Abstract: In a data circulation control method, an approval server including a processor and a memory controls access to data between a provision party computer providing the data and a use party computer using data. The method includes: a purpose accomplishment status notifying step in which the use party computer notifies the approval server of a use status of the previously approved data; a use application step in which the use party computer makes application to the approval server for a use policy including protection level information related to a security measure when the data is used and a use purpose of the data; and an access control step in which the approval server controls access of the use party computer to the data of the provision party computer based on the use status of the data, the protection level information, and the use purpose of the data.

Abstract: A response support technology for minimizing the impact on jobs as much as possible and enabling job continuity and prompt response can be realized. A response support device that supports a response executed according to a situation of an incident that has occurred in a monitoring target, includes an incident evaluation unit 103 that evaluates an impact of the incident on the monitoring target and an urgency level of the response against the incident; a response evaluation unit 104 that evaluates an impact level on jobs and an effectiveness level to the incident, for the response against the incident; a priority order determination unit 105 that determines a priority order of responses based on evaluation by the incident evaluation unit and evaluation by the response evaluation unit; and a display unit 106 that displays a screen including the priority order of responses determined by the priority order determination unit.

Abstract: Attack scenario information describes each state of an information processing system to be attacked and an attack scenario including a chain of actions that can be taken in the state, an action that transitions from a first state to a second state is obtained with reference to state information, action information, and attack tactics information, a reward of the action is obtained with reference to reward information, the action information, and the attack tactics information, an expected reward of the reward of the action that transitions from the first state to the second state is obtained with reference to success probability information, the highest expected reward is set as a state value of reinforcement learning of the first state among the expected rewards of the action, and the attack scenario is generated by the reinforcement learning.

Abstract: In a network monitoring device, a CPU detects an increase point of a darknet traffic and calculates, with regard to darknet traffic corresponding to the increase point, an evaluation value indicating priority of a countermeasure against a cyberattack based on whether one or more of the following conditions are met: the darknet traffic has been detected inside a user organization; a correlation score of a darknet traffic between an observation point and the user organization is equal to or more than a threshold; a transmission source IP address is included in a blacklist; the darknet traffic is included in threat intelligence as attack information; a corresponding log is included in a honeypot; the honeypot including the log is included in the user organization; a CVSS score of a target is equal to or more than a threshold; and there is a product having vulnerability inside the user organization.

Abstract: A computer system comprises an analysis module configured to execute dynamic analysis for a sample of a malicious program, and to output an analysis result including a coupling destination to and from which the malicious program communicates; a variation detection module configured to detect variation of the coupling destination based on results of cyclic observation of the coupling destination, and to output a result of the detection; and an information sharing module configured to store information output from the analysis module and information output from the variation detection module in a form that allows sharing among a plurality of external computers.

Abstract: Disclosed is an incident scenario generation device for generating an incident scenario that indicates how an attack progresses in relation to an information system. The incident scenario generation device includes an attack parts database for storing attack parts information and a system configuration database for storing system configuration information about the information system. The incident scenario generation device generates the incident scenario according to the attack parts information stored in the attack parts database and to the system configuration information stored in the system configuration database.

Abstract: A transaction mediation device stores transaction request information indicating estimates of profit and loss obtained by the first participant through the transaction; transaction provision information indicating estimates of profit and loss incurred based on a thing that the second participant obtains through the transaction; and behavior characteristic information indicating evaluation of behavior characteristics that affect the profit and loss of a transaction counterparty, and, for each of the one or more second participants, calculates, based on the transaction request information and the behavior characteristic information, a first expected profit that the first participant obtains through the transaction with the second participant and a second expected profit that the second participant obtains through the transaction with the first participant; and calculates and outputs a gross profit incurred from the transaction based on the first expected profit and the second expected profit.

Abstract: Attack scenario information describes each state of an information processing system to be attacked and an attack scenario including a chain of actions that can be taken in the state, an action that transitions from a first state to a second state is obtained with reference to state information, action information, and attack tactics information, a reward of the action is obtained with reference to reward information, the action information, and the attack tactics information, an expected reward of the reward of the action that transitions from the first state to the second state is obtained with reference to success probability information, the highest expected reward is set as a state value of reinforcement learning of the first state among the expected rewards of the action, and the attack scenario is generated by the reinforcement learning.

Abstract: A vulnerability countermeasure device stores configuration information associating multiple computers connected via a network and software possessed by each computer, vulnerability information associating the software with information related to the vulnerability of the software, and countermeasure policy information associating the software with a countermeasure policy to be executed if there is a vulnerability in the software; calculates the computer that data will reach based on information related to a route of the data included in the data received from a used terminal; acquires software existing in the computer based on the calculated computer and configuration information; assesses whether or not there is a vulnerability in the acquired software based on the acquired software and the vulnerability information; and is provided with countermeasure unit for executing a countermeasure to a vulnerability in accordance with a countermeasure policy with respect to the software assessed to have the vulnerabili

Abstract: A vulnerability countermeasure device stores configuration information associating multiple computers connected via a network and software possessed by each computer, vulnerability information associating the software with information related to the vulnerability of the software, and countermeasure policy information associating the software with a countermeasure policy to be executed if there is a vulnerability in the software; calculates the computer that data will reach based on information related to a route of the data included in the data received from a used terminal; acquires software existing in the computer based on the calculated computer and configuration information; assesses whether or not there is a vulnerability in the acquired software based on the acquired software and the vulnerability information; and is provided with countermeasure unit for executing a countermeasure to a vulnerability in accordance with a countermeasure policy with respect to the software assessed to have the vulnerabili

Abstract: A security level of each service is calculated and visualized. The device includes a security level calculation unit and a security level visualization unit. The security level calculation unit receives information regarding security of the service from a plurality of sensors as observation information, and calculates a security level of each service based on the received observation information and a security level calculation policy. The security level visualization unit outputs the security level of each service, based on the security level calculated by the security level calculation unit and configuration information of the service. Further, the security level calculation policy has a service, a user using the service, and an observation item to be observed in the service. The security level calculation unit calculates the security level in association with the user of the service and the service, based on the security level calculation policy.

Abstract: An encrypted traffic test system is disclosed which tests whether or not traffic involving packets over a network is encrypted, the encrypted traffic test system including: a test data acquisition portion configured to receive each of the packets on the network so as to acquire test data from the received packet; an encrypted traffic test portion configured to evaluate the test data acquired by the test data acquisition portion for randomness using a random number testing scheme and, if the test data is evaluated to have randomness, to further determine that the traffic involving the packets including the test data is encrypted traffic; and a test result display portion configured to display a test result from the encrypted traffic test portion on a test result display screen.

Abstract: Provided is a system whereby information on activities obtained by way of monitoring system access to input and output devices and storage devices in a terminal as well as information on activities executed by way of a terminal and obtained by way of monitoring communications through a network are associated with processes in the terminal that generated the activities, and if the activities are predetermined activities executed by the same or related processes, the system detects that unauthorized processes are running on the terminal.

Abstract: A technique for collecting information concerning those files distributed on a file sharing network and for detecting an information leak file to take corrective measures is provided. Supervised information is generated by adding as attributes a file type, a speech-part appearance frequency of words making up a file name and a result of human-made judgment as to whether a file being inspected is the information leak file to key information collected from the file sharing network. Next, the supervised information is input to a decision tree leaning algorithm, thereby causing it to learn an information leak file judgment rule and then derive a decision tree for use in information leak file judgment. Thereafter, this decision tree is used to detect the information leak file from key information flowing on the file sharing network, followed by alert transmission and key information invalidation, thereby preventing damage expansion.