Patents by Inventor Teruyoshi Yamaguchi

Teruyoshi Yamaguchi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11914682
    Abstract: When a hash expected value, which is an expected value of a hash value of activation software, is stored in a storing unit (111), a security calculation unit (110) compares the hash value of the activation software with the hash expected value. A main calculation unit (109) activates the activation software when the hash value and the hash expected value match, and stops a process when they do not match. The main calculation unit (109) performs signature verification for the activation software when the hash expected value is not stored in the storing unit (111), and, when the signature verification is successful, stores the hash value of the activation software in the storing unit (111) as the hash expected value and activates the activation software. The main calculation unit (109) stops a process when the signature verification is not successful.
    Type: Grant
    Filed: March 3, 2021
    Date of Patent: February 27, 2024
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Teruyoshi Yamaguchi, Nobuhiro Kobayashi
  • Publication number: 20230353589
    Abstract: An intrusion detection device (101) includes a fragment calculation unit (103) and a determination unit (105). The fragment calculation unit (103) receives a fragmented packet that conforms to the Internet protocol suite as a received packet. The determination unit (105) determines whether each of entries included in a whitelist is a partial match entry that is decided depending on the received packet. A transmission source IP address and a target partial payload that are indicated in the partial match entry respectively match a transmission source IP address and a payload that are indicated in the received packet. The target partial payload is data located in an area that is in a payload of the partial match entry and starts at a location corresponding to a fragment offset indicated in the received packet.
    Type: Application
    Filed: June 23, 2023
    Publication date: November 2, 2023
    Applicant: Mitsubishi Electric Corporation
    Inventors: Teruyoshi YAMAGUCHI, Daisuke SUZUKI
  • Patent number: 11665165
    Abstract: An object of this invention is to obtain a whitelist generator with which the accuracy of data relating to the specifications of normal communication serving as an automatic generation source can be guaranteed, whereby the accuracy of a generated whitelist can be guaranteed over an entire whitelist generation flow. The whitelist generator is applied to a system formed from a plurality of devices, the plurality of devices being configured to exchange data with each other, in order to generate a whitelist used for whitelisting intrusion detection, and includes a model verification unit that verifies, on the basis of an input model, at least one of whether or not normal communication in the system has been modeled correctly and whether or not the model is logically consistent, and a model conversion unit that converts the verified model into a whitelist.
    Type: Grant
    Filed: January 23, 2017
    Date of Patent: May 30, 2023
    Assignee: Mitsubishi Electric Corporation
    Inventors: Koichi Shimizu, Teruyoshi Yamaguchi, Tsunato Nakai, Takeshi Ueda, Nobuhiro Kobayashi, Benoit Boyer
  • Publication number: 20230007019
    Abstract: A relay device includes a first input/output unit (111), a second input/output unit (112), a security monitoring unit (121) that determines whether or not a packet input to the first input/output unit (111) or the second input/output unit (112) is normal, and a relay unit (113) that outputs a packet determined to be normal by the security monitoring unit (121) from the first input/output unit (111) or the second input/output unit (112); the security monitoring unit (121) uses a whitelist to perform whitelist-based attack detection to determine whether or not a packet is normal, and uses a learning model learned through machine learning to perform machine-learning-based attack detection on a packet that is not determined to be normal through the whitelist-based attack detection, to determine whether or not the packet is normal.
    Type: Application
    Filed: January 15, 2020
    Publication date: January 5, 2023
    Applicant: Mitsubishi Electric Corporation
    Inventors: Tatsunori MINAMI, Teruyoshi YAMAGUCHI
  • Patent number: 11522685
    Abstract: A key management apparatus receives a key request including a first device identification information and a second device identification information, encrypts a common key using the first device identification information to generate a first encrypted common key, encrypts the common key using the second device identification information to generate a second encrypted common key, and transmits a key response including the first encrypted common key and the second encrypted common key. A first device receives the key response, decrypts the first encrypted common key using the first device identification information to obtain the common key, and transmits the second encrypted common key. A second device receives the second encrypted common key and decrypts the second encrypted common key using the second device identification information to obtain the common key.
    Type: Grant
    Filed: April 14, 2017
    Date of Patent: December 6, 2022
    Assignee: Mitsubishi Electric Corporation
    Inventors: Masamichi Tanji, Makoto Itoi, Nobuhiro Kobayashi, Teruyoshi Yamaguchi
  • Patent number: 11089033
    Abstract: A state detection section (105) detects states of a plurality of controllers (300, 400) included in a communication system (600). An attack determination section (103) selects, from among a plurality of whitelists (110) each of which is associated with a combination of states, a whitelist (110) associated with the combination of the states of the plurality of controllers (300, 400) detected by the state detection section (105). The attack determination section (103) detects an attack on the communication system (600) by using the selected whitelist (110).
    Type: Grant
    Filed: April 26, 2016
    Date of Patent: August 10, 2021
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Tsunato Nakai, Teruyoshi Yamaguchi, Koichi Shimizu, Nobuhiro Kobayashi
  • Patent number: 11070577
    Abstract: An allowed communication list conversion unit (123) assigns one or more flags to request communication and response communication, between which a correspondence relationship is described in a detection rule, and describes, in an allowed communication list, details of a flag operation specifying a value to be set to the flag and a flag condition for determining whether the value to be set is set in the flag, in association with each other. A determination unit (103) sets the value after determining that communication data on the request communication is normal, determines whether the value is set in the flag based on the flag condition when determining whether communication data on the response communication to the request communication is normal, and determines that the communication data on the response communication is normal when the value is set, to thereby reset the flag.
    Type: Grant
    Filed: January 20, 2017
    Date of Patent: July 20, 2021
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Teruyoshi Yamaguchi, Tsunato Nakai, Koichi Shimizu, Nobuhiro Kobayashi
  • Patent number: 11057401
    Abstract: A state detection section (105) detects states of a plurality of controllers (300, 400) included in a communication system (600). An attack determination section (103) selects, from among a plurality of whitelists (110) each of which is associated with a combination of states, a whitelist (110) associated with the combination of the states of the plurality of controllers (300, 400) detected by the state detection section (105). The attack determination section (103) detects an attack on the communication system (600) by using the selected whitelist (110).
    Type: Grant
    Filed: April 26, 2016
    Date of Patent: July 6, 2021
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Tsunato Nakai, Teruyoshi Yamaguchi, Koichi Shimizu, Nobuhiro Kobayashi
  • Publication number: 20210192014
    Abstract: When a hash expected value, which is an expected value of a hash value of activation software, is stored in a storing unit (111), a security calculation unit (110) compares the hash value of the activation software with the hash expected value. A main calculation unit (109) activates the activation software when the hash value and the hash expected value match, and stops a process when they do not match. The main calculation unit (109) performs signature verification for the activation software when the hash expected value is not stored in the storing unit (111), and, when the signature verification is successful, stores the hash value of the activation software in the storing unit (111) as the hash expected value and activates the activation software. The main calculation unit (109) stops a process when the signature verification is not successful.
    Type: Application
    Filed: March 3, 2021
    Publication date: June 24, 2021
    Applicant: Mitsubishi Electric Corporation
    Inventors: Teruyoshi YAMAGUCHI, Nobuhiro KOBAYASHI
  • Publication number: 20210111874
    Abstract: A key management apparatus receives a key request including a first device identification information and a second device identification information, encrypts a common key using the first device identification information to generate a first encrypted common key, encrypts the common key using the second device identification information to generate a second encrypted common key, and transmits a key response including the first encrypted common key and the second encrypted common key. A first device receives the key response, decrypts the first encrypted common key using the first device identification information to obtain the common key, and transmits the second encrypted common key. A second device receives the second encrypted common key and decrypts the second encrypted common key using the second device identification information to obtain the common key.
    Type: Application
    Filed: April 14, 2017
    Publication date: April 15, 2021
    Applicant: Mitsubishi Electric Corporation
    Inventors: Masamichi TANJI, Makoto ITOI, Nobuhiro KOBAYASHI, Teruyoshi YAMAGUCHI
  • Publication number: 20210112062
    Abstract: An object of this invention is to obtain a whitelist generator with which the accuracy of data relating to the specifications of normal communication serving as an automatic generation source can be guaranteed, whereby the accuracy of a generated whitelist can be guaranteed over an entire whitelist generation flow. The whitelist generator is applied to a system formed from a plurality of devices, the plurality of devices being configured to exchange data with each other, in order to generate a whitelist used for whitelisting intrusion detection, and includes a model verification unit that verifies, on the basis of an input model, at least one of whether or not normal communication in the system has been modeled correctly and whether or not the model is logically consistent, and a model conversion unit that converts the verified model into a whitelist.
    Type: Application
    Filed: January 23, 2017
    Publication date: April 15, 2021
    Applicant: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Koichi SHIMIZU, Teruyoshi YAMAGUCHI, Tsunato NAKAI, Takeshi UEDA, Nobuhiro KOBAYASHI, Benoit BOYER
  • Publication number: 20210006570
    Abstract: A state detection section (105) detects states of a plurality of controllers (300, 400) included in a communication system (600). An attack determination section (103) selects, from among a plurality of whitelists (110) each of which is associated with a combination of states, a whitelist (110) associated with the combination of the states of the plurality of controllers (300, 400) detected by the state detection section (105). The attack determination section (103) detects an attack on the communication system (600) by using the selected whitelist (110).
    Type: Application
    Filed: April 26, 2016
    Publication date: January 7, 2021
    Applicant: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Tsunato NAKAI, Teruyoshi YAMAGUCHI, Koichi SHIMIZU, Nobuhiro KOBAYASHI
  • Patent number: 10826915
    Abstract: In the present invention, unauthorized access from outside a facility to a device disposed inside the facility is detected by effectively using the output from a mirror port of a network switch. A gateway device has: a monitored data acquisition unit for saving in a monitored data storage unit, as monitored data, packet data that is outputted from a mirror port of a switch, the packet data being outputted from a device being monitored; an unauthorized access detection unit for detecting unauthorized access by determining whether the monitored data is abnormal on the basis of a comparison between the monitored data and assessment rules; and an unauthorized access notification unit for notifying a server of a monitoring center, which is connected to an external network via an external communication unit, that unauthorized access has been detected.
    Type: Grant
    Filed: June 2, 2015
    Date of Patent: November 3, 2020
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Jin Kawasaki, Hiroyasu Tabata, Teruyoshi Yamaguchi, Nobuhiro Kobayashi
  • Publication number: 20200314130
    Abstract: In an attack detection device, a white list storage unit correlates and stores, for each system state, a white list defining system information permitted in the system state. A state estimation unit estimates a current system state of a control system on the basis of communication data communicated between a server device and equipment. An attack determination unit acquires the white list corresponding to the current system state from the white list storage unit, and determines whether or not an attack has been detected, on the basis of the acquired white list and the system information in the current system state.
    Type: Application
    Filed: January 19, 2017
    Publication date: October 1, 2020
    Applicant: Mitsubishi Electric Corporation
    Inventors: Tsunato NAKAI, Teruyoshi YAMAGUCHI, Koichi SHIMIZU, Nobuhiro KOBAYASHI
  • Publication number: 20200092313
    Abstract: An allowed communication list conversion unit (123) assigns one or more flags to request communication and response communication, between which a correspondence relationship is described in a detection rule, and describes, in an allowed communication list, details of a flag operation specifying a value to be set to the flag and a flag condition for determining whether the value to be set is set in the flag, in association with each other. A determination unit (103) sets the value after determining that communication data on the request communication is normal, determines whether the value is set in the flag based on the flag condition when determining whether communication data on the response communication to the request communication is normal, and determines that the communication data on the response communication is normal when the value is set, to thereby reset the flag.
    Type: Application
    Filed: January 20, 2017
    Publication date: March 19, 2020
    Applicant: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Teruyoshi YAMAGUCHI, Tsunato NAKAI, Koichi SHIMIZU, Nobuhiro KOBAYASHI
  • Publication number: 20190141059
    Abstract: A state management unit (210) identifies a state of an operational system, and determines presence or absence of a state transition of the operational system based on the identified state. In a case where there has been a state transition of the operational system, the state management unit determines, with use of a state transition scenario indicating a transition pattern of state transition, whether the state transition of the operational system matches the transition pattern indicated in the state transition scenario. If the state transition of the operational system does not match the transition pattern, an alert output unit (293) outputs an alert. If the state transition of the operational system matches the transition pattern, a whitelist management unit (220) switches whitelists, and an intrusion detection unit (230) performs whitelist-type intrusion detection.
    Type: Application
    Filed: June 23, 2016
    Publication date: May 9, 2019
    Applicant: Mitsubishi Electric Corporation
    Inventors: Koichi SHIMIZU, Teruyoshi YAMAGUCHI, Tsunato NAKAI, Nobuhiro KOBAYASHI
  • Patent number: 10171252
    Abstract: A data determination apparatus of the present invention includes a state transition model storage unit to store a state transition model representing a state transition, a state management unit to hold an operating state of an own apparatus based on the state transition model, a communication permission list storage unit to store, as a communication permission list, communication permitted data whose communications are permitted in respective operating states, a communication unit to obtain communication determination data, and a determination unit to determine whether or not the communication determination data is communication permitted data whose communication has been permitted in a current operating state, using the current operating state and the communication permission list.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: January 1, 2019
    Assignee: Mitsubishi Electric Corporation
    Inventors: Teruyoshi Yamaguchi, Koichi Shimizu, Nobuhiro Kobayashi, Tsunato Nakai
  • Publication number: 20180183816
    Abstract: In the present invention, unauthorized access from outside a facility to a device disposed inside the facility is detected by effectively using the output from a mirror port of a network switch. A gateway device has: a monitored data acquisition unit for saving in a monitored data storage unit, as monitored data, packet data that is outputted from a mirror port of a switch, the packet data being outputted from a device being monitored; an unauthorized access detection unit for detecting unauthorized access by determining whether the monitored data is abnormal on the basis of a comparison between the monitored data and assessment rules; and an unauthorized access notification unit for notifying a server of a monitoring center, which is connected to an external network via an external communication unit, that unauthorized access has been detected.
    Type: Application
    Filed: June 2, 2015
    Publication date: June 28, 2018
    Applicant: Mitsubishi Electric Corporation
    Inventors: Jin KAWASAKI, Hiroyasu TABATA, Teruyoshi YAMAGUCHI, Nobuhiro KOBAYASHI
  • Patent number: 9979697
    Abstract: The present invention relates to: a packet filtering apparatus that represents a rule set for packet filtering being a technique for preventing a cyber-attack, using a tree structure suitable for calculation of a logical expression, thereby improving processing efficiency; and a packet filtering method thereof. The packet filtering apparatus includes: a rule set containing a rule in which a condition and an action are associated with each other, and a Zero-Suppressed Binary Decision Diagram (ZDD) that represents a logical expression in which the condition of the rule is described using a logical variable; a packet analyzing unit to analyze a packet received from a network and extract collation information being a character string to be collated; and a filtering unit to collate the collation information extracted by the packet analyzing unit with the ZDD, execute the action associated with the condition that the collation information matches, and permit or deny communication of the packet.
    Type: Grant
    Filed: May 15, 2015
    Date of Patent: May 22, 2018
    Assignee: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Koichi Shimizu, Teruyoshi Yamaguchi
  • Publication number: 20180069835
    Abstract: The present invention relates to: a packet filtering apparatus that represents a rule set for packet filtering being a technique for preventing a cyber-attack, using a tree structure suitable for calculation of a logical expression, thereby improving processing efficiency; and a packet filtering method thereof. The packet filtering apparatus includes: a rule set containing a rule in which a condition and an action are associated with each other, and a Zero-Suppressed Binary Decision Diagram (ZDD) that represents a logical expression in which the condition of the rule is described using a logical variable; a packet analyzing unit to analyze a packet received from a network and extract collation information being a character string to be collated; and a filtering unit to collate the collation information extracted by the packet analyzing unit with the ZDD, execute the action associated with the condition that the collation information matches, and permit or deny communication of the packet.
    Type: Application
    Filed: May 15, 2015
    Publication date: March 8, 2018
    Applicant: MITSUBISHI ELECTRIC CORPORATION
    Inventors: Koichi SHIMIZU, Teruyoshi YAMAGUCHI