{"created":"2025-01-19T01:26:57.586534+00:00","updated":"2025-01-19T12:03:29.883920+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00227705","sets":["581:11107:11118"]},"path":["11118"],"owner":"44499","recid":"227705","title":["米国国土安全保障省CISA脅威カタログを用いた脆弱性データ分析とトリアージ戦略の評価"],"pubdate":{"attribute_name":"公開日","attribute_value":"2023-09-15"},"_buckets":{"deposit":"9482957a-6f44-4130-9b13-7ebfa7e4a2de"},"_deposit":{"id":"227705","pid":{"type":"depid","value":"227705","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"米国国土安全保障省CISA脅威カタログを用いた脆弱性データ分析とトリアージ戦略の評価","author_link":["606849","606850","606851","606848"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"米国国土安全保障省CISA脅威カタログを用いた脆弱性データ分析とトリアージ戦略の評価"},{"subitem_title":"Analysis of Vulnerability Data and Triage Strategy by CISA Known Exploited Vulnerabilities Catalog","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"[特集:サイバー空間を安全にするコンピュータセキュリティ技術] 脆弱性管理，パッチ管理，セキュリティ運用，脅威インテリジェンス","subitem_subject_scheme":"Other"}]},"item_type_id":"2","publish_date":"2023-09-15","item_2_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"東京海上ホールディングス株式会社"},{"subitem_text_value":"九州大学大学院システム情報科学研究院"}]},"item_2_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Tokio Marine Holdings, Inc.","subitem_text_language":"en"},{"subitem_text_value":"The Graduate School of Information Science and Electrical Engineering","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/227705/files/IPSJ-JNL6409010.pdf","label":"IPSJ-JNL6409010.pdf"},"date":[{"dateType":"Available","dateValue":"2025-09-15"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-JNL6409010.pdf","filesize":[{"value":"1.2 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"8"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"1a24979e-91d7-4fd0-a8dc-b5eb63c09bb5","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2023 by the Information Processing Society of Japan"}]},"item_2_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"石川, 朝久"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"櫻井, 幸一"}],"nameIdentifiers":[{}]}]},"item_2_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Tomohisa, Ishikawa","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Kouichi, Sakurai","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_2_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AN00116647","subitem_source_identifier_type":"NCID"}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_6501","resourcetype":"journal article"}]},"item_2_publisher_15":{"attribute_name":"公開者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"item_2_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"1882-7764","subitem_source_identifier_type":"ISSN"}]},"item_2_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"セキュリティ運用において，パッチ管理プロセスはサイバー衛生を実現するうえで重要である．しかし，近年報告される脆弱性の数は年々増加しており，そのすべてに対応することは困難である．そのため，より優先すべき脆弱性を絞り込む「トリアージ戦略」を活用し，対策優先度を決定する手法がとられている．一方，トリアージ戦略が「真にパッチを適用すべき脆弱性」にのみパッチを当てられるかどうかについて，様々な議論が存在する．本論文では，米国国土安全保障省の傘下にあるCISA（サイバーセキュリティー・インフラセキュリティー庁）が公表している脅威カタログと脆弱性データ分析を行い，トリアージ戦略の有効性評価を示すことに成功した．","subitem_description_type":"Other"}]},"item_2_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"In security operation, patch management process is critical to realize cyber hygiene. However, the number of vulnerabilities reported in recent years has been increasing year by year, and it is difficult to handle all of them. To solve this issue, the organizations generally determine the priority of patch application as “triage strategy”. On the contrary, there are several discussions on whether triage strategy can focus on actually exploited vulnerabilities. This paper analyzes “Known Exploited Vulnerabilities Catalog” published by CISA (Cybersecurity and Infrastructure Security Agency) and vulnerabilities data and evaluate the effectiveness of various triage strategy.","subitem_description_type":"Other"}]},"item_2_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"1286","bibliographic_titles":[{"bibliographic_title":"情報処理学会論文誌"}],"bibliographicPageStart":"1277","bibliographicIssueDates":{"bibliographicIssueDate":"2023-09-15","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"9","bibliographicVolumeNumber":"64"}]},"relation_version_is_last":true,"item_2_identifier_registration":{"attribute_name":"ID登録","attribute_value_mlt":[{"subitem_identifier_reg_text":"10.20729/00227596","subitem_identifier_reg_type":"JaLC"}]},"weko_creator_id":"44499"},"id":227705,"links":{}}