Abstract: According to one embodiment, an information processing device includes a memory and one or more processors coupled to the memory. The one or more processors are configured to: acquire a violation log violating a normal list from a plurality of logs, and specify, as a head process, a process that has caused a phenomenon a history of which is described in the violation log; acquire a log sequence including a log of the head process and respective logs of processes of multiple generations successively tracing a generation source of the head process back to the past; detect, as a normal subsequence, a newest subsequence in which a predetermined first generation number of normal parent-child relations in the log sequence are consecutive based on a normal graph; and cause an analysis object storage device to store part of the log sequence at least from the violation log to the normal subsequence.

Abstract: An attack control device according to an embodiment is provided with a storage unit and one or more hardware processors configured to function as a selection unit, a determination unit, and a calculation unit. The storage unit associates and stores a normal communication data model representing a model of communication data of a normal system, with each network segment. The selection unit specifies the network segment based on the communication prediction data predicted upon execution of the attack scenario and selects the normal communication data model associated with the network segment. The determination unit determines the similarity degree between the normal communication data represented by the normal communication data model, and the communication prediction data. The calculation unit calculates an effectiveness degree of the attack scenario to be higher as the similarity degree is higher.

Abstract: According to one embodiment, an information processing device includes: a pseudo trace generator configured to employ trace information of a first attack acquired when the first attack is executed on a first apparatus in a communication network and attack method information related to an attack method of a second attack on a second apparatus to generate pseudo trace information of the second attack; and a pseudo trace transmitter configured to transmit the pseudo trace information of the second attack to an evaluation target device which detects an attack based on trace information of the attack.

Abstract: According to one embodiment, an information processing apparatus includes a communication amount predictor. The communication amount predictor acquires relation data in which a variation of a communication amount in a first environment including first devices of a plurality of function types is associated with a varied number of the first devices for each of the plurality of function types in a case where a number of first devices for each of the plurality of function types varies in the first environment. The communication amount predictor predicts a communication amount in a second environment including second devices of the plurality of function types on a basis of the relation data and a number of the second devices for each of the plurality of function types in the second environment.

Abstract: According to one embodiment, an information processing apparatus includes a communication amount predictor. The communication amount predictor acquires relation data in which a variation of a communication amount in a first environment including first devices of a plurality of function types is associated with a varied number of the first devices for each of the plurality of function types in a case where a number of first devices for each of the plurality of function types varies in the first environment. The communication amount predictor predicts a communication amount in a second environment including second devices of the plurality of function types on a basis of the relation data and a number of the second devices for each of the plurality of function types in the second environment.

Abstract: According to an embodiment, an information processing apparatus includes a verification execution unit and a risk calculation unit. The verification execution unit attacks a verification environment in which at least one of attack countermeasures indicated by attack countermeasure information is applied to a verification target system by using each of a plurality of attack scenarios, and creates a possible attack scenario list that is a list of attack scenarios in which an attack has succeeded. The risk calculation unit calculates a risk value representing an evaluation result of the attack countermeasure applied to the verification environment, based on the possible attack scenario list.

Abstract: A detection system 1 includes a control device 10 and a monitoring device 20 communicably connected to the control device 10. An acquisition unit 10A of the control device 10 acquires a target’s observation value by a sensor 30. A first-noise-output unit 10B outputs a first-noise-value changing with time and less than a resolution of the sensor 30. An integration unit 10C outputs an integrated value obtained by integrating the first-noise-value and the observation value. A transmission unit 10D transmits the integrated value to the monitoring device 20. A separation unit 20A of the monitoring device 20 separates the integrated value from the control device 10 into the observation value and the first-noise-value. A second-noise-output unit 20B outputs a second-noise-value as the first-noise-value. A detection unit 20C detects whether the integrated value is a replay attack using the spatial distance between the first-noise-value and the second-noise-value.

Abstract: An attack control device according to an embodiment is provided with a storage unit and one or more hardware processors configured to function as a selection unit, a determination unit, and a calculation unit. The storage unit associates and stores a normal communication data model representing a model of communication data of a normal system, with each network segment. The selection unit specifies the network segment based on the communication prediction data predicted upon execution of the attack scenario and selects the normal communication data model associated with the network segment. The determination unit determines the similarity degree between the normal communication data represented by the normal communication data model, and the communication prediction data. The calculation unit calculates an effectiveness degree of the attack scenario to be higher as the similarity degree is higher.

Abstract: According to an embodiment, an information processing device includes an obtaining unit and a communication generating unit. The obtaining unit obtains first communication data of a first environment, first configuration information, and second configuration information. First identification information of each first device of a plurality of first devices in the first environment is associated with function identification information of a function of the first device in the first configuration information. Second identification information of each second device of a plurality of second devices in a second environment is associated with function identification information of a function of the second device in the second configuration information.

Abstract: According to one embodiment, a communication device belongs to a communication network including a control device and a plurality of communication devices connected to the control device, and transmits a communication packet to a transmission destination communication device. The communication device and the transmission destination communication device are differently one of the plurality of communication devices. In the communication device, a memory stores first information for judging a normality of the communication packet. An analyzing unit judges the normality of a received communication packet based on the received communication packet and the first information. A transmission destination determining unit determines the transmission destination communication device and the control device as transmission destinations of the received communication packet when the analyzing unit judges that the received communication packet is not normal.

Abstract: A control apparatus with automated test suites according to an embodiment includes capability information storage, and at least one hardware processor configured to function as an analyzer, an organizer, and an executor. The capability information storage stores therein a plurality of capabilities defining actions indicating attack methods. The analyzer parses at least one of network structure information of a system under test and vulnerability information of the system under test to extract the actions from the capabilities. The organizer generates an attack path through which an achieved state of an attack goal is reached by combining the actions extracted by the analyzer. The executor executes the actions included in the attack path.

Abstract: According to one embodiment, a communication device belongs to a communication network including a control device and a plurality of communication devices connected to the control device, and transmits a communication packet to a transmission destination communication device. The communication device and the transmission destination communication device are differently one of the plurality of communication devices. In the communication device, a memory stores first information for judging a normality of the communication packet. An analyzing unit judges the normality of a received communication packet based on the received communication packet and the first information. A transmission destination determining unit determines the transmission destination communication device and the control device as transmission destinations of the received communication packet when the analyzing unit judges that the received communication packet is not normal.

Abstract: According to an embodiment, an information processing device includes a processor. The processor is configured to: execute a rewriting process to rewrite some of a plurality of factors, included in data for normal operation of a target device, into a value different from a normal value; execute a correction process that is performed in a course of generating test data to be used for a test of the target device; and determine a method of generating the test data based on a rewriting part that indicates a factor serving as a target of the rewriting process and based on a correction part that indicates a factor serving as a target of the correction process.

Abstract: According to an embodiment, an information processing device includes a first manager, a second manager, and a generator. The first manager loads a first class of a first object that requests execution of methods contained in a second object and a third class of a limiter configured to limit access from the first object to the methods. The second manager loads a second class of the second object. The generator generates the second object from the second class upon receiving a generation request for generating the second object from the first object, generates the limiter from the second object and the third class, and transmits the limiter to the first object.

Abstract: According to an embodiment, a code processing apparatus includes a determining unit, a concealing unit, an instructing unit, and an unconcealing unit. The determining unit is configured to determine, based on relocation information included in first code data that includes a code body and relocation information representing a portion of the code body to be relocated by a linker, a first portion including at least a part of the code body that is other than the portion. The concealing unit is configured to conceal the first portion. The instructing unit is configured to instruct the linker to process the first code data having the first portion concealed. The unconcealing unit is configured to unconceal the concealed portion of second code data that is generated from the first code data by the linker.

Abstract: A condition determination device includes an acquiring unit, a specifying unit, a classifying unit, and a condition determining unit. The acquiring unit acquires a total execution history, which is an execution count for each component included in a program, when a test is performed by supplying a plurality of input data to a target device which executes the program. The specifying unit specifies a shortage component of which the execution count indicated by the total execution history does not satisfy test criteria among components included in the program. The classifying unit classifies each of the input data into first data, which causes the target device to execute the shortage component, and second data, which does not cause the target device to execute the shortage component. The condition determining unit determines a condition of input data having a common characteristic with the first data.

Abstract: According to an embodiment, an information processing device includes a processor. The processor is configured to: execute a rewriting process to rewrite some of a plurality of factors, included in data for normal operation of a target device, into a value different from a normal value; execute a correction process that is performed in a course of generating test data to be used for a test of the target device; and determine a method of generating the test data based on a rewriting part that indicates a factor serving as a target of the rewriting process and based on a correction part that indicates a factor serving as a target of the correction process.

Abstract: An information processing device according to one embodiment includes one or more processors. The processors acquire a total execution history, which is an execution history for each component included in a program, when a test is performed by supplying a plurality of input data to a target device which executes the program, and specify a shortage component of which the total execution history does not satisfy test criteria among plural components included in the program. The processors classify each of the plurality of input data into first data, which causes the target device to execute the shortage component, and second data, which does not cause the target device to execute the shortage component. The processors determine a condition of input data having a common characteristic with the first data.

Abstract: An information processing apparatus includes a result acquiring unit configured to acquire a pair of first test data fed to the test object and a determination result indicating an operating state of the test object when the first test data is fed, and a generating unit configured to generate second test data based on the pair of the first test data and the determination result. The generating unit is configured to select two pieces of first test data with different determination results, and to generate the second test data by generating the test data within an intermediary area between the two selected pieces of the first test data more frequently than the test data outside of the intermediary area.

Abstract: According to an embodiment, a code processing apparatus includes a determining unit, a concealing unit, an instructing unit, and an unconcealing unit. The determining unit is configured to determine, based on relocation information included in first code data that includes a code body and relocation information representing a portion of the code body to be relocated by a linker, a first portion including at least a part of the code body that is other than the portion. The concealing unit is configured to conceal the first portion. The instructing unit is configured to instruct the linker to process the first code data having the first portion concealed. The unconcealing unit is configured to unconceal the concealed portion of second code data that is generated from the first code data by the linker.