Patents by Inventor Hiroyoshi Haruki

Hiroyoshi Haruki has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230318928
    Abstract: According to one embodiment, an information processing apparatus includes a communication amount predictor. The communication amount predictor acquires relation data in which a variation of a communication amount in a first environment including first devices of a plurality of function types is associated with a varied number of the first devices for each of the plurality of function types in a case where a number of first devices for each of the plurality of function types varies in the first environment. The communication amount predictor predicts a communication amount in a second environment including second devices of the plurality of function types on a basis of the relation data and a number of the second devices for each of the plurality of function types in the second environment.
    Type: Application
    Filed: September 5, 2022
    Publication date: October 5, 2023
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Tomonori MAEDA, Hiroyoshi HARUKI, Fukutomo NAKANISHI, Jun KANAI
  • Patent number: 11770395
    Abstract: An information processing apparatus according to an embodiment includes a list storage unit and processor. The list storage unit stores therein allow lists for module processing types, and each allow list describes an execution-permitted system operation. The processor functions as an operation detecting unit, a process specifying unit, a log specifying unit, a type specifying unit, and an output unit. The operation detecting unit detects execution of any of system operations. The process specifying unit specifies a target process that has executed execution-detected system operation. The log specifying unit specifies a target operation log. The type specifying unit specifies a type of target module processing that executed execution-detected system operation by analyzing the target operation log. The output unit outputs anomaly information when the allow list for the target module processing type does not include the execution-detected system operation.
    Type: Grant
    Filed: August 30, 2021
    Date of Patent: September 26, 2023
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Naoki Ogura, Jun Kanai, Hiroyoshi Haruki
  • Publication number: 20230274005
    Abstract: According to an embodiment, an information processing apparatus includes a verification execution unit and a risk calculation unit. The verification execution unit attacks a verification environment in which at least one of attack countermeasures indicated by attack countermeasure information is applied to a verification target system by using each of a plurality of attack scenarios, and creates a possible attack scenario list that is a list of attack scenarios in which an attack has succeeded. The risk calculation unit calculates a risk value representing an evaluation result of the attack countermeasure applied to the verification environment, based on the possible attack scenario list.
    Type: Application
    Filed: August 30, 2022
    Publication date: August 31, 2023
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Hiroyoshi HARUKI, Fukutomo NAKANISHI, Satoshi AOKI, Daiki ISHIHARA
  • Publication number: 20230269271
    Abstract: A detection system 1 includes a control device 10 and a monitoring device 20 communicably connected to the control device 10. An acquisition unit 10A of the control device 10 acquires a target’s observation value by a sensor 30. A first-noise-output unit 10B outputs a first-noise-value changing with time and less than a resolution of the sensor 30. An integration unit 10C outputs an integrated value obtained by integrating the first-noise-value and the observation value. A transmission unit 10D transmits the integrated value to the monitoring device 20. A separation unit 20A of the monitoring device 20 separates the integrated value from the control device 10 into the observation value and the first-noise-value. A second-noise-output unit 20B outputs a second-noise-value as the first-noise-value. A detection unit 20C detects whether the integrated value is a replay attack using the spatial distance between the first-noise-value and the second-noise-value.
    Type: Application
    Filed: August 15, 2022
    Publication date: August 24, 2023
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Daiki ISHIHARA, Fukutomo NAKANISHI, Satoshi AOKI, Hiroyoshi HARUKI
  • Publication number: 20230239327
    Abstract: An attack control device according to an embodiment is provided with a storage unit and one or more hardware processors configured to function as a selection unit, a determination unit, and a calculation unit. The storage unit associates and stores a normal communication data model representing a model of communication data of a normal system, with each network segment. The selection unit specifies the network segment based on the communication prediction data predicted upon execution of the attack scenario and selects the normal communication data model associated with the network segment. The determination unit determines the similarity degree between the normal communication data represented by the normal communication data model, and the communication prediction data. The calculation unit calculates an effectiveness degree of the attack scenario to be higher as the similarity degree is higher.
    Type: Application
    Filed: August 30, 2022
    Publication date: July 27, 2023
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Hiroyoshi HARUKI, Fukutomo NAKANISHI, Satoshi AOKI, Daiki ISHIHARA
  • Publication number: 20230222221
    Abstract: According to an embodiment, an attack control device includes a detection unit, an attack result storage control unit, an attack result analysis unit, and an attack instruction unit. The detection unit analyzes an attack result of a multi-stage attack executed based on an attack scenario and detects a failed attack instruction that has failed because of a session interrupted during the multi-stage attack. The attack result storage control unit stores the attack result in a storage device. The attack result analysis unit analyzes an attack instruction that has established the interrupted session from the attack result. The attack instruction unit resumes the multi-stage attack from the attack instruction that has established the interrupted session.
    Type: Application
    Filed: August 30, 2022
    Publication date: July 13, 2023
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Satoshi AOKI, Nakanishi FUKUTOMO, Hiroyoshi HARUKI, Daiki ISHIHARA
  • Publication number: 20230067096
    Abstract: According to an embodiment, an information processing device includes an obtaining unit and a communication generating unit. The obtaining unit obtains first communication data of a first environment, first configuration information, and second configuration information. First identification information of each first device of a plurality of first devices in the first environment is associated with function identification information of a function of the first device in the first configuration information. Second identification information of each second device of a plurality of second devices in a second environment is associated with function identification information of a function of the second device in the second configuration information.
    Type: Application
    Filed: February 22, 2022
    Publication date: March 2, 2023
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Tomonori MAEDA, Hiroyoshi HARUKI, Fukutomo NAKANISHI, Jun KANAI
  • Publication number: 20220398120
    Abstract: An information processing apparatus includes one or more managers that manage one or more virtual environments, and a management controller that controls the one or more managers. When the execution of the software is detected in any of the one or more virtual environments, the management controller instructs the manager that manages the detected virtual environment to determine whether to execute the software in the detected virtual environment. The manager reads a file stored in the detected virtual environment, and determines whether to execute the software in the detected virtual environment based on information indicated in the file.
    Type: Application
    Filed: March 4, 2022
    Publication date: December 15, 2022
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Jun KANAI, Tatsuya UEHARA, Fumihiko SANO, Hiroyoshi HARUKI
  • Publication number: 20220398317
    Abstract: An information processing apparatus has a deployment unit configured to deploy an image file and to create files used for a virtual environment, a virtual environment creator configured to create the virtual environment using the files, a recorder configured to record information about a first file included in the files, a manager configured to access the first file stored in the virtual environment and to determine, based on information acquired by accessing the first file, whether to execute software whose execution was detected in the virtual environment, and a normality determinator configured to determine, based on a difference between information acquired by accessing the first file and information about the recorded first file, whether the first file is normal.
    Type: Application
    Filed: March 4, 2022
    Publication date: December 15, 2022
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Hiroyoshi HARUKI, Jun KANAI, Tatsuya UEHARA, Fumihiko SANO, Noritaka DEGUCHI
  • Publication number: 20220188401
    Abstract: One embodiment of the present invention provides an apparatus, or the like, which detects an anomaly of a controller of a control system by learning relationship between input and output of the controller. An anomaly detection apparatus which is one embodiment of the present invention includes a first acquirer, a second acquirer, a history recorder, an estimator, and a first anomaly determiner. The first acquirer acquires an input signal to a control apparatus which executes control on a controlled apparatus. The second acquirer acquires an output signal from the control apparatus. The history recorder records information regarding the acquired input signal and the acquired output signal as history. The estimator estimates the output signal using the history and an estimation model. The first anomaly determiner determines an anomaly of the control apparatus by comparing the estimated output signal with the acquired output signal.
    Type: Application
    Filed: September 2, 2021
    Publication date: June 16, 2022
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Jun KANAI, Hiroyoshi HARUKI
  • Publication number: 20220156382
    Abstract: According to an embodiment, an information processing device includes one or more processors. The one or more processors are configured to: acquire one or more pieces of setting information of a module used for an attack aimed at a target of a penetration test; analyze the acquired setting information to determine a type of the attack; and generate attack step information that defines a condition and a procedure of the attack according to the determined type.
    Type: Application
    Filed: August 30, 2021
    Publication date: May 19, 2022
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Naoki OGURA, Satoshi AOKI, Yoshikazu HANATANI, Hiroyoshi HARUKI
  • Publication number: 20220141241
    Abstract: An information processing apparatus according to an embodiment includes a list storage unit and processor. The list storage unit stores therein allow lists for module processing types, and each allow list describes an execution-permitted system operation. The processor functions as an operation detecting unit, a process specifying unit, a log specifying unit, a type specifying unit, and an output unit. The operation detecting unit detects execution of any of system operations. The process specifying unit specifies a target process that has executed execution-detected system operation. The log specifying unit specifies a target operation log. The type specifying unit specifies a type of target module processing that executed execution-detected system operation by analyzing the target operation log. The output unit outputs anomaly information when the allow list for the target module processing type does not include the execution-detected system operation.
    Type: Application
    Filed: August 30, 2021
    Publication date: May 5, 2022
    Applicant: KABUSHIKI KAISHA TOSHIBA
    Inventors: Naoki OGURA, Jun KANAI, Hiroyoshi HARUKI
  • Patent number: 11281766
    Abstract: According to an embodiment, an information processing apparatus includes one or more processors. The one or more processors are configured to: estimate a related program related to a computer program identified with a specific program identifier; register, in a prior calculation result list, a calculation result for the related program and a related identifier for identifying the related program so that the calculation result and the related identifier are associated with each other; acquire the program identifier for identifying the program serving as an execution target; and verify whether the program serving as the execution target is permitted to be executed, based on the acquired program identifier, the calculation result corresponding to the related identifier indicating the acquired program identifier in the prior calculation result list, and a white list.
    Type: Grant
    Filed: February 16, 2018
    Date of Patent: March 22, 2022
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Naoki Ogura, Masanobu Koike, Shinya Takumi, Yoshikazu Hanatani, Hiroyoshi Haruki
  • Patent number: 10963543
    Abstract: According to an embodiment, an information processing apparatus includes one or more processors. The processor is configured to run a process and a process manager to manage the process. The process includes a first key generator, a first authentication code generator, and a first output unit. The first key generator is configured to generate a first message authentication key by using process unique data assigned by the process manager. The first authentication code generator is configured to generate a first message authentication code by using the first message authentication key and a first message. The first output unit is configured to transmit the first message and the first message authentication code to the process manager.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: March 30, 2021
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shinya Takumi, Yoshikazu Hanatani, Hiroyoshi Haruki, Masanobu Koike, Naoki Ogura
  • Patent number: 10915623
    Abstract: According to an embodiment, an information processing apparatus includes processing circuitry. The processing circuitry is configured to detect writing on a first file and register, in a restriction target storage, file information on the first file and perform, when processing on a second file is requested and file information on the second file coincides with the file information stored in the restriction target storage, first restriction to restrict the processing on the second file.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: February 9, 2021
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Hiroyoshi Haruki, Masanobu Koike, Shinya Takumi, Naoki Ogura, Yoshikazu Hanatani
  • Patent number: 10891389
    Abstract: According to an embodiment, an information processing apparatus includes processing circuitry configured to function as a start process control unit, a file read detection unit, a determination unit, and a file reading unit. The start process control unit is configured to register at least a specific process of started processes in an identifiable manner into a first list. The file read detection unit is configured to detect a request to read a file by the specific process registered in the first list. The determination unit is configured to determine whether to allow reading of the requested file based on a first condition. The file reading unit is configured to control reading of the file in accordance with a determination result of the determination unit.
    Type: Grant
    Filed: August 29, 2018
    Date of Patent: January 12, 2021
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shinya Takumi, Yoshikazu Hanatani, Hiroyoshi Haruki, Masanobu Koike, Naoki Ogura
  • Patent number: 10846394
    Abstract: According to an embodiment, an information processing apparatus includes one or more processors. One or more processors acquire first distinctive information of a first piece of software to be executed. When a whitelist that specifies distinctive information of pieces of software that are permitted to be executed records the distinctive information indicating the first distinctive information, one or more processors distinctively identify, as second distinctive information, the distinctive information of a second piece of software that represents another piece of software relating to the first piece of software in the whitelist.
    Type: Grant
    Filed: February 20, 2018
    Date of Patent: November 24, 2020
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Naoki Ogura, Yoshikazu Hanatani, Shinya Takumi, Masanobu Koike, Hiroyoshi Haruki
  • Patent number: 10581598
    Abstract: According to one embodiment, a management device includes a management tree storage and one or more processors. The management tree storage stores therein a binary tree including a plurality of nodes that are assigned with respective node keys. The processors update at least one of the node keys. The processors select at least one of a first subtree and a second subtree, the first subtree and the second subtree being subtrees including leaf nodes of the binary tree, the leaf nodes corresponding to respective communication devices included in a group, the first subtree including only leaf nodes with the respective node keys assigned thereto not having been updated, the second subtree including only leaf nodes with the respective node keys assigned thereto having been updated. The processors transmit a group key encrypted using a node key assigned to a root node of the selected subtree.
    Type: Grant
    Filed: August 29, 2017
    Date of Patent: March 3, 2020
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Yoshikazu Hanatani, Naoki Ogura, Masanobu Koike, Hiroyoshi Haruki
  • Patent number: 10521320
    Abstract: According to an embodiment, an information processing device includes a processor. The processor is configured to: execute a rewriting process to rewrite some of a plurality of factors, included in data for normal operation of a target device, into a value different from a normal value; execute a correction process that is performed in a course of generating test data to be used for a test of the target device; and determine a method of generating the test data based on a rewriting part that indicates a factor serving as a target of the rewriting process and based on a correction part that indicates a factor serving as a target of the correction process.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: December 31, 2019
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Hiroyoshi Haruki, Fukutomo Nakanishi, Fangming Zhao, Satoshi Aoki, Tatsuyuki Matsushita, Toshinari Takahashi
  • Publication number: 20190286833
    Abstract: According to an embodiment, an information processing apparatus includes processing circuitry configured to function as a start process control unit, a file read detection unit, a determination unit, and a file reading unit. The start process control unit is configured to register at least a specific process of started processes in an identifiable manner into a first list. The file read detection unit is configured to detect a request to read a file by the specific process registered in the first list. The determination unit is configured to determine whether to allow reading of the requested file based on a first condition. The file reading unit is configured to control reading of the file in accordance with a determination result of the determination unit.
    Type: Application
    Filed: August 29, 2018
    Publication date: September 19, 2019
    Applicant: Kabushiki Kaisha Toshiba
    Inventors: Shinya Takumi, Yoshikazu Hanatani, Hiroyoshi Haruki, Masanobu Koike, Naoki Ogura