
Intrusion Detection Device And Intrusion Detection Program

Abstract: A state management unit (210) identifies the state of an operational system and, on the basis of the identified state, determines whether or not the operational system has experienced a state transition. If the operational system has experienced a state transition, the state management unit determines, using a state transition scenario that indicates the permitted state transition patterns, whether the transition experienced by the operational system matches any of the patterns indicated by the scenario. If it does not match any of the patterns, an alert output unit (293) outputs an alert. If it matches one of the patterns, a white list management unit (220) switches to the white list selected for the new state and an intrusion detection unit (230) performs white-list-based intrusion detection.


Patent Information

Application #
Filing Date
04 December 2018
Publication Number
08/2019
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
patent@depenning.com
Parent Application

Applicants

MITSUBISHI ELECTRIC CORPORATION
7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 1008310

Inventors

1. SHIMIZU, Koichi
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 1008310
2. YAMAGUCHI, Teruyoshi
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 1008310
3. NAKAI, Tsunato
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 1008310
4. KOBAYASHI, Nobuhiro
c/o Mitsubishi Electric Corporation, 7-3, Marunouchi 2-chome, Chiyoda-ku, Tokyo 1008310

Specification

We Claim:
[Claim 1] An intrusion detection apparatus comprising:
a state identifying unit to identify a state of an operational system;
a state transition determination unit to determine presence or absence of a state transition of the operational system based on the identified state; and
a transition pattern determination unit to, in a case where there has been a state transition of the operational system, determine, with use of a state transition scenario indicating a transition pattern of state transition, whether the state transition of the operational system matches the transition pattern indicated in the state transition scenario.
[Claim 2] The intrusion detection apparatus according to claim 1, further comprising an alert output unit to output an alert in a case where the state transition of the operational system does not match the transition pattern.
[Claim 3] The intrusion detection apparatus according to claim 1 or claim 2, further comprising an intrusion detection unit to perform whitelist-type intrusion detection in a case where the state transition of the operational system matches the transition pattern.
[Claim 4] The intrusion detection apparatus according to claim 3, further comprising a whitelist management unit to, in a case where the state transition of the operational system matches the transition pattern, select a whitelist associated with the state of the operational system from a plurality of whitelists associated with operational states,
wherein the intrusion detection unit performs whitelist-type intrusion detection with use of the selected whitelist.
[Claim 5] An intrusion detection program that causes a computer to perform:
state identifying processing to identify a state of an operational system;
state transition determination processing to determine presence or absence of a state transition of the operational system based on the identified state; and
transition pattern determination processing to, in a case where there has been a state transition of the operational system, determine, with use of a state transition scenario indicating a transition pattern of state transition, whether the state transition of the operational system matches the transition pattern indicated in the state transition scenario.
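The mechanism of claims 1 to 5 (and the whitelist switch that claims 10 and 14 trigger from a detected state transition packet instead of an identified state) can be shown as a small state-aware detector. This is an added example written for this page, not code from the patent or from Mitsubishi Electric; the state names, the allowed transitions in the scenario, the whitelist tuple format (source host, destination host, protocol, destination port) and the event stream are all constructed, and keeping the old whitelist after an unexpected transition is an assumed choice the claims do not specify.

```python
"""State-aware whitelist intrusion detection, after claims 1-5.

Constructed example: the states, the scenario and the whitelist tuples
below are assumed data, not taken from the patent.
"""
from dataclasses import dataclass, field

# Whitelist entry format is an assumption: (src host, dst host, proto, dst port)
WHITELISTS = {
    "STOPPED":  {("hmi", "plc", "tcp", 502)},
    "STARTING": {("hmi", "plc", "tcp", 502), ("hmi", "plc", "tcp", 44818)},
    "RUNNING":  {("hmi", "plc", "tcp", 502), ("plc", "historian", "tcp", 1883)},
}

# State transition scenario: the (state before, state after) pairs the plant
# is allowed to go through. Any other transition is unexpected.
SCENARIO = {
    ("STOPPED", "STARTING"),
    ("STARTING", "RUNNING"),
    ("RUNNING", "STOPPED"),
}


@dataclass
class StateAwareDetector:
    state: str                       # currently identified state
    whitelists: dict                 # state -> whitelist
    scenario: set                    # allowed (before, after) pairs
    alerts: list = field(default_factory=list)

    def observe_state(self, identified):
        """State identification, transition determination and pattern check.

        Returns True when the whitelist was switched to the new state's list.
        """
        if identified == self.state:
            return False                              # no transition
        if (self.state, identified) not in self.scenario:
            # Transition does not match the scenario: alert and keep the old
            # whitelist (assumed handling; the claims only require the alert).
            self.alerts.append(f"unexpected transition {self.state}->{identified}")
            return False
        self.state = identified                       # switch whitelist
        return True

    def inspect(self, packet):
        """Whitelist-type detection against the current state's whitelist."""
        if packet in self.whitelists[self.state]:
            return True
        self.alerts.append(f"{packet} not allowed in state {self.state}")
        return False


def run_state_aware(events, initial_state="STOPPED"):
    """Feed a mixed stream of state readings and packets; return the alerts."""
    det = StateAwareDetector(initial_state, WHITELISTS, SCENARIO)
    for kind, value in events:
        if kind == "state":
            det.observe_state(value)
        else:
            det.inspect(value)
    return det.alerts


# Constructed event stream (not captured traffic)
EVENTS = [
    ("pkt", ("hmi", "plc", "tcp", 502)),         # allowed while STOPPED
    ("state", "STARTING"),                       # STOPPED->STARTING is in the scenario
    ("pkt", ("hmi", "plc", "tcp", 44818)),       # allowed while STARTING
    ("state", "RUNNING"),                        # STARTING->RUNNING is in the scenario
    ("pkt", ("hmi", "plc", "tcp", 44818)),       # no longer allowed in RUNNING: alert
    ("state", "STARTING"),                       # RUNNING->STARTING not in scenario: alert
    ("pkt", ("plc", "historian", "tcp", 1883)),  # still RUNNING, allowed
]

if __name__ == "__main__":
    for alert in run_state_aware(EVENTS):
        print("ALERT:", alert)
```

The point of the scenario check is that a flat whitelist covering every state would have to permit the engineering-port flow in all states, while a per-state list only permits it during start-up; the scenario then stops an attacker from forcing the detector onto a more permissive list simply by reporting a state the plant could not legitimately have reached from its current one.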
[Claim 6] An intrusion detection apparatus comprising:
a packet detection unit to detect a periodic packet which is communicated in an operational system;
a detection interval calculation unit to detect a detection interval at which the periodic packet has been detected;
a state identifying unit to identify a state of the operational system;
a state transition determination unit to determine presence or absence of a state transition of the operational system based on the identified state;
a whitelist management unit to select a whitelist associated with the state of the operational system from a plurality of whitelists associated with operational states;
an acceptance or unacceptance identifying unit to, in a case where there has been a state transition of the operational system, identify, with use of a whitelist associated with a state of before state transition and a whitelist associated with a state of after state transition, acceptance or unacceptance of the periodic packet of before state transition and acceptance or unacceptance of the periodic packet of after state transition; and
an alert determination unit to determine necessity or unnecessity of an alert based on an alert condition table in which acceptance or unacceptance before state transition, acceptance or unacceptance after state transition, a communication interval, and necessity or unnecessity of an alert are associated with each other, acceptance or unacceptance of the periodic packet of before state transition, acceptance or unacceptance of the periodic packet of after state transition, and the detection interval of the periodic packet.
[Claim 7] The intrusion detection apparatus according to claim 6, wherein, in a case where the periodic packet has been first detected, the detection interval calculation unit calculates, as the detection interval, a time elapsing from time of day at which the state of the operational system has become a state in which the periodic packet has been detected.
[Claim 8] The intrusion detection apparatus according to claim 6 or claim 7, further comprising an intrusion detection unit to perform whitelist-type intrusion detection with use of a whitelist associated with the state of the operational system in a case where there has been no state transition of the operational system.
[Claim 9] An intrusion detection program that causes a computer to perform:
packet detection processing to detect a periodic packet which is communicated in an operational system;
detection interval calculation processing to detect a detection interval at which the periodic packet has been detected;
state identifying processing to identify a state of the operational system;
state transition determination processing to determine presence or absence of a state transition of the operational system based on the identified state;
whitelist management processing to select a whitelist associated with the state of the operational system from a plurality of whitelists associated with operational states;
acceptance or unacceptance identifying processing to, in a case where there has been a state transition of the operational system, identify, with use of a whitelist associated with a state of before state transition and a whitelist associated with a state of after state transition, acceptance or unacceptance of the periodic packet of before state transition and acceptance or unacceptance of the periodic packet of after state transition; and
alert determination processing to determine necessity or unnecessity of an alert based on an alert condition table in which acceptance or unacceptance before state transition, acceptance or unacceptance after state transition, a communication interval, and necessity or unnecessity of an alert are associated with each other, acceptance or unacceptance of the periodic packet of before state transition, acceptance or unacceptance of the periodic packet of after state transition, and the detection interval of the periodic packet.
[Claim 10] An intrusion detection apparatus comprising:
a packet detection unit to detect a state transition packet which is communicated when a state of an operational system transitions; and
a whitelist management unit to, in a case where the state transition packet has been detected, select a whitelist associated with a state of after state transition from a plurality of whitelists associated with operational states.
[Claim 11] The intrusion detection apparatus according to claim 10,
wherein the operational system includes a network having a communication period including a communication time for a periodic packet and a communication time for a different packet, and
wherein the state transition packet is communicated in the communication time for a different packet in a communication time period including time of day at which the state of the operational system transitions among communication time periods separated according to the communication period.
[Claim 12] The intrusion detection apparatus according to claim 11, wherein the network has a communication band for a periodic packet and a communication band for a different packet.
[Claim 13] The intrusion detection apparatus according to any one of claim 10 to claim 12,
wherein the packet detection unit detects a periodic packet which is communicated in the operational system,
wherein the intrusion detection apparatus further comprises:
a detection interval calculation unit to calculate a detection interval at which the periodic packet has been detected;
an acceptance or unacceptance identifying unit to, in a case where the state transition packet has been detected, identify, with use of a whitelist associated with a state of before state transition and a whitelist associated with a state of after state transition, acceptance or unacceptance of the periodic packet of before state transition and acceptance or unacceptance of the periodic packet of after state transition; and
an alert determination unit to determine necessity or unnecessity of an alert based on an alert condition table in which acceptance or unacceptance before state transition, acceptance or unacceptance after state transition, a communication interval, and necessity or unnecessity of an alert are associated with each other, acceptance or unacceptance of the periodic packet of before state transition, acceptance or unacceptance of the periodic packet of after state transition, and the detection interval of the periodic packet.
[Claim 14] An intrusion detection program that causes a computer to perform:
packet detection processing to detect a state transition packet which is communicated when a state of an operational system transitions; and
whitelist management processing to, in a case where the state transition packet has been detected, select a whitelist associated with a state of after state transition from a plurality of whitelists associated with operational states.
