..., m[l]}.
  • e(m[i]) indicates the entity 81 at the policy location to which policy m[i] is applied.
  • d(m[i]) indicates the policy content of policy m[i]. Examples of policy content include filtering communications and stopping an attack by, for example, shutting down the entity 81.
  • c(m[i]) indicates the application cost when policy m[i] is applied. This application cost includes the cost of implementing the policy content and the cost incurred when implementing the policy content affects the SLA.
  • i(m[i]) is the policy effect: the expected value of the damage cost, representing the security risk, that is reduced by executing m[i].
  • this policy effect i(m[i]) is related to the influence cost Im(e[m]) calculated using (Formula 1). The policy set M(e[m]) to be applied to e[m] is then given by (Formula 3).
  • the policy determining unit 30 uses (Formula 3) to evaluate both the policy effect obtained by executing each policy m[i] and the application cost it imposes, and decides on policies so that the overall cost is as low as possible. In other words, when the policy content d(m[i]) is implemented the damage cost is reduced even if the risk materializes, so the expected cost value Ex(e[m]) can be lowered by the amount of the policy effect i(m[i]). On the other hand, executing the policy content d(m[i]) increases the cost by the application cost c(m[i]).
  • the policy determining unit 30 uses (Formula 3) to offset the reduction in damage cost against the increase in application cost, thereby evaluating comprehensively the net reduction in damage between the case where the policy is implemented and the case where it is not.
  • whether or not to implement each policy m[i] is selected based on this cost. This allows for total risk management, including both security and the SLA.
  • FIG. 4 is a hardware configuration diagram of the policy control device.
  • the policy control device is configured as a computer 900 having a CPU 901, a RAM 902, a ROM 903, an HDD 904, a communication I/F 905, an input/output I/F 906, and a media I/F 907.
  • Communication I/F 905 is connected to external communication device 915.
  • the input/output I/F 906 is connected to the input/output device 916.
  • the media I/F 907 reads and writes data from the recording medium 917.
  • the CPU 901 controls each unit by executing a program (also called an application or, abbreviated, an app) read into the RAM 902.
  • This program can also be distributed via a communication line or recorded on a recording medium 917 such as a CD-ROM.
  • the policy control device may include a container platform 920 having a H/W (HardWare) accelerator 921 and a TPM (Trusted Platform Module) 922. Furthermore, each component of the container platform 920 may be implemented within the CPU 901.
  • the container runtime functions of the H/W accelerator 921 and the container platform 920 are preferably applied to each processing unit (module verification unit 10, reliability evaluation unit 20, policy determination unit 30, scheduler unit 40) of the policy control device. This makes it possible to speed up and scale out each processing unit, so that a system with a large number of entities 81 can be supported.
  • the TPM 922 is also applied to each processing unit (module verification unit 10, reliability evaluation unit 20, policy determination unit 30, scheduler unit 40) of the policy control device. This prevents falsification of the reliability score 21H and the policy m[i].
  • the policy control device of the present invention includes a module verification unit 10 that verifies observation data 73D obtained by observing an entity 81 accessing a corporate resource 82; a reliability evaluation unit 20 that calculates, from the verification result of the module verification unit 10, a reliability score of each entity 81 based on the damage cost caused by a cyber attack from the entity 81 on the corporate resource 82; and a policy determining unit 30 that, based on the application cost that occurs when a policy is applied to the entity 81 and the damage cost that is reduced by applying the policy, determines the entity 81 to which the policy is applied so that the total of both costs is reduced.
  • the policy control device evaluates the security risk of leaving an entity 81 with a low reliability score alone and the service risk of falling below the SLA when applying a policy to that entity 81, using the same metric of cost. Therefore, it is possible to formulate measures that reduce security risks and the risks of providing services in a well-balanced manner.
  • the policy control device further includes a scheduler unit 40, which is characterized in that the higher the reliability score of an entity 81, the lower the load on the module verification unit 10 for verifying the observation data 73D observed from that entity 81.
  • the total verification load is reduced by focusing on verifying only a small number of entities 81 with high security risks. Therefore, even in a large-scale system where the number of target entities 81 is hundreds of millions, the verification load on the policy control device is reduced, and strict delay requirements imposed on the policy control device can be complied with.
  • the scheduler unit 40 performs the verification process of a predetermined entity 81 later than that of other entities 81, and is characterized by assigning a provisional verification result to the predetermined entity 81 until its verification process is performed.
  • a provisional verification result is assigned to the entity 81 whose verification process is temporarily deferred, making it possible to comply with the strict delay requirements imposed on the policy control device.
  • the present invention is characterized in that the processing of the module verification section 10, the processing of the reliability evaluation section 20, and the processing of the policy determination section 30 are executed by the TPM 922.
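The cost-based policy decision of the policy determining unit 30 (Formulas 1 to 3, which the page references but does not reproduce) and the reliability-score-driven scheduling of the scheduler unit 40, as an added worked example in Python that is not code from the patent. The arithmetic forms of the three formulas, the 3/2/1 verification-type thresholds, the policy names and the sample asset values are all assumptions chosen to match the prose.

```python
"""Cost-balanced policy selection and verification scheduling modelled on the
prose of WO2023175756A1. Added illustration, not the patent's code. Formulas
1-3 are not reproduced on the page, so the arithmetic here is an assumed
reading of the text: influence cost = sum of intrusion probability x asset
value; expected damage = risk manifestation probability x influence cost;
policy set = the subset minimising residual damage plus application cost."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

# The three verification types the page lists for verification module 11.
VERIFICATIONS = ("communication", "system_calls", "memory_tamper")

@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # v(a[i]) in cost units

@dataclass(frozen=True)
class Policy:
    name: str                # m[i]
    content: str             # d(m[i]): what is done to the entity
    application_cost: float  # c(m[i]): implementation cost plus SLA impact
    effect: float            # i(m[i]): expected damage cost removed

def influence_cost(intrusion_prob: dict[str, float], assets: list[Asset]) -> float:
    """Assumed Formula 1: Im(e[m]) = sum over assets of p(a[i]) * v(a[i])."""
    return sum(intrusion_prob.get(a.name, 0.0) * a.value for a in assets)

def expected_damage_cost(risk_prob: float, im: float) -> float:
    """Assumed Formula 2: Ex(e[m]) = P(e[m]) * Im(e[m])."""
    return risk_prob * im

def total_cost(ex: float, chosen: tuple[Policy, ...]) -> float:
    """Residual damage after the chosen policies plus their application cost.
    Effects are treated as additive and cannot push damage below zero
    (a simplification; the page does not say how effects combine)."""
    residual = max(ex - sum(p.effect for p in chosen), 0.0)
    return residual + sum(p.application_cost for p in chosen)

def select_policies(ex: float, candidates: list[Policy]) -> tuple[tuple[Policy, ...], float]:
    """Assumed Formula 3: the subset M(e[m]) with the lowest total cost.
    Applying nothing (cost == ex) is a valid outcome; that is what stops a
    costly shutdown being chosen merely because it removes all risk."""
    best: tuple[Policy, ...] = ()
    best_cost = ex
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            cost = total_cost(ex, subset)
            if cost < best_cost:
                best, best_cost = subset, cost
    return best, best_cost

def schedule_verification(scores: dict[str, float], low_latency: set[str],
                          capacity: int, threshold: float = 0.5):
    """Scheduler unit 40: spend a finite verification budget riskiest-first.
    Entities with a higher reliability score get fewer verification types
    (3/2/1 by assumed thresholds); low-latency entities are deferred and
    receive a provisional "permit"/"cutoff" result until verified."""
    plan: dict[str, tuple[str, ...]] = {}
    provisional: dict[str, str] = {}
    remaining = capacity
    for name, score in sorted(scores.items(), key=lambda kv: kv[1]):
        if name in low_latency:
            provisional[name] = "permit" if score >= threshold else "cutoff"
            continue
        wanted = 3 if score < 0.3 else 2 if score < 0.7 else 1
        run = min(wanted, remaining)
        if run == 0:
            break  # verification capacity exhausted
        plan[name] = VERIFICATIONS[:run]
        remaining -= run
    return plan, provisional

def demo_policy() -> tuple[tuple[str, ...], float]:
    """Constructed sample: one entity, three assets, three candidate policies."""
    assets = [Asset("crm_db", 1000.0), Asset("file_server", 500.0),
              Asset("web_portal", 200.0)]
    p_intrusion = {"crm_db": 0.4, "file_server": 0.2, "web_portal": 0.5}
    ex = expected_damage_cost(0.5, influence_cost(p_intrusion, assets))  # 300.0
    candidates = [
        Policy("filter", "filter communications", 40.0, 150.0),
        Policy("shutdown", "shut the entity down", 220.0, 300.0),  # big SLA hit
        Policy("rate_limit", "rate-limit the entity", 20.0, 60.0),
    ]
    chosen, cost = select_policies(ex, candidates)
    return tuple(p.name for p in chosen), cost

def demo_schedule():
    """Constructed sample: four entities, a budget of six verification runs."""
    scores = {"ue_a": 0.1, "ue_b": 0.5, "ue_c": 0.9, "vehicle": 0.2}
    return schedule_verification(scores, {"vehicle"}, capacity=6)

if __name__ == "__main__":
    print(demo_policy())    # (('filter', 'rate_limit'), 150.0)
    print(demo_schedule())
```

In the sample, shutting the entity down removes all expected damage but its SLA-driven application cost makes the cheaper filter plus rate-limit combination the lower total, which is the trade-off the unified cost index is meant to expose.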


Abstract

Provided is a policy control device comprising: a module verification unit (10) that verifies observation data (73D); a reliability evaluation unit (20) that calculates, from the result of the verification by the module verification unit (10), a reliability score for each entity (81) based on the cost of damage caused by cyberattacks on a corporate resource (82) from the entity (81); and a policy determining unit (30) that determines, on the basis of the cost incurred when a policy is applied to the entity (81) and the damage cost to be reduced through application of the policy, the entity (81) at the policy location where the policy is to be applied so that the total of both costs is low.

Description

Policy control device, zero trust system, policy control method, and policy control program
The present invention relates to a policy control device, a zero trust system, a policy control method, and a policy control program.
Large-scale systems such as telecom networks, large-scale enterprise networks, and IoT (Internet of Things) networks are becoming widespread. Implementing measures (policies) to deal with the risk of cyberattacks on such large-scale systems from entities such as external terminals is an important part of security operations. When formulating measures, appropriate measure content, such as cutting off communication, must be selected for entities at high-risk policy locations, for example those located in unfriendly foreign countries.
Techniques that help when formulating measures are described below.
Zero Trust Architecture (ZTA), described in Non-Patent Documents 1 and 2, is an architecture that verifies access from each entity and executes measures with untrusted entities as the policy location. By treating not only external terminals but also internal terminals as verification targets without trusting them (zero trust), cyberattacks from internal terminals can also be dealt with.
Non-Patent Document 3 describes i-ZTA (Intelligent ZTA), an extension of ZTA. i-ZTA extends ZTA to large-scale networks and performs anomaly detection using graph neural networks and reinforcement learning in order to evaluate risk dynamically and evaluate reliability scores. As a result, entities with high risk or low reliability scores are automatically selected as policy locations in preference to other entities.
Executing a measure can be expected to lower security risk, but at the same time it has the side effect of raising risks other than security risk. An example of a risk other than security risk is the risk of violating an SLA (Service Level Agreement) because executing the measure cuts off part of a service.
For example, if an entity with high performance but a low reliability score is removed by executing a measure, the performance of the whole system drops as a side effect, and an SLA guaranteeing a predetermined level of TPS (Transactions Per Second) is no longer satisfied.
Note that an entity is removed by executing measures such as those listed below.
・Communication cut-off (blocking) due to a false positive
・Communication cut-off (blocking) for reasons other than a false positive
・Temporary withdrawal of a device with a low reliability score
The role of security operator is often responsible only for the duty of lowering security risk. Since the lower the security risk, the better the job done, security operators are proactive about executing measures.
Company management, on the other hand, has the duty of keeping customer services running and earning revenue. It therefore needs to achieve not only the single metric of lowering security risk but also the metric of protecting customers by complying with SLAs and the metric of raising profitability by lowering the cost of executing measures.
Conventional techniques such as those of Non-Patent Documents 1 to 3 are techniques for security operators aimed at lowering security risk, and lack the perspective of balancing this against other risks. A tool is therefore needed that formulates measures reflecting the overall risk of providing services to customers.
The main objective of the present invention is therefore to formulate measures that reduce security risk and the risk of providing services in a well-balanced manner.
To solve the above problem, the policy control device of the present invention has the following features.
The present invention comprises: a module verification unit that verifies observation data obtained by observing an entity accessing an asset;
a reliability evaluation unit that calculates, from the verification result of the module verification unit, a reliability score for each entity based on the damage cost of a cyberattack from the entity on the asset; and
a policy determining unit that determines, based on the cost incurred when a policy is applied to the entity and the damage cost reduced by applying the policy, the entity at the policy location to which the policy is applied such that the total of both costs is low.
According to the present invention, measures can be formulated that reduce security risk and the risk of providing services in a well-balanced manner.
FIG. 1 is a configuration diagram of a zero trust system according to the present embodiment.
FIG. 2 is a configuration diagram when the zero trust system of FIG. 1 according to the present embodiment is applied to a 5G network.
FIG. 3 is an explanatory diagram of a policy control device according to the present embodiment.
FIG. 4 is a hardware configuration diagram of a policy control device according to the present embodiment.
An embodiment of the present invention will now be described in detail with reference to the drawings.
FIG. 1 is a configuration diagram of a zero trust system 80.
The zero trust system 80 consists of an entity 81, a corporate resource 82, a policy control unit 83, and a policy execution unit 84 connected over a network.
The corporate resource 82 corresponds to a Resource in Non-Patent Document 2 and is also called an asset. Corporate resources 82 are objects to be protected, such as in-house devices that store confidential information.
The entity 81 corresponds to an entity in Non-Patent Document 2. The entity 81 is a terminal attempting to access the corporate resource 82, or a network to which a set of such terminals belongs, and is the object inspected by the policy control device.
Note that the policy control device may inspect the entity 81 not only per device but also per network, such as the target network 73 in FIG. 2. If a contaminated network is found by inspection, the policy control device may apply the measure of separating that network from the carrier network (disconnecting it so that it cannot communicate).
 Note that, for clarity, this specification describes each device as belonging to either the entity 81 or the corporate resource 82. The same device may, however, be both an entity 81 and a corporate resource 82.
 For example, a device A storing confidential information A1 and a device B storing confidential information B1 each belong to the corporate resource 82 when their own confidential information is accessed from outside. When device A obtains confidential information B1 from device B, device A becomes an entity 81.
 Thus, in the zero trust system 80, the only device that is truly trusted is the policy control device that performs verification; every other device, whether inside or outside the organisation, is an entity 81 that is inspected without being trusted (zero trust).
 The policy control unit 83 corresponds to a PDP (policy decision point) in Non-Patent Document 2. The policy control unit 83 has an access permission unit 83A and a policy setting unit 83B.
 The access permission unit 83A authenticates each entity 81 that accesses via the policy execution unit 84, referring to an in-house database (not shown) or the like, and decides whether access is permitted or denied. The policy setting unit 83B sets the authentication result of the access permission unit 83A in the policy execution unit 84 as a policy (measure).
 The policy execution unit 84 corresponds to a PEP (policy enforcement point) in Non-Patent Document 2. The policy execution unit 84 permits or denies access by the entity 81 according to the policy. An entity 81 that passes authentication can access the corporate resource 82; an entity 81 that fails authentication cannot access the corporate resource 82.
 FIG. 2 is a configuration diagram when the zero trust system 80 of FIG. 1 is applied to a 5G network.
 The corporate resource 82 belongs to the target network 73. The corporate resource 82 of FIG. 1 is embodied as a group of carrier networks including the following devices of FIG. 2.
 ・NEF 82A: Network Exposure Function.
 ・PCF 82B: Policy Control Function.
 ・AMF 82C: Access and Mobility Management Function.
 ・UPF 82D: User Plane Function. The UPF 82D is connected to a DN (Data Network) 82E.
 The entity 81 of FIG. 1 is embodied as a UE (User Entity) such as the in-vehicle terminal 81A, the smartphone 81B, or the tablet terminal 81C of FIG. 2. The target network 73 itself may also be treated as one entity 81.
 The policy control device is one or more chassis having a module verification unit 10, a reliability evaluation unit 20, a policy determination unit 30, and a scheduler unit 40. In FIG. 2 the four processing units are distributed over separate chassis (four chassis), but the four processing units may also be housed in a single chassis.
 The policy control unit 83 of FIG. 1 is embodied in FIG. 2 as the reliability evaluation unit 20 and the scheduler unit 40 in the core network 71.
 The policy execution unit 84 of FIG. 1 is embodied in FIG. 2 as the module verification unit 10 and the policy determination unit 30 in the access network 72. The policy execution unit 84 of FIG. 1 may further include the gNB (next Generation NodeB) 84A of FIG. 2, a base station of the 5G communication standard.
 The module verification unit 10 has an observation data DB 12 that stores the results of observing the entity 81 (observation data 73D in FIG. 3) and a verification module 11 that verifies the entity 81 module by module based on the data stored in the observation data DB 12. The verification module 11 performs one or more of the verifications exemplified below.
 ・Verify the communication performed by the module.
 ・Verify the System Calls used by the module.
 ・Verify the memory areas rewritten by the module for tampering and the like.
 The reliability evaluation unit 20 has a reliability calculation unit 21 and a network DB 22.
 The reliability calculation unit 21 calculates a reliability score for each entity 81 by applying a quantitative risk management method to the verification results of the module verification unit 10. The reliability score is an index based on the damage cost of a cyber attack from the entity 81 against the corporate resource 82. A cyber attack is, for example, unauthorised access from the entity 81 or a denial-of-service attack such as DoS (Denial of Service).
 The network DB 22 stores inventory information of the target network 73 and asset information of the corporate resource 82.
 The policy determination unit 30 has a policy control unit 31, which serves as the policy control unit 83 of FIG. 1.
 The policy control unit 31 determines a policy so that the total of two costs becomes low: the cost incurred when the policy is applied to the entity 81 (hereinafter "application cost") and the damage cost that the policy reduces. In other words, the policy control unit 31 determines the policy by evaluating the security risk (reliability score) calculated by the reliability evaluation unit 20 and the risk incurred when providing the service (such as the risk of failing to meet the SLA) on one unified index.
 The policy determined by the policy control unit 31 is at least one of a "policy content", which policy is to be executed, and a "policy location", on which entity 81 the policy is to be executed. When several pairs of policy content and policy location exist, the policy control unit 31 finds the optimal combination among them. "Optimal" here means, as described later with reference to FIG. 3, that not only the security risk (reliability score) but also the risk incurred when providing the service is reduced in a well-balanced manner.
 The policy control unit 31 applies the determined policy to the target network 73 (the policy execution unit 84 of FIG. 1).
 The policy determination unit 30 applies the determined policy to accesses from the entity 81 to the corporate resource 82 by setting it in the policy execution unit 84. Alternatively, the policy determination unit 30 may present the determined policy to an operator on a display screen so that the operator can understand it.
 The scheduler unit 40 has an operation unit 41 that operates the processing units of the policy control device (the module verification unit 10, the reliability evaluation unit 20, and the policy determination unit 30).
 In the operation phase, the operation unit 41 schedules, for each entity 81, the processing by each processing unit of the policy control device according to the security risk indicated by the reliability score. The operation unit 41 may run this operation-phase scheduling periodically, or sporadically at irregular times.
 Furthermore, the operation unit 41 may receive the reliability score evaluated by the reliability evaluation unit 20 and increase or decrease the verification load of the verification module 11 when it verifies the entity 81. For example, the operation unit 41 assigns fewer kinds of verification functions to an entity 81 with a higher reliability score, so as to lower the load of verifying its observation data 73D.
 As a result, much of the finite system resources (verification capacity) is concentrated on the entities 81 with a low reliability score, so that adequate verification with low delay is possible even in a system with a large number of entities 81. Alternatively, the operation unit 41 may perform the verification process for a predetermined entity 81 that requires low delay later than for the other entities 81. For the period until the verification process of that predetermined entity 81 is performed, the operation unit 41 may assign a provisional verification result (communication permitted or communication blocked) to the predetermined entity 81.
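The scheduling just described, as an added example that is not part of the patent: it assigns fewer verification kinds to entities with a higher reliability score, pushes a low-latency entity behind the others, and hands a provisional verdict to everything not verified in this round. The `Entity` type, the score thresholds, the per-round verification budget and the sample population are constructed assumptions, and the score is taken to be normalised so that a higher value means more trust, as this passage uses it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three verification kinds of the verification module 11, in the assumed
# order in which they are dropped as an entity's reliability score rises.
CHECKS = ("communication", "system_call", "memory")
PERMIT_THRESHOLD = 0.5  # assumed: deferred entities at or above this score are provisionally permitted


@dataclass(frozen=True)
class Entity:
    name: str
    score: float               # reliability score 21H, normalised to [0, 1]; higher = more trusted
    low_latency: bool = False  # e.g. an in-vehicle terminal that cannot wait for its verdict


def checks_for(score: float) -> Tuple[str, ...]:
    """Fewer verification kinds for a higher score (assumed thresholds)."""
    if score >= 0.8:
        return CHECKS[:1]
    if score >= 0.5:
        return CHECKS[:2]
    return CHECKS


def provisional_result(score: float) -> str:
    """Interim verdict for an entity whose verification is not done this round."""
    return "permit" if score >= PERMIT_THRESHOLD else "block"


def schedule(entities: List[Entity], capacity: int) -> Tuple[Dict[str, Tuple[str, ...]], Dict[str, str]]:
    """One operation-phase round of the operation unit 41.

    capacity is the number of verification slots available this round.
    Returns (plan, provisional): plan maps each entity verified now to the
    checks it receives; provisional maps each entity not verified now
    (deferred low-latency entities and those that did not fit) to its
    interim verdict. Least trusted entities are served first; low-latency
    entities go to the back of the queue, as the text describes.
    """
    ordered = sorted(entities, key=lambda e: (e.low_latency, e.score))
    plan: Dict[str, Tuple[str, ...]] = {}
    provisional: Dict[str, str] = {}
    remaining = capacity
    for ent in ordered:
        checks = checks_for(ent.score)
        if len(checks) <= remaining:  # first fit: a cheaper job may still use leftover slots
            plan[ent.name] = checks
            remaining -= len(checks)
        else:
            provisional[ent.name] = provisional_result(ent.score)
    return plan, provisional


# Constructed sample population (not from the patent).
SAMPLE = [
    Entity("car", 0.9, low_latency=True),
    Entity("phone1", 0.3),
    Entity("tablet", 0.6),
    Entity("phone2", 0.95),
    Entity("netA", 0.1),  # a whole target network treated as one entity
]

if __name__ == "__main__":
    plan, provisional = schedule(SAMPLE, capacity=4)
    for name, checks in plan.items():
        print(f"verify {name}: {', '.join(checks)}")
    for name, verdict in provisional.items():
        print(f"provisional {name}: {verdict}")
```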
 FIG. 3 is an explanatory diagram of the policy control device.
 First, the variables used in the description of FIG. 3 are explained.
 An entity 81 is denoted by the variable e. The first entity 81 is e[1] and the m-th entity 81 is e[m]. The risk manifestation probability 21B is the probability P(e[m]=malicious | I) that the risk of e[m] has manifested. Manifestation of a risk means, for example, that an act in which the entity 81 attacks the corporate resource 82 by a cyber attack has actually occurred.
 The network settings 21F in the network DB 22 are information on the target network 73 and are referenced to identify the effect on the surroundings when the risk of e[m] manifests.
 An asset of the corporate resource 82 is denoted by the variable a. The first asset is a[1] and the n-th asset is a[n]. The value of asset a[n] is v(a[n]). The intrusion probability 21D is the probability p(a[i]) that asset a[i] is intruded.
 The resource information 21G in the network DB 22 is the set of asset values V={v(a[1]), v(a[2]), …, v(a[n])}.
 Each component of FIG. 3 is described below.
 The observation data DB 12 holds observation data 73D obtained by observing the entities 81 (e[m]) of the target network 73. To this end, each entity 81 has a log output function, and the module verification unit 10 (observation data DB 12) has a log collection function that collects the logs from those log output functions.
 The verification module 11 receives the observation data 73D, performs verification, and outputs the verification result to the reliability calculation unit 21 as events I={i[1], i[2], …, i[k]}.
 The reliability calculation unit 21 has a risk manifestation evaluation unit 21A, an influence range evaluation unit 21C, and a reliability calculation unit 21E.
 The risk manifestation evaluation unit 21A calculates the risk manifestation probability 21B (P(e[m])) from the events I output by the verification module 11, using an algorithm such as machine learning or mathematical statistics.
 The influence range evaluation unit 21C evaluates the intrusion probability 21D (p(a[i])) from the events I output by the verification module 11, the risk manifestation probability 21B, and the network settings 21F. The influence range evaluation unit 21C then calculates, from the intrusion probability 21D and the asset value v(a[i]), the influence cost Im(e[m]) that the manifested risk imposes on the surroundings.
 The reliability calculation unit 21E calculates the reliability score 21H from the intrusion probability 21D and the resource information 21G. The reliability score 21H is a scale for measuring risks such as security risk and SLA violation risk uniformly. In the following, the expected cost Ex(e[m])=P(e[m])×Im(e[m]) is used as an example of the reliability score 21H, but the score is not limited to an expected cost; any unified scale may be used.
 The policy control device can also improve the accuracy of the reliability score 21H by calculating the effect on the surroundings when the risk of e[m] manifests.
 To do so, the influence range evaluation unit 21C first enumerates, for the case where the risk of e[m] manifests, all assets A={a[1], a[2], …, a[n]} reachable from that e[m] and their value set V={v(a[1]), v(a[2]), …, v(a[n])}. Based on the enumerated assets, the influence range evaluation unit 21C calculates the influence cost Im(e[m]) that the risk of e[m] imposes on the surroundings as in (Formula 1). Here, the intrusion probability 21D (p(a[i])) is the sum of the products of the influence cost and the probability of intrusion (the sum of the expected costs of all assets).
 [Formula 1: equation image not reproduced]
 Next, the reliability calculation unit 21E calculates the final expected damage cost Ex(e[m]) as in (Formula 2).
 Ex(e[m])=P(e[m]=malicious | I)×Im(e[m]) …(Formula 2)
 The process by which the reliability calculation unit 21 outputs the reliability score 21H has been described above with reference to FIG. 3.
 The policy determination unit 30 determines the optimal policy based on the reliability score 21H. The processing of the policy determination unit 30 is described below.
 First, the variables used to describe policies are explained. A policy is denoted by the variable m. The first policy is m[1] and the l-th policy is m[l]; that is, the policy set M={m[1], m[2], …, m[l]} is defined.
 Each policy is defined as m[i]={e(m[i]), d(m[i]), c(m[i]), i(m[i])}.
 ・e(m[i]) is the entity 81 at the policy location to which policy m[i] is applied.
 ・d(m[i]) is the policy content of policy m[i]. Examples of policy content are filtering communication and stopping an attack, such as by shutting down the entity 81.
 ・c(m[i]) is the application cost incurred when policy m[i] is applied. It includes the cost of executing the policy content and the cost incurred when executing the policy content affects the SLA.
 ・i(m[i]) is the policy effect, the expected damage cost representing the security risk that is reduced by executing m[i]. The policy effect i(m[i]) is related to the influence cost Im(e[m]) calculated in (Formula 1).
 The policy set M(e[m]) applied to e[m] is then expressed as in (Formula 3).
 [Formula 3: equation image not reproduced]
 Using (Formula 3), the policy determination unit 30 evaluates both the policy effect obtained by executing each policy m[i] and the application cost that it imposes, and determines the policies so that the overall cost is as low as possible. That is, when policy content d(m[i]) is executed, the damage cost is reduced even if the risk manifests, so the expected cost Ex(e[m]) can be lowered by the policy effect i(m[i]). On the other hand, executing policy content d(m[i]) increases the cost by the application cost c(m[i]).
 Using (Formula 3), the policy determination unit 30 offsets this reduction in damage cost against the increase in application cost and selects, for each policy m[i], whether or not to execute it, so that the overall cost is lower than with the other choice.
 This realises total risk management covering both security and the SLA.
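The reliability score and the cost-based policy selection described above (Formulas 1 to 3), as an added example that is not part of the patent. Because the images of Formulas 1 and 3 are not reproduced here, it assumes Formula 1 is Im(e[m]) = Σ p(a[i])·v(a[i]) over the assets reachable from e[m], as the text describes, and reads Formula 3 as choosing the subset of M(e[m]) that minimises the residual expected damage plus the application costs; the noisy-OR event weights, the hop-decay intrusion model, the sample network and the candidate policies are all constructed.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Policy:
    """One policy m[i] = {e(m[i]), d(m[i]), c(m[i]), i(m[i])}."""
    entity: str    # e(m[i]): policy location
    content: str   # d(m[i]): policy content
    cost: float    # c(m[i]): application cost, including any SLA impact
    effect: float  # i(m[i]): damage cost removed if the policy is applied


# Constructed sample data (not from the patent). NETWORK stands in for the
# network settings 21F (who can reach whom), ASSET_VALUE for the resource
# information 21G (the value set V), and EVENT_WEIGHT for the model behind the
# risk manifestation probability 21B, which the patent leaves open.
NETWORK: Dict[str, List[str]] = {
    "e1": ["NEF", "AMF"], "NEF": ["PCF"], "AMF": ["UPF"],
    "PCF": [], "UPF": ["DN"], "DN": [],
}
ASSET_VALUE: Dict[str, float] = {
    "NEF": 100.0, "PCF": 400.0, "AMF": 150.0, "UPF": 250.0, "DN": 50.0,
}
EVENT_WEIGHT: Dict[str, float] = {
    "unexpected_peer": 0.25,    # communication check: peer outside the profile
    "unexpected_syscall": 0.5,  # system call check: call outside the profile
    "memory_tampered": 0.75,    # memory check: rewritten region failed
}
HOP_DECAY = 0.5  # assumed: each hop away from e[m] halves the intrusion chance

def risk_probability(events: Iterable[str]) -> float:
    """P(e[m]=malicious | I) as a noisy-OR over the verification events I."""
    p_clean = 1.0
    for ev in events:
        p_clean *= 1.0 - EVENT_WEIGHT[ev]
    return 1.0 - p_clean

def influence_range(entity: str, network: Dict[str, List[str]] = NETWORK) -> Dict[str, int]:
    """Assets A reachable from e[m], each with its hop count (BFS over 21F)."""
    hops = {entity: 0}
    queue = [entity]
    while queue:
        node = queue.pop(0)
        for nxt in network.get(node, []):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return {a: h for a, h in hops.items() if a in ASSET_VALUE}

def intrusion_probability(hops: int) -> float:
    """p(a[i]) under the assumed hop-decay model."""
    return HOP_DECAY ** hops

def influence_cost(entity: str) -> float:
    """Im(e[m]), read from the text as the sum of p(a[i]) * v(a[i]) over A."""
    return sum(intrusion_probability(h) * ASSET_VALUE[a]
               for a, h in influence_range(entity).items())

def expected_cost(entity: str, events: Iterable[str]) -> float:
    """Ex(e[m]) = P(e[m]=malicious | I) * Im(e[m])  (Formula 2)."""
    return risk_probability(events) * influence_cost(entity)

def total_cost(ex: float, chosen: Sequence[Policy]) -> float:
    """Residual expected damage plus the application cost of the chosen policies.
    Damage cannot drop below zero, so the effects saturate at Ex."""
    remaining = max(0.0, ex - sum(p.effect for p in chosen))
    return remaining + sum(p.cost for p in chosen)

def decide_policies(ex: float, candidates: Sequence[Policy]) -> Tuple[FrozenSet[Policy], float]:
    """Subset of M(e[m]) with the lowest total cost (Formula 3 as read here).
    Brute force over subsets, which is fine for the few candidates one entity has."""
    best: Tuple[FrozenSet[Policy], float] = (frozenset(), total_cost(ex, ()))
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            cost = total_cost(ex, subset)
            if cost < best[1]:
                best = (frozenset(subset), cost)
    return best


# Sample run: verifying e1 raised two events, and three policies are on offer,
# two of them at e1 itself and one at the AMF on its path (policy location).
EVENTS_E1 = ["unexpected_peer", "unexpected_syscall"]
CANDIDATES_E1 = [
    Policy("e1", "filter traffic", cost=20.0, effect=100.0),
    Policy("AMF", "block e1 at AMF", cost=30.0, effect=60.0),
    Policy("e1", "shut down", cost=150.0, effect=200.0),
]

if __name__ == "__main__":
    ex = expected_cost("e1", EVENTS_E1)  # 0.625 * 293.75 = 183.59375
    chosen, cost = decide_policies(ex, CANDIDATES_E1)
    print(f"Ex(e1) = {ex:.5f} with no policy applied")
    for p in sorted(chosen, key=lambda p: p.content):
        print(f"  apply '{p.content}' at {p.entity}")
    print(f"total cost after policies = {cost:.5f}")  # 73.59375
```

Shutting e1 down alone would remove all the expected damage but costs more than the damage it prevents, so the cheaper pair of filtering at e1 and blocking at the AMF wins; that is the combination of content and location the text calls optimal.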
 FIG. 4 is a hardware configuration diagram of the policy control device.
 The policy control device is configured as a computer 900 having a CPU 901, a RAM 902, a ROM 903, an HDD 904, a communication I/F 905, an input/output I/F 906, and a media I/F 907.
 The communication I/F 905 is connected to an external communication device 915. The input/output I/F 906 is connected to an input/output device 916. The media I/F 907 reads and writes data on a recording medium 917. The CPU 901 controls each unit by executing a program (also called an application, or an app for short) read into the RAM 902. The program may be distributed over a communication line, or recorded on a recording medium 917 such as a CD-ROM and distributed.
 The policy control device may further have a container platform 920 with an H/W (hardware) accelerator 921 and a TPM (Trusted Platform Module) 922. The components of the container platform 920 may also be implemented within the CPU 901.
 The H/W accelerator 921 and the container runtime function of the container platform 920 are preferably applied to each processing unit of the policy control device (the module verification unit 10, the reliability evaluation unit 20, the policy determination unit 30, and the scheduler unit 40). This makes it possible to speed up and scale out each processing unit, so that a system carrying a large number of entities 81 can be supported.
 The TPM 922 is also preferably applied to each processing unit of the policy control device (the module verification unit 10, the reliability evaluation unit 20, the policy determination unit 30, and the scheduler unit 40). This prevents tampering with the reliability score 21H and the policies m[i].
[Effects]
 The policy control device of the present invention has a module verification unit 10 that verifies observation data 73D obtained by observing an entity 81 that accesses a corporate resource 82;
 a reliability evaluation unit 20 that calculates, from the verification result of the module verification unit 10, a reliability score of each entity 81 based on the damage cost of a cyber attack from the entity 81 against the corporate resource 82; and
 a policy determination unit 30 that determines, based on the application cost incurred when a policy is applied to the entity 81 and the damage cost that the policy reduces, the entity 81 at the policy location to which the policy is applied, so that the total of both costs becomes low.
 The policy control device thereby evaluates the security risk of leaving an entity 81 with a low reliability score in place and the service risk, such as falling below the SLA, of applying a policy to the entity 81 on the same scale of cost. It can therefore formulate measures that reduce security risk and the risk incurred when providing services in a well-balanced manner.
 In the present invention, the policy control device further has a scheduler unit 40, and
 the scheduler unit 40 lowers, for an entity 81 with a higher reliability score, the load with which the module verification unit 10 verifies the observation data 73D observed from that entity 81.
 As a result, the total verification load is reduced by concentrating verification on the small fraction of entities 81 with high security risk. Thus, even in a large-scale system with hundreds of millions of target entities 81, the verification load on the policy control device is reduced and the strict delay requirements imposed on the policy control device can be met.
 In the present invention, the scheduler unit 40 performs the verification process of a predetermined entity 81 later than that of the other entities 81 and assigns a provisional verification result to the predetermined entity 81 for the period until its verification process is performed.
 As a result, a provisional verification result is assigned to the entity 81 in place of the verification process that is provisionally skipped, so that the strict delay requirements imposed on the policy control device can be met.
 In the present invention, the processing of the module verification unit 10, the processing of the reliability evaluation unit 20, and the processing of the policy determination unit 30 are executed by the TPM 922.
 This prevents tampering with the computation contents of each processing unit of the policy control device.
 10  Module verification unit
 11  Verification module
 12  Observation data DB
 20  Reliability evaluation unit
 21  Reliability calculation unit
 21A Risk manifestation evaluation unit
 21B Risk manifestation probability
 21C Influence range evaluation unit
 21D Intrusion probability
 21E Reliability calculation unit
 21F Network settings
 21G Resource information
 21H Reliability score
 22  Network DB
 30  Policy determination unit
 31  Policy control unit
 40  Scheduler unit
 41  Operation unit
 71  Core network
 72  Access network
 73  Target network
 73D Observation data
 80  Zero trust system
 81  Entity
 82  Corporate resource (asset)
 83  Policy control unit
 83A Access permission unit
 83B Policy setting unit
 84  Policy execution unit

Claims (7)

  1.  アセットにアクセスするエンティティを観測した結果の観測データを検証するモジュール検証部と、
     前記モジュール検証部の検証結果から、前記エンティティから前記アセットへのサイバー攻撃による被害コストに基づく、前記各エンティティの信頼性スコアを計算する信頼性評価部と、
     ポリシを前記エンティティに適用したときに発生するコストと、ポリシの適用により軽減させる前記被害コストとをもとに、双方のコストのトータルコストが低くなるように、ポリシを適用する方策箇所の前記エンティティを決定する方策決定部とを有することを特徴とする
     ポリシ制御装置。
    a module verification unit that verifies observation data as a result of observing entities accessing assets;
    a reliability evaluation unit that calculates a reliability score of each entity based on a damage cost caused by a cyber attack from the entity to the asset from the verification result of the module verification unit;
    Based on the cost that occurs when the policy is applied to the entity and the damage cost that is reduced by applying the policy, the policy is applied to the entity at the point where the policy is applied so that the total cost of both costs is reduced. A policy control device comprising: a policy determining unit that determines a policy.
  2.  前記ポリシ制御装置は、さらに、スケジューラ部を有しており、
     前記スケジューラ部は、前記信頼性スコアが高い前記エンティティほど、前記モジュール検証部がそのエンティティから観測した前記観測データを検証する負荷を低くすることを特徴とする
     請求項1に記載のポリシ制御装置。
    The policy control device further includes a scheduler section,
    The policy control device according to claim 1, wherein the scheduler unit lowers the load on the module verification unit to verify the observation data observed from the entity as the reliability score is higher.
  3.  前記スケジューラ部は、所定のエンティティの検証処理を他の前記エンティティよりも後で行うこととし、その所定のエンティティの検証処理が行われるまでの経過期間について前記所定のエンティティに暫定的な検証結果を割り当てることを特徴とする
     請求項2に記載のポリシ制御装置。
    The scheduler section performs a verification process on a predetermined entity later than the other entities, and sends provisional verification results to the predetermined entity regarding the elapsed period until the verification process on the predetermined entity is performed. The policy control device according to claim 2, characterized in that the policy control device allocates.
  4.  前記モジュール検証部の処理、前記信頼性評価部の処理、および、前記方策決定部の処理は、TPM(Trusted Platform Module)により実行されることを特徴とする
     請求項1に記載のポリシ制御装置。
    The policy control device according to claim 1, wherein the processing of the module verification section, the processing of the reliability evaluation section, and the processing of the policy determination section are executed by a TPM (Trusted Platform Module).
  5.  請求項1ないし請求項4のいずれか1項に記載のポリシ制御装置と、前記エンティティと、前記アセットとがネットワークで接続されており、
     前記エンティティから前記アセットへのアクセスには、前記方策決定部が決定したポリシが適用されることを特徴とする
     ゼロトラストシステム。
    The policy control device according to any one of claims 1 to 4, the entity, and the asset are connected via a network,
    A zero trust system, wherein a policy determined by the policy determining unit is applied to access from the entity to the asset.
  6.  ポリシ制御装置は、モジュール検証部と、信頼性評価部と、方策決定部とを有しており、
     前記モジュール検証部は、アセットにアクセスするエンティティを観測した結果の観測データを検証し、
     前記信頼性評価部は、前記モジュール検証部の検証結果から、前記エンティティから前記アセットへのサイバー攻撃による被害コストに基づく、前記各エンティティの信頼性スコアを計算し、
     前記方策決定部は、ポリシを前記エンティティに適用したときに発生するコストと、ポリシの適用により軽減させる前記被害コストとをもとに、双方のコストのトータルコストが低くなるように、ポリシを適用する方策箇所の前記エンティティを決定することを特徴とする
     ポリシ制御方法。
    The policy control device includes a module verification section, a reliability evaluation section, and a policy determination section,
    The module verification unit verifies observation data as a result of observing an entity accessing an asset;
    The reliability evaluation unit calculates a reliability score of each entity based on a damage cost caused by a cyber attack from the entity to the asset from the verification result of the module verification unit,
    The policy determining unit applies the policy based on the cost that occurs when the policy is applied to the entity and the damage cost that is reduced by applying the policy, so that the total cost of both costs is low. A policy control method, characterized in that the entity of the policy location is determined.
  7.  A policy control program for causing a computer to function as the policy control device according to any one of claims 1 to 4.
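The method of claim 6 (verify observation data, derive a damage-cost-based reliability score, then choose policy locations so that enforcement cost plus residual damage is minimal) as an added worked example. This is illustration code written for this page, not the applicant's implementation: the compromise likelihood (1 minus the verified fraction of modules), the fixed mitigation factor, the score formula 1/(1 + damage), the entity names, asset values, policy costs and module hashes are all assumptions.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Entity:
    name: str
    asset_value: float  # assumed: loss if the asset this entity reaches is compromised
    policy_cost: float  # assumed: cost of enforcing a policy at this entity (proxying, MFA, ...)


# Assumed mitigation factor: a policy applied at an entity removes this share of its damage cost.
MITIGATION = 0.9


def verify_modules(observed: Dict[str, str], reference: Dict[str, str]) -> float:
    """Module verification unit (assumed form): share of the entity's software modules
    whose measured hash matches the known-good reference; 1.0 means all verified."""
    if not reference:
        return 0.0
    ok = sum(1 for mod, digest in reference.items() if observed.get(mod) == digest)
    return ok / len(reference)


def damage_cost(entity: Entity, verification: float) -> float:
    """Reliability evaluation unit, step 1 (assumed form): expected damage of a cyber attack
    launched from this entity, taking (1 - verification) as the compromise likelihood."""
    return (1.0 - verification) * entity.asset_value


def reliability_score(damage: float) -> float:
    """Reliability evaluation unit, step 2 (assumed form): score in (0, 1], 1 = fully trusted,
    decreasing monotonically in the expected damage cost."""
    return 1.0 / (1.0 + damage)


def total_cost(entities: Iterable[Entity], damages: Dict[str, float], locations: Set[str]) -> float:
    """Enforcement cost at the chosen policy locations plus the damage cost that remains."""
    cost = 0.0
    for e in entities:
        d = damages[e.name]
        cost += (e.policy_cost + d * (1.0 - MITIGATION)) if e.name in locations else d
    return cost


def decide_policy_locations(entities: Iterable[Entity], damages: Dict[str, float]) -> Set[str]:
    """Policy determination unit: pick the entities at which applying the policy lowers the
    total cost. With per-entity costs the optimum is a threshold test: apply the policy
    where its enforcement cost is below the damage cost it removes."""
    return {e.name for e in entities if e.policy_cost < MITIGATION * damages[e.name]}


def decide_exhaustive(entities: Iterable[Entity], damages: Dict[str, float]) -> Set[str]:
    """Same decision by subset search: the general form to fall back on when enforcement
    cost is not separable per entity (shared infrastructure, a global budget)."""
    entities = list(entities)
    names = [e.name for e in entities]
    best, best_cost = set(), float("inf")
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            c = total_cost(entities, damages, set(combo))
            if c < best_cost:
                best, best_cost = set(combo), c
    return best


def run_control_cycle(entities, observations, reference):
    """One pass of the claimed method: verify -> evaluate reliability -> decide locations."""
    entities = list(entities)
    verifications = {e.name: verify_modules(observations[e.name], reference) for e in entities}
    damages = {e.name: damage_cost(e, verifications[e.name]) for e in entities}
    scores = {n: reliability_score(d) for n, d in damages.items()}
    locations = decide_policy_locations(entities, damages)
    return {
        "verification": verifications,
        "damage": damages,
        "score": scores,
        "locations": locations,
        "total_cost": total_cost(entities, damages, locations),
        "unmitigated_cost": total_cost(entities, damages, set()),
    }


# Constructed sample data (not from the patent): three entities, one reference measurement set.
REFERENCE = {"kernel": "aa11", "agent": "bb22", "browser": "cc33"}
ENTITIES = [
    Entity("laptop-7", asset_value=1000.0, policy_cost=50.0),
    Entity("kiosk-2", asset_value=200.0, policy_cost=80.0),
    Entity("server-a", asset_value=5000.0, policy_cost=400.0),
]
OBSERVATIONS = {
    "laptop-7": {"kernel": "aa11", "agent": "bb22", "browser": "ff99"},  # browser drifted
    "kiosk-2": {"kernel": "aa11", "agent": "xx00", "browser": "cc33"},   # agent drifted
    "server-a": {"kernel": "aa11", "agent": "bb22", "browser": "cc33"},  # fully verified
}

if __name__ == "__main__":
    result = run_control_cycle(ENTITIES, OBSERVATIONS, REFERENCE)
    for e in ENTITIES:
        print(f"{e.name:9s} verified={result['verification'][e.name]:.2f} "
              f"damage={result['damage'][e.name]:8.2f} score={result['score'][e.name]:.4f} "
              f"policy={'yes' if e.name in result['locations'] else 'no'}")
    print(f"total cost {result['total_cost']:.2f} (unmitigated {result['unmitigated_cost']:.2f})")
```

On the constructed data only laptop-7 becomes a policy location: kiosk-2 is equally unverified but guards a low-value asset, so enforcing there costs more than the damage it would remove, and server-a is fully verified. The exhaustive search returns the same set, which is the check to keep when the cost model stops being separable per entity.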
PCT/JP2022/011815 2022-03-16 2022-03-16 Policy control device, zero trust system, policy control method, and policy control program WO2023175756A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/011815 WO2023175756A1 (en) 2022-03-16 2022-03-16 Policy control device, zero trust system, policy control method, and policy control program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/011815 WO2023175756A1 (en) 2022-03-16 2022-03-16 Policy control device, zero trust system, policy control method, and policy control program

Publications (1)

Publication Number Publication Date
WO2023175756A1 true WO2023175756A1 (en) 2023-09-21

Family

ID=88022531

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/011815 WO2023175756A1 (en) 2022-03-16 2022-03-16 Policy control device, zero trust system, policy control method, and policy control program

Country Status (1)

Country Link
WO (1) WO2023175756A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005234840A (en) * 2004-02-19 2005-09-02 Nec Micro Systems Ltd Method for evaluating risk and method for support selection of security management measures and program
WO2008004498A1 (en) * 2006-07-06 2008-01-10 Nec Corporation Security risk management system, device, method, and program
JP2008507757A (en) * 2004-07-20 2008-03-13 Reflectent Software, Inc. End user risk management

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
KAZATO YUTA, YOSHIDE NAKAGAWA: "A study on a dynamic allocation method for security functions assuming toward zero trust-based large scale networks", DICOMO 2021, INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 2021, no. 1, 1 June 2021 (2021-06-01), pages 1459 - 1465, XP093092202 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22932036

Country of ref document: EP

Kind code of ref document: A1