Abstract: In an SNS server (103) corresponding to a false submission filter device, an event specifying unit (604) analyzes contents of a submission informing of an occurrence of an event and specifies a location (721) of occurrence of the event. A query destination specifying unit (605) searches a query destination database (613) and specifies a query destination corresponding to the location (721) specified by the event specifying unit (604). A query unit (606) transmits a request for checking the presence or absence of occurrence of the event from the observation result of one or more machines to the query destination specified by the query destination specifying unit (605). The query unit (606) receives a response to the request. A result reflecting unit (607) determines whether the contents of the submission are true or false from a check result indicated by the response received by the query unit (606).

Abstract: An evaluation tree generation unit (101) generates as an evaluation tree, an attack tree about an information system, which is based on inference using predicate logic. A gold tree generation unit (102) generates a gold tree which covers an intrusion route to the information system and reflects an intrusion procedure for the information system, by using network configuration information indicating a network configuration of the information system and intrusion procedure information indicating an intrusion procedure assumed in intrusion into the information system. A tree comparison unit (103) compares the evaluation tree with the gold tree.

Abstract: A disclosed feature generation unit (110) collects information related to an assessment target whose security risk is to be assessed, as disclosure target information from disclosed information that has been disclosed, and generates disclosed feature information (F1) expressing a feature of the disclosure target information. An email feature generation unit (120) generates email feature information F2 expressing a feature of an assessment target email contained in an email box of the assessment target. An assessment unit (130) calculates a similarity degree between the disclosed feature information (F1) and the email feature information (F2). The assessment unit (130) outputs an assessment result 31 being a result of assessment on the security risk of the assessment target, based on the similarity degree.

Abstract: An acquisition unit (10) acquires normal sample data and non-normal sample data. A model generation unit (120) generates a normal model representing the normal sample data. A change unit (141) generates a non-normal feature vector of the non-normal sample data, and generates a non-normal changed vector obtained by changing an element of the non-normal feature vector. When the non-normal changed vector and the normal model are similar to each other, a verification unit (142) executes a process using sample data represented by the non-normal changed vector. The verification unit (142) verifies whether an anomalous event is detected by a detection device. Upon verification that an anomalous event is not detected, the verification unit (142) determines whether an anomalous event is present, independently of the detection device.

Abstract: A state replication apparatus (200) generates communication, between a main apparatus (421) and each sub-apparatus (422, 423), to cause a state combination to transit in accordance with transition order specified in an acquisition scenario. The state replication apparatus records each of the communication generated between the main apparatus and the each sub-apparatus. The state replication apparatus acquires a snapshot combination at each of acquisition timings specified in the acquisition scenario. The state replication apparatus replicates each of the main apparatus and the each sub-apparatus in states of a replication state combination based on the acquired each snapshot combination and the recorded each communication.

Abstract: In an email inspection device (10), a learning unit (20) learns a relationship between a feature of each email included in a plurality of emails and a feature of a resource accompanying each email. The resource accompanying each email includes at least either one of a file attached to each email and a resource specified by a URL in a message body of each email. A determination unit (30) extracts a feature of an inspection-target email and a feature of a resource accompanying the inspection-target email, and determines whether or not the inspection-target email is a suspicious email depending on whether or not the relationship learned by the learning unit (20) exists between the extracted features.

Abstract: An operation unit (120) calculates a feature quantity of an object mail which is an email to be tested. Then, the operation unit acquires, based on the feature quantity of the object mail, a status identifier of the object mail from a status definition file. Then, the operation unit selects a mail thread which the object mail belongs to, from one mail thread or more as an object thread, and adds the status identifier of the object mail to a status group of the object thread. Then, the operation unit decides whether the status group, to which the status identifier of the object mail has been added, of the object thread complies with a detection rule. When the status group of the object thread complies with the detection rule, the operation unit produces an alert.

Abstract: A fraudulent email decision device (10) is provided with a consistency analysis unit (24). The consistency analysis unit (24) identifies an intention of a subject email by, for example, a method of, with respect to a newly received incoming email as a subject email, extracting a function term, being a word expressing a reason the subject email was sent, from a body of the subject email. The consistency analysis unit (24) decides whether or not the subject email is a fraudulent email, from a relationship between another incoming email received in the past from the same sender as the sender of the subject email, and the identified intention of the subject email.

Abstract: A correlation value calculation unit calculates a correlation value between input data input to an inspection-targeted apparatus whose internal specifications are unknown and output data for the input data from the inspection-targeted apparatus. A state transition determination unit analyzes in a time-series manner, a plurality of correlation values calculated by the correlation value calculation unit for a plurality of pieces of input data and a plurality of pieces of output data for the plurality of pieces of input data, and determines whether or not a state transition has occurred in the inspection-targeted apparatus.

Abstract: A people network detection unit (110) detects, based on public information of a target person, a people network that indicates a connection between the target person and a group of related persons. A disclosure risk calculation unit (120) calculates a disclosure risk of the target person based on the public information of the target person, and calculates a group of disclosure risks corresponding to the group of related persons based on a group of public information corresponding to the group of related persons. A connection risk determination unit (130) determines a representative value of the group of disclosure risks as a connection risk of the target person based on the group of disclosure risks corresponding to the group of related persons. A security risk calculation unit (140) calculates a security risk of the target person with respect to a cyberattack, using the disclosure risk of the target person and the connection risk of the target person.

Abstract: In an evaluation apparatus (10), a profile database (31) is a database to store profile information indicating an individual characteristic of each of a plurality of persons. A security database (32) is a database to store security information indicating a behavior characteristic of each of the plurality of persons, which may become a security incident factor. A model generation unit (22) derives a relationship between the characteristic indicated by the profile information stored in the profile database (31) and the characteristic indicated by the security information stored in the security database (32), as a model. Upon receipt of an input of information indicating a characteristic of a different person, an estimation unit (23) estimates a behavior characteristic of the different person, which may become the security incident factor, by using the model derived by the model generation unit (22).

Abstract: In an exchange-type attack simulation device (10), an e-mail reception unit (22) receives a reply e-mail to an e-mail transmitted by an e-mail transmission unit (26). A state transition unit (24) refers to correspondence information (31) indicating feature of e-mails corresponding to each of state transitions in a state transition model and thereby identifies a state transition corresponding to the reply e-mail received by the e-mail reception unit (22). An e-mail generation unit (25) generates an e-mail corresponding to the state transition identified by the state transition unit (24). The e-mail generation unit (25) makes the e-mail transmission unit (26) transmit the generated e-mail.

Abstract: A packet format inference apparatus includes a classification unit and an inference unit. The classification unit classifies, among a plurality of packets which are included in a packet data set as packet data and of which formats are unknown, relevant packets transmitted in a fixed cycle, as a packet group having a same arrival cycle. The inference unit infers a packet format for each packet group having the same arrival cycle.

Abstract: In an evaluation device (100), an attack generation unit (111) generates an attack sample. The attack sample is data for simulating an unauthorized act on a system. A comparison unit (112) compares the attack sample generated by the attack generation unit (111) and a normal state model. The normal state model is data acquired by modeling an authorized act on the system. Based on the comparison result, the comparison unit (112) generates information for generating an attack sample similar to the normal state model, and feeds back the generated information to the attack generation unit (111). A verification unit (113) checks whether the attack sample generated by the attack generation unit (111) satisfies a requirement for simulating an unauthorized act, and verifies, by using the attack sample satisfying the requirement, a detection technique implemented in a security product.

Abstract: The present invention relates to a process analysis apparatus for analyzing a process executed in an information processing unit and extracting encryption logic such as an encryption function or a decryption function used in the process.

Abstract: A test memory extracting unit 110 extracts a test memory image 191 from a memory area of a target system. A template memory extracting unit 120 extracts a template memory image 192 from a template system not infected with malware. An injected code detecting unit 130 compares the test memory image 191 with the template memory image 192, and generates an injected code list 193. An injected code testing unit 140 generates a malicious code list 195 based on the injected code list 193 and a test rule list 194. A test result output unit 150 generates a test result file 196 based on the malicious code list 195.

Abstract: The present invention relates to a cryptographic block identification apparatus which, in order to analyze encryption logic used by malware to conceal communication, identifies a cryptographic block where encryption logic is stored within a program of the malware. The cryptographic block identification apparatus includes a block candidate extraction part and a cryptographic block identification part. The block candidate extraction part analyzes an execution trace in which an execution step of malware is recorded, calculates an evaluation value representing cipher likeliness of the execution step based on whether or not an operation type that characterizes cipher likeliness of the execution step is included in the execution step, and extracts an execution step where the evaluation value exceeds a threshold L, as a block candidate which is a candidate of a cryptographic block.

Abstract: The present invention relates to a cryptographic block identification apparatus which, in order to analyze encryption logic used by malware to conceal communication, identifies a cryptographic block where encryption logic is stored within a program of the malware. The cryptographic block identification apparatus includes a block candidate extraction part and a cryptographic block identification part. The block candidate extraction part analyzes an execution trace in which an execution step of malware is recorded, calculates an evaluation value representing cipher likeliness of the execution step based on whether or not an operation type that characterizes cipher likeliness of the execution step is included in the execution step, and extracts an execution step where the evaluation value exceeds a threshold L, as a block candidate which is a candidate of a cryptographic block.

Abstract: The present invention relates to a process analysis apparatus for analyzing a process executed in an information processing unit and extracting encryption logic such as an encryption function or a decryption function used in the process.

Abstract: A necessary information extraction unit extracts, from variables used in a target program, an output variable to which output information to be output by an output function defined in an output function list is set. The necessary information extraction unit extracts, from the variables used in the target program, an encryption variable to which encrypted information encrypted by an encrypting function defined in an encryption function list is set. A protected state analysis unit refers to an assignment statement included in the target program, and extracts an encrypted state variable to which the encrypted information is assigned. A vulnerability determination unit determines whether or not the encrypted state variable and the output variable are the same variable, and outputs a program verification result based on a result of determination.