Analysis system, method, and program
US-2022311786-A1 · Sep 29, 2022 · US
US12536301B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12536301-B2 |
| Application number | US-202318456132-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 25, 2023 |
| Priority date | Feb 15, 2023 |
| Publication date | Jan 27, 2026 |
| Grant date | Jan 27, 2026 |
Official abstract text for this publication.
An information processing device according to an embodiment includes a risky vulnerability detection unit, a technical similarity calculation unit, a risk score calculation unit, and an output unit. The risky vulnerability detection unit detects, as a risky vulnerability, a vulnerability having the possibility of being attacked for an object system executing information processing. For each vulnerability registered in advance, the technical similarity calculation unit calculates a technical similarity representing a technical similarity to the risky vulnerability. For each vulnerability, the risk score calculation unit calculates a risk score representing the level of the risk of attack on each vulnerability in the object system, based on the technical similarity. The output unit determines at least one of the vulnerabilities as a target vulnerability to be dealt with, based on the risk score for each vulnerability, and outputs identification information for identifying the target vulnerability.
Opening claim text (preview).
What is claimed is:
1. An information processing device, comprising: one or more hardware processors configured to function as: a risky vulnerability detection unit configured to detect, as a risky vulnerability, a vulnerability having a possibility of becoming a cause of attack on an object system configured to execute information processing; a technical similarity calculation unit configured to calculate a technical similarity representing a similarity to the risky vulnerability technically, for each of a plurality of vulnerabilities registered in advance, the technical similarity being greater as the similarity to the risky vulnerability technically is higher; a risk score calculation unit configured to calculate, for each of the vulnerabilities, a risk score representing a level of a risk of attack on a corresponding vulnerability in the object system, based on the technical similarity; and an output unit configured to determine at least one of the vulnerabilities as a target vulnerability to be dealt with, based on the risk score for each of the vulnerabilities, and output identification information for identifying the target vulnerability, wherein for each of the vulnerabilities, the technical similarity calculation unit calculates a similarity to the risky vulnerability in any one or more items of a type of vulnerability, a characteristic of vulnerability, and a feature of a source or binary code of vulnerability, as the technical similarity.
2. The information processing device according to claim 1, wherein out of the vulnerabilities, the output unit determines a vulnerability for which the risk score is equal to or greater than a preset threshold, as the target vulnerability.
3. The information processing device according to claim 1, wherein a score is assigned in advance to each of the type, the characteristic, and the feature, and, for each of the vulnerabilities, the technical similarity calculation unit calculates, as the technical similarity, a value obtained by adding scores of items in which each of the vulnerabilities is identical to the risky vulnerability.
4. The information processing device according to claim 1, wherein the one or more hardware processors are configured to further function as: an object similarity calculation unit configured to calculate an object similarity to the risky vulnerability for each of the vulnerabilities registered in advance, the object similarity representing a similarity of an object having or causing vulnerability, wherein for each of the vulnerabilities, the risk score calculation unit calculates the risk score, based on the technical similarity and the object similarity.
5. The information processing device according to claim 4, wherein for each of the vulnerabilities, the object similarity calculation unit calculates, as the object similarity, a similarity to the risky vulnerability in any one or more items of object software/hardware representing software or hardware having vulnerability, a software type representing a type of software having vulnerability, and an object hardware type representing a type of hardware having vulnerability caused by executing software having vulnerability.
6. The information processing device according to claim 5, wherein a score is assigned in advance to each of the object software/hardware, the software type, and the object hardware type, and, for each of the vulnerabilities, the object similarity calculation unit calculates, as the object similarity, a value obtained by adding scores of items in which each of the vulnerabilities is identical to the risky vulnerability.
7. The information processing device according to claim 1, wherein the one or more hardware processors are configured to further function as a correction unit configured to correct the risk score for each of the vulnerabilities, based on an environmental score representing a level of influence of attack on the object system.
8. The information processing device according to claim 7, wherein the one or more hardware processors are configured to further function as: a prediction unit configured to predict an amount of change in risk of attack on vulnerability during a set period from a specific time point to a prediction time point, wherein for each of the vulnerabilities, the correction unit corrects the risk score, based on the amount of change in the risk.
9. The information processing device according to claim 8, wherein the correction unit uses, as the set period, a period from the specific time point to a point in time when next maintenance is performed for the object system.
10. The information processing device according to claim 1, wherein the one or more hardware processors are configured to further function as: a mitigation measure determination unit configured to determine one or more effective mitigation measures effective for the target vulnerability, out of a plurality of mitigation measures registered in advance to mitigate an influence of vulnerability by a method other than dealing with vulnerability by using a patch program, wherein the output unit outputs the one or more effective mitigation measures determined for the target vulnerability.
11. The information processing device according to claim 10, wherein, for each of the mitigation measures, any one or more items of a vulnerability for which a measure is effective, a type of the vulnerability for which the measure is effective, a characteristic of the vulnerability for which the measure is effective, and a feature of a source or binary code of the vulnerability for which the measure is effective are registered in advance, and out of the mitigation measures, the mitigation measure determination unit determines, as the one or more effective mitigation measures, any one or more mitigation measures that are identical to the target vulnerability in any one or more registered items of the type, the characteristic, and the feature of the source or binary code of the vulnerability for which the measure is effective.
12. The information processing device according to claim 11, wherein the mitigation measure determination unit determines an optimal effective mitigation measure out of the one or more effective mitigation measures, based on a preset policy, and the output unit outputs the optimal effective mitigation measure for the target vulnerability.
13. The information processing device according to claim 12, wherein the mitigation measure determination unit determines the optimal effective mitigation measure, based on any of: a policy of minimizing a number of the overall optimal effective mitigation measures when a plurality of the target vulnerabilities is outputted; a policy of limiting to a predetermined cost or lower when one or more of the target vulnerabilities is outputted; a policy of satisfying a condition defined in the object system; and a policy of applying a plurality of effective mitigation measures to a single target vulnerability.
14. An information processing system comprising: an object system configured to execute information processing; a security management device configured to provide a patch program to the object system to correct a vulnerability in the object system; and the information processing device according to claim 1.
15. An information processing method to be executed by an information processing device, the information processing method comprising: by the information processing device, detecting a vulnerability having a possibility of becoming a cause
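
The additive scoring of claims 3 and 6, combined with the threshold selection of claim 2, can be sketched as follows. This is an added example, not code from the patent. The item scores, the threshold, the sample records, the rule that unknown values never match, and the choice to sum the two similarities into the risk score are all assumptions; the claims say only that the risk score is "based on" the similarities.

```python
# Added illustration of claims 1-6; not code from the patent.
# Item scores, threshold and all records below are constructed.
TECH_SCORES = {"vuln_type": 3.0, "characteristic": 2.0, "code_feature": 4.0}
OBJ_SCORES = {"product": 3.0, "software_type": 1.5, "hardware_type": 1.0}

def similarity(candidate, risky, scores):
    """Add the pre-assigned score of every item whose value is identical."""
    total = 0.0
    for item, score in scores.items():
        value = candidate.get(item)
        # Assumption: an unknown (None/missing) value never counts as a match,
        # otherwise two sparsely described records would look alike.
        if value is not None and value == risky.get(item):
            total += score
    return total

def risk_score(candidate, risky):
    # Assumption: the claims only say "based on"; a plain sum is used here.
    return (similarity(candidate, risky, TECH_SCORES)
            + similarity(candidate, risky, OBJ_SCORES))

def select_targets(registered, risky, threshold):
    """Return (id, score) for records at or above the threshold, highest first."""
    scored = ((vid, risk_score(rec, risky)) for vid, rec in registered.items())
    hits = [(vid, s) for vid, s in scored if s >= threshold]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))

# Constructed "risky vulnerability" (one seen as a likely cause of attack).
RISKY = {"vuln_type": "CWE-787", "characteristic": "network",
         "code_feature": None, "product": "libfoo",
         "software_type": "library", "hardware_type": "plc"}

# Constructed registry of vulnerabilities present in the object system.
REGISTERED = {
    "VULN-A": {"vuln_type": "CWE-787", "characteristic": "network",
               "code_feature": None, "product": "libbar",
               "software_type": "library", "hardware_type": "plc"},
    "VULN-B": {"vuln_type": "CWE-79", "characteristic": "network",
               "product": "webui", "software_type": "web-app",
               "hardware_type": "server"},
    "VULN-C": {"vuln_type": "CWE-787", "characteristic": "local",
               "code_feature": "strcpy-into-stack-buffer", "product": "libfoo",
               "software_type": "library", "hardware_type": "plc"},
}

if __name__ == "__main__":
    for vid, score in select_targets(REGISTERED, RISKY, threshold=5.0):
        print(vid, score)
```

The environmental correction and change prediction of claims 7 to 9 would adjust these scores before the threshold is applied; they are left out here because the claims do not state a formula for them.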
Test or assess a computer or a system · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title