Abstract: A scenario generation device (100) generates an attack scenario (32). An attack means storage unit (130) has stored therein attack means data (131) including a precondition and an attack effect of attack means. An edit screen display unit (110) arranges attack means to be included in the attack scenario (32) on a scenario edit screen (200). By using the attack means data (131), an attack scenario generation unit (20) extracts, from the attack means storage unit (130), another attack means whose attack effect is a precondition of attack means arranged on the scenario edit screen (200). The attack scenario generation unit (20) generates the attack scenario (32) by complementing the attack means arranged on the scenario edit screen (200) with the other attack means.

Abstract: A security monitoring apparatus (100) includes a content category deducing unit (122), a category comparing unit (123), and an information assignment unit (130). The content category deducing unit (122) deduces a first deduced category that is a result of deducing a category of content that a target device that a monitoring target system (200) includes has, using a content category deducing model that is a learning model that deduces using content data that indicates content, a category of content indicated in the content data, and data that indicates content that the target device has. The category comparing unit (123) verifies whether or not the first deduced category and a category for comparison match. The information assignment unit (130) generates assignment information that is in accordance with whether or not the first deduced category and the category for comparison match.

Abstract: A system dividing unit (110) divides a target system into a plurality of sub-systems. A root system selection unit (122) selects a sub-system in which a threat on security occurs, as a root system from among the plurality of sub-systems. A root tree generation unit (131) generates an attack tree of the root system, as a root tree. A descendant system selection unit (132) selects one sub-system or more located on an intrusion course to the root system, as one descendent system or more from among the plurality of sub-systems. A descendant tree generation unit (133) generates one attack tree or more corresponding to the one descendent system or more, as one descendent tree or more. A sub-attack tree integration unit (140) integrates the root tree and the one descendent tree or more, to thereby generate an attack tree of the target system.

Abstract: An attack estimation device includes a storage unit configured to hold an attack tree, an abstract attack tree, and log check management information, and a prediction unit configured to predict, when a detection alert is received, a range of compromise from the attack by referring to the information in the storage unit. The prediction unit is configured to: determine that an attack of an unknown pattern has occurred as the attack when indicators of compromise that correspond to the attack are not successfully identified; identify an abstract attack name by referring to the abstract attack tree; and predict a range of compromise from the attack of an unknown pattern by identifying a device in which indicators of the attack of an unknown pattern are likely to be left, and by identifying a specific place in the log of the identified device, by referring to the log check management information.

Abstract: An attack status evaluation apparatus (100) that emulates a cyberattack that steals information includes a degree of goal achievement calculation unit (105) and an attack route change determination unit (106). The degree of goal achievement calculation unit (105) calculates a degree of goal achievement that indicates a degree to which a goal is achieved in the cyberattack based on information that the attack status evaluation apparatus stole. The attack route change determination unit (106) determines whether or not to change an attack route of the cyberattack according to the degree of goal achievement.

Abstract: An acquisition unit (10) acquires normal sample data and non-normal sample data. A model generation unit (120) generates a normal model representing the normal sample data. A change unit (141) generates a non-normal feature vector of the non-normal sample data, and generates a non-normal changed vector obtained by changing an element of the non-normal feature vector. When the non-normal changed vector and the normal model are similar to each other, a verification unit (142) executes a process using sample data represented by the non-normal changed vector. The verification unit (142) verifies whether an anomalous event is detected by a detection device. Upon verification that an anomalous event is not detected, the verification unit (142) determines whether an anomalous event is present, independently of the detection device.

Abstract: A log generation apparatus (100) includes an object search unit (111), a user search unit (112), and a specific operation log generation unit. The object search unit (111) uses a target operation log, which is a log of operations actually performed on objects owned by a target system, to search for a target object from among the objects owned by the target system. The user search unit (112) uses the target operation log to search for, as a target user, a user who can operate the target object from among users of the target system. The specific operation log generation unit receives specific operation information indicating a specific operation that a specific user performs in the target system, and uses the specific operation information and the target operation log to generate a specific operation log, which is a virtual log indicating a specific operation that the target user has performed on the target object.

Abstract: A normal classification unit (101) extracts a true positive access that is known to be an access aimed to attack and that has been determined by a detection unit (102) to be an access aimed to attack. A modification unit (107) modifies a feature of the true positive access by using a feature of a true negative access that is known to be a normal access and that has been determined by the detection unit (102) to be a normal access.

Abstract: An attack means evaluation apparatus (100) evaluates an attack means used in a cyberattack. A score value calculation unit (110) obtains a plurality of attack means, and for each attack means of the plurality of attack means, calculates a score value that shows validity of an attack on an attack target system. A means selection unit (120) selects an attack means that is valid as an attack on the attack target system from the plurality of attack means using the score value of each attack means of the plurality of attack means and a threshold (173). A means execution unit (130) executes the attack means that is selected on the attack target system, and verifies whether or not an attack for achieving a final aim of the cyberattack is possible based an execution result of the attack means that is selected.

Abstract: An attack/abnormality detection device includes: a command extraction unit configured to extract elements having the same command destination as a command destination of an additionally received actual manufacturing command from among each of a set of normal manufacturing commands and a set of actual manufacturing commands, which contain information on a command destination and an arrival order, and are stored in a command storage region; and a detection unit configured to detect an attack or an abnormality by comparing details of the commands with each other for each arrival order of both extracted elements.

Abstract: An attribute-value extraction unit (101) extracts as a plurality of model-generation attribute values, a plurality of attribute values belonging to an attribute associated with a monitoring subject for anomaly detection. A division-data generation unit (102) extracts for each model-generation attribute value, a normal event associated with the model-generation attribute value from normal data indicating a plurality of normal events each of which is found out to be normal, each of which is associated with one attribute value of the plurality of attribute values, and each of which includes a plurality of characteristics, and generates for each model-generation attribute value, division data indicating the extracted normal event. A characteristic selection unit (103) selects a combination of characteristics to be used for generation of a normal model to be used for anomaly detection, from a plurality of characteristics included in a plurality of normal events indicated in a plurality of pieces of division data.

Abstract: An attribute-value acquisition unit (203) acquires an attribute value of an attribute associated with a monitoring subject for anomaly detection. A normal-model acquisition unit (204) acquires from among a plurality of normal models generated corresponding to a plurality of attribute values, a normal model generated corresponding to the attribute value acquired by the attribute-value acquisition unit (203). An anomaly detection unit (205) performs the anomaly detection, using the normal model acquired by the normal-model acquisition unit (204).

Abstract: A fraudulent email decision device (10) is provided with a consistency analysis unit (24). The consistency analysis unit (24) identifies an intention of a subject email by, for example, a method of, with respect to a newly received incoming email as a subject email, extracting a function term, being a word expressing a reason the subject email was sent, from a body of the subject email. The consistency analysis unit (24) decides whether or not the subject email is a fraudulent email, from a relationship between another incoming email received in the past from the same sender as the sender of the subject email, and the identified intention of the subject email.

Abstract: An attribute selection section (101) selects as a recommended attribute, based on analysis status in a past anomaly analysis on each of a plurality of attributes of a new anomaly which is a newly detected anomaly, an attribute being recommended to be emphasized in an analysis on the new anomaly, from among the plurality of attributes. An attribute presentation section (103) presents the recommended attribute selected by the attribute selection section (101).

Abstract: An apparatus for identifying a path pattern of devices that produces a defective product in a production line where a product is produced via a plurality of device is provided. The device is configured to estimate a path pattern quality indicating a quality of a group of products produced through a production path included in a path pattern, based on a production path quality and an association relationship between a path pattern and a production path indicating devices via which the product is produced and an order of passing through the devices; and to identify a path pattern suspected to be defective based on the estimated path pattern quality.

Abstract: In an SNS server (103) corresponding to a false submission filter device, an event specifying unit (604) analyzes contents of a submission informing of an occurrence of an event and specifies a location (721) of occurrence of the event. A query destination specifying unit (605) searches a query destination database (613) and specifies a query destination corresponding to the location (721) specified by the event specifying unit (604). A query unit (606) transmits a request for checking the presence or absence of occurrence of the event from the observation result of one or more machines to the query destination specified by the query destination specifying unit (605). The query unit (606) receives a response to the request. A result reflecting unit (607) determines whether the contents of the submission are true or false from a check result indicated by the response received by the query unit (606).

Abstract: An attack estimation device includes a storage unit configured to hold an attack tree, an abstract attack tree, and log check management information, and a prediction unit configured to predict, when a detection alert is received, a range of compromise from the attack by referring to the information in the storage unit. The prediction unit is configured to: determine that an attack of an unknown pattern has occurred as the attack when indicators of compromise that correspond to the attack are not successfully identified; identify an abstract attack name by referring to the abstract attack tree; and predict a range of compromise from the attack of an unknown pattern by identifying a device in which indicators of the attack of an unknown pattern are likely to be left, and by identifying a specific place in the log of the identified device, by referring to the log check management information.

Abstract: An erroneous detection amount obtaining unit (110) obtains using an overall detection rule group corresponding to an overall phase group that configures a series of attack activities, an erroneous detection amount of each phase of when attack detection is performed. A final stages verification unit (121) verifies whether or not an erroneous detection amount of a final phases group satisfies a final stages limitation. An overall verification unit (123) verifies whether or not the erroneous detection amount of the overall phase group satisfies an overall limitation. In a case where the erroneous detection amount of the final phases group does not satisfy the final stages limitation, a final stages adjustment unit (122) adjusts a parameter value of each detection rule of a final stages detection rule group.

Abstract: A system dividing unit (110) divides a target system into a plurality of sub-systems. A root system selection unit (122) selects a sub-system in which a threat on security occurs, as a root system from among the plurality of sub-systems. A root tree generation unit (131) generates an attack tree of the root system, as a root tree. A descendant system selection unit (132) selects one sub-system or more located on an intrusion course to the root system, as one descendent system or more from among the plurality of sub-systems. A descendant tree generation unit (133) generates one attack tree or more corresponding to the one descendent system or more, as one descendent tree or more. A sub-attack tree integration unit (140) integrates the root tree and the one descendent tree or more, to thereby generate an attack tree of the target system.

Abstract: Provided is an attack detection device including: an abnormality detection unit configured to detect, by acquiring an abnormality detection result which includes a facility ID, occurrence of an abnormality in a facility associated with the facility ID; a storage unit configured to store, as adjustment history data, data that associates the facility ID and an adjustment time; and an attack determination unit configured to determine that there is an attack on the facility associated with the facility ID, by obtaining an adjustment frequency of the facility from the adjustment history data which is stored in the storage unit, based on a result of detection by the abnormality detection unit, when the adjustment frequency exceeds an allowable number of times set in advance for the facility.