To prevent, for example, attacks from external communication networks or unauthorized entry by malicious third parties, a company network blocks or monitors communications by means of firewalls and intrusion detection systems. In the following explanation of the present application, “communication network” may be simply expressed as “network.” In addition, in the following explanation, “unauthorized entry detection system” may be expressed as “IDS (intrusion detection system).”
Particularly in recent years, cases of targeted attacks aiming to steal companies' intellectual property or confidential information have been increasing. In response, the demand for cyber security is also increasing.
A common cyber security measure is to introduce a security operation center that monitors the network to be monitored and handles incidents. In the following explanation, “security operation center” may be expressed as “SOC (security operation center).” For example, companies organize the SOC internally, or realize the SOC by outsourcing its operation to outside companies.
More specifically, an operation to monitor the network includes an operation to classify each alert notified by a monitoring device such as a firewall or an IDS according to predetermined levels of risk. Some alerts indicate an attack from outside, while others carry no risk at all, for example. That is, not all alerts notified by the monitoring devices need to be reported as incidents. Therefore, an operator who performs the monitoring operation confirms the information included in the alert or refers to outside information, and then assigns an appropriate risk level to the alert. The operator reports the alert as an incident if necessary. The alert information referred to in this classification operation includes the following, for example: the detection rule used in detecting an abnormality on the monitoring target, the IP addresses and port numbers of the hosts that performed the transmission and reception, and information representing the importance level assigned to the detection rule by a security vendor. Note that “IP” is an abbreviation of “Internet protocol.”
PTL 1 is an example of related art disclosed before the present application. PTL 1 analyzes event data (alert information) notified by an IDS sensor provided on the network to be monitored. In this way, PTL 1 discloses a technique related to a system for analyzing an event and issuing an alert as a warning.
This event analysis and warning system mechanically determines whether a communication event indicated by event data is an unauthorized access, based on the event data and on alerts that were determined to indicate an unauthorized access in the past. More specifically, the event analysis and warning system compares some or all of the items of the signature (detection rule), the IP address, and the port number included in the event data with the past alerts determined to indicate an unauthorized access. As a result, the event analysis and warning system determines whether the communication event is an unauthorized access based on whether each of these items matches, or is similar to, the corresponding item of a past alert determined to indicate an unauthorized access.
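The following is an added illustration of the item-by-item comparison described above for PTL 1; it is not code from PTL 1 or from the present application. The past alerts are constructed sample data, "similar" IP addresses are assumed to mean the same /24 network, and the threshold of three matching items out of four is an assumed parameter.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AlertEvent:
    """Items named in the text: signature (detection rule), hosts, port."""
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed sample: alerts an operator previously confirmed as unauthorized access.
PAST_UNAUTHORIZED = [
    AlertEvent("ET SCAN SSH brute force", "198.51.100.23", "10.0.0.5", 22),
    AlertEvent("ET WEB_SERVER SQL injection", "203.0.113.9", "10.0.0.8", 443),
]


def same_or_similar_ip(a: str, b: str, prefix: int = 24) -> bool:
    """Exact match counts as 'matches'; same /prefix network is the assumed 'similar'."""
    if a == b:
        return True
    return ip_address(a) in ip_network(f"{b}/{prefix}", strict=False)


def item_matches(event: AlertEvent, past: AlertEvent) -> dict:
    """Compare each item of the new event with the corresponding item of one past alert."""
    return {
        "signature": event.signature == past.signature,
        "src_ip": same_or_similar_ip(event.src_ip, past.src_ip),
        "dst_ip": same_or_similar_ip(event.dst_ip, past.dst_ip),
        "dst_port": event.dst_port == past.dst_port,
    }


def classify(event: AlertEvent, past_alerts=PAST_UNAUTHORIZED, threshold: int = 3):
    """Return (is_unauthorized, best_score, matched_items) over all past alerts.

    An event is flagged when at least `threshold` items match or are similar
    to a single past alert (assumed rule, not a figure from the text).
    """
    best_score, best_items = 0, {}
    for past in past_alerts:
        items = item_matches(event, past)
        score = sum(items.values())
        if score > best_score:
            best_score, best_items = score, items
    return best_score >= threshold, best_score, best_items
```

The dict of per-item results is returned alongside the verdict so the operator can see which items drove the mechanical determination before assigning a risk level.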