HK1098224B - Invalidity monitoring method, and invalidity monitoring system - Google Patents
Publication number: HK1098224B (also listed as HK07105805.7A)
Authority: HK (Hong Kong)
Description
Technical Field
The present invention relates to an unauthorized-operation monitoring method and monitoring system for monitoring unauthorized data, that is, data used to perform an unauthorized operation on a computer.
Background
When a computer is connected to a network such as the Internet, it is necessary both to prevent unauthorized external data from intruding into the computer and to prevent internal data of the computer from flowing out or leaking as a result of an unauthorized operation of the computer. To prevent the intrusion of unauthorized data, a firewall is usually installed between an internal network such as a corporate intranet and the Internet to intercept such data, or antivirus software is installed on the internal network and on each computer terminal. In general, firewalls and antivirus software hold rules, set in advance, that identify unauthorized data by keywords or source IP addresses, and determine whether data is unauthorized by matching it against those rules.
As for methods of preventing data leakage caused by an unauthorized operation, the following technique is known: rules set in advance concerning access authority, source address, transfer file type, and the like are consulted for data about to be transmitted to a network, and communication is shut down when a possible unauthorized attempt is detected (see, for example, patent document 1).
Patent document 1: Japanese laid-open patent publication No. 2002-232451
Disclosure of Invention
Problems to be solved by the invention
The firewall, the antivirus software, and the invention described in patent document 1 all serve to prevent intrusion of unauthorized data from the network and leakage of internal data to the network. However, an unauthorized operation using a computer is not limited to the network; information can also flow out by a method that does not use a network at all. For example, a third party without authority may perform an unauthorized operation on a computer that is not connected to any external network and output information from the computer to a printer or write it to an external disk. It is therefore preferable to monitor data used for unauthorized operations not only on the network but also at the driver level for printers, external drives, and the like.
As described above, conventional methods for monitoring unauthorized data are mainly rule-based, the rules registering information such as keywords, IP addresses, and the hardware address (Media Access Control address) of a network interface, and the kinds of rules these methods can register are very limited. The number of rules may be increased to make the determination as accurate as possible, but if it is increased too much, the processing load of the determination becomes heavy. It is therefore preferable that a variety of rules can be registered as simply as possible and that the rules be consulted efficiently.
Rule-based determination of unauthorized operations has a further problem: when an unauthorized operation that matches no registered rule is carried out by a method entirely different from those seen in the past, it is difficult to detect it with the rule base alone. It is therefore preferable to grasp user operation behaviour patterns that differ from the conventional ones and to determine the likelihood of an unauthorized operation accurately.
In view of the above problems, it is an object of the present invention to provide an unauthorized-operation monitoring method and monitoring system that monitor data used to perform an unauthorized operation on a computer, covering data input and output between the computer and a network or an external device, and that allow various rules for determining an unauthorized operation to be set flexibly and used effectively.
Means for solving the problems
A first aspect of the present application is an unauthorized-operation monitoring method for monitoring data used to perform an unauthorized operation on a computer, characterized in that the following steps are executed on the computer: acquiring output instruction data that is output to an external output device through a network connected to the computer or through an external connection bus connecting the computer and the external device; determining, from the output instruction data, identification information that identifies a user; acquiring at least part of the attribute information corresponding to that identification information from a user information storage unit that stores attribute information on users having usage right of the computer; determining whether or not the output instruction data is unauthorized data by referring to a determination rule storage unit that stores rules for determining whether output instruction data is unauthorized; and, when the output instruction data is determined to be unauthorized in the determining step, stopping the output instruction operation performed on the basis of the output instruction data by stopping the execution processing of the driver. In the step of determining whether the data is unauthorized, the determination rule corresponding to the attribute information acquired in the attribute information acquiring step is referred to.
In the first aspect, not only data input and output through the network but also output instruction data sent to an external output device through the external connection bus of the computer is monitored, so that instruction data for unauthorized printing or writing to a magnetic disk or the like, which never passes through the network, can be monitored and the unauthorized operation interrupted. Furthermore, since determination items corresponding to the user's attribute information are added, the rules can be diversified.
In the first aspect, provided the computer has a network connection, it may be used as either a client or a server on the network. The network includes any network over which data can be transmitted and received, such as a LAN or a dial-up connection. The external devices include any peripheral device, such as a printer or an external drive, that can be connected to the computer through an external connection bus. Unauthorized data is data related to an unauthorized operation of the computer, such as a transmission instruction for an outgoing file or an operation by a user without authority. The user's attribute information may be information such as age, sex, department, and job title.
The first aspect may further include a step, executed on the computer, of determining, with reference to the user information storage unit, whether or not the user corresponding to the identification information has usage right of the computer, and a step of stopping the operation executed on the basis of the output instruction data when the usage right determining step finds no usage right. The usage right determining step is executed before the step of determining whether the data is unauthorized, and when it finds that the user has no usage right, at least one of the attribute information acquiring step and the unauthorized data determining step is not executed on the computer.
In the first aspect, since the user's attribute information is registered in advance and used as one item of the rules, it is easy to confirm whether or not the user who performed the operation has usage right of the computer. If the presence or absence of usage right is confirmed before the rules are evaluated, the operation of a user who has no authority in the first place can be stopped at that initial stage, before the rules are applied, which improves the efficiency of rule processing.
The first aspect may further include a step, executed on the computer, of comparing the output instruction data acquired in the data acquiring step with the user's usual operating habits and tendencies by referring to a profile storage unit that stores log data relating to output instruction data as a profile of each user, and determining whether or not there is an abnormality; the step of stopping the operation executed on the basis of the output instruction data then also stops that output instruction operation when an abnormality is determined in the abnormality determining step.
In this way, a profile capturing the operating characteristics of each user is created by collecting each user's log data, and whether the user has performed an abnormal operation is determined by referring to that profile. This makes it possible to detect cases the rules cannot: a third party impersonating an authorized user, or an operation that is within the user's authority but is not normally performed and may therefore be unauthorized.
The first aspect may further have the following feature: when the output instruction data was acquired from the network in the acquiring step, the step of stopping the operation executed on the basis of the output instruction data cuts off the channel.
The first aspect may further have the following feature: when the output instruction data was acquired from the external connection bus in the acquiring step, the step of stopping the operation executed on the basis of the output instruction data stops the execution processing of the driver.
In the first aspect, when the computer determines that the processing being executed is an unauthorized operation, that processing is stopped immediately. When the processing is the transmission or reception of data over the network, information leakage through transmission to the outside is prevented by cutting off the channel in use. When the processing is the transmission of data to an external device over the external connection bus, information leakage through data output is prevented by stopping the execution of the driver.
A second aspect of the present application is an unauthorized-operation monitoring method for monitoring data used to perform an unauthorized operation on a computer, characterized in that a program executes the following steps on the computer: acquiring output instruction data input and output through a network connected to the computer or through an external connection bus connecting the computer and an external device; determining, from the output instruction data, identification information that identifies a user; acquiring at least part of the attribute information corresponding to that identification information from a user information storage unit that stores various attribute information on users having usage right of the computer; determining whether or not the output instruction data is unauthorized data by referring to a determination rule storage unit that stores rules for determining whether output instruction data is unauthorized; and, when the output instruction data is determined to be unauthorized in the determining step, notifying the user or a terminal device operated by an administrator that the operation executed on the basis of the output instruction data is an unauthorized operation. The determination rule storage unit stores determination rules corresponding to user attributes, and the step of determining whether the data is unauthorized refers to the determination rule corresponding to the attribute information acquired in the attribute information acquiring step.
The second aspect differs from the first in that, whereas the first aspect stops the processing when the data is determined to be unauthorized, the second aspect handles the unauthorized data by notifying the user who performed the processing relating to the data, or an operator such as the administrator of the computer or terminal.
The first and second aspects may also be realized as an unauthorized-operation monitoring system that uses the above monitoring method.
In other words, the first aspect may also be an unauthorized-operation monitoring system for monitoring data used to perform an unauthorized operation on a computer, characterized by comprising: data acquisition means for acquiring output instruction data output to an external output device through a network connected to the computer or through an external connection bus connecting the computer and the external device; identification information determination means for determining, from the output instruction data, identification information that identifies a user; user information storage means for storing various attribute information on users having usage right of the computer; attribute information acquiring means for acquiring at least part of the attribute information corresponding to the identification information from the user information storage means; determination rule storage means for storing rules for determining whether output instruction data is unauthorized data; unauthorized data determination means for determining, with reference to the determination rule storage means, whether or not the output instruction data is unauthorized; and stopping means for stopping the output instruction operation executed on the basis of the output instruction data, by stopping the execution processing of the driver, when the unauthorized data determination means determines that the data is unauthorized. The determination rule storage means stores determination rules corresponding to user attributes, and the unauthorized data determination means determines whether or not the data is unauthorized by referring to the determination rule corresponding to the attribute information acquired by the attribute information acquiring means.
The unauthorized-operation monitoring system of the first aspect may further include usage right determination means for determining, with reference to the user information storage means, whether or not the user corresponding to the identification information has usage right of the computer. When the usage right determination means determines that there is no usage right, the stopping means stops the operation executed on the basis of the output instruction data. The usage right determination means is activated before the unauthorized data determination means, and when it determines that there is no usage right, at least one of the attribute information acquiring means and the unauthorized data determination means is not activated.
The unauthorized-operation monitoring system of the first aspect may further include profile storage means for storing log data relating to the output instruction data as a profile of each user, and abnormal operation determination means configured to compare the output instruction data acquired by the data acquisition means with the user's usual operating habits and tendencies by referring to the profile storage means and to determine whether or not there is an abnormality. When the abnormal operation determination means determines an abnormality, the operation executed on the basis of the output instruction data is stopped.
The unauthorized-operation monitoring system of the first aspect may further have the following feature: when the data acquisition means acquires the input/output data from the network, the stopping means executes the channel cut-off processing.
The unauthorized-operation monitoring system of the first aspect may further have the following feature: when the data acquisition means acquires the output instruction data from the external connection bus, the stopping means stops the execution processing of the driver.
The second aspect may also be an unauthorized-operation monitoring system for monitoring data used to perform an unauthorized operation on a computer, characterized by comprising: data acquisition means for acquiring output instruction data input and output through a network connected to the computer or through an external connection bus connecting the computer and an external device; identification information determination means for determining, from the output instruction data, identification information that identifies a user; user information storage means for storing various attribute information on users having usage right of the computer; attribute information acquiring means for acquiring at least part of the attribute information corresponding to the identification information from the user information storage means; determination rule storage means for storing rules for determining whether output instruction data is unauthorized data; unauthorized data determination means for determining, with reference to the determination rule storage means, whether or not the output instruction data is unauthorized; and notifying means for notifying the user or a terminal device operated by an administrator that the operation executed on the basis of the output instruction data has been determined to be an unauthorized operation when the unauthorized data determination means determines that the data is unauthorized. The determination rule storage means stores determination rules corresponding to user attributes, and the unauthorized data determination means determines whether or not the data is unauthorized by referring to the determination rule corresponding to the attribute information acquired by the attribute information acquiring means.
Advantages and positive effects of the invention
According to the present invention, unauthorized data handled on a computer can be monitored not only where data is input and output between the computer and a network but also where it is input and output between the computer and an external device, and information leakage through unauthorized data output by impersonators and unauthorized persons can be prevented.
Since the user's attribute information registered in advance is used as one item of the rules, a variety of rules for determining an unauthorized operation can be set. Since the presence or absence of the user's authority to operate the computer is determined from the attribute information before the rules are applied, the efficiency of the unauthorized-operation determination is improved. And by recording each user's operation history as a profile and identifying abnormal operation patterns that the rules cannot judge, it is possible to detect an operation by someone impersonating an authorized user, or an operation that is within the user's authority but is not normally performed and may therefore be unauthorized.
Detailed Description
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. The following description is merely an example of an embodiment of the present invention, and the present invention is not limited to it.
Figs. 1 and 2 are explanatory diagrams of examples in which the unauthorized-operation monitoring system according to the present invention is used for monitoring a network and for monitoring a connection with an external device, respectively. Fig. 3 is an explanatory diagram showing installation positions of the monitoring system. Figs. 4 and 5 are diagrams showing a first and a second configuration of the monitoring system. Fig. 6 is an explanatory diagram showing an example of the user data storage unit, and Fig. 7 an example of the unauthorized rule storage unit, of the monitoring system. Fig. 8 is a flowchart of the unauthorized-operation monitoring program according to the present invention.
The unauthorized-operation monitoring system according to the present invention can monitor not only the various data transmitted over a network but also the external connection bus that connects external devices such as an output device (for example a printer) and an external storage device (for example an external disk drive). As shown in Fig. 3, the system may be installed at the gateway between an intranet, such as a corporate intranet, and the Internet to monitor the network, or may be installed on a mail server to monitor mail sent and received over the network. It can also be used to monitor a network segment of an internal network, the connection between each user terminal and the network, or the connection between each user terminal and an external device.
Fig. 1 shows an example of a system for monitoring a network. The unauthorized-operation monitoring system according to the present invention comprises an unauthorized-operation monitoring server 10, a user data storage unit 12, and an unauthorized rule storage unit 13. The monitoring server 10 may be placed at the gateway between the internal network and the Internet to monitor leakage of unauthorized data and the like across the entire internal network, or may be placed within the internal network to monitor a single network segment.
The monitoring server 10 acquires all input/output data transmitted on the network and obtains, from the user data storage unit 12, the attribute information of the user who performed the input or output. The unauthorized rule storage unit 13 stores, in addition to the ordinary rules for determining unauthorized data, rules that are keyed to user attributes. The monitoring server 10 refers to the unauthorized rule storage unit 13, applying both the general determination rules to the input/output data and the rules corresponding to the attributes obtained from the user data storage unit 12, and determines whether the input/output data is unauthorized. For input/output data determined to be unauthorized, the channel through which it is being input or output is cut off.
Fig. 2 shows an example of monitoring an external connection bus. Here the unauthorized-operation monitoring system according to the present invention consists of an unauthorized-operation monitoring program 11 stored in the hard disk drive 214 of a processing device 210, a user data storage unit 12, and an unauthorized rule storage unit 13. During monitoring, the program and stored data are read from the hard disk drive 214 and processed on the processing device 210. To perform monitoring with the monitoring program 11 stored in the hard disk drive 214, the basic hardware-control programs for input control, output control, and the like stored in the ROM 213 are started on the processing device 210, and the CPU 211 performs the processing with the RAM 212 serving as the work area of the monitoring program 11. During processing, the monitoring program 11 reads the data it needs from the user data storage unit 12 and the unauthorized rule storage unit 13 on the hard disk drive 214. The hard disk drive 214 that holds the program in the processing device 210 may be replaced by another storage medium capable of storing the program, such as flash memory.
When the driver 22 in the processing device 210 is invoked and instruction data for printing or for storing to an external disk or the like is sent to the external connection bus 23, the monitoring program 11 acquires the instruction data transferred over the external connection bus 23 and obtains, from the user data storage unit 12, the attribute information of the user who performed the operation that produced the instruction data. The unauthorized rule storage unit 13 stores, in addition to the ordinary rules for determining unauthorized data, rules keyed to user attributes. The monitoring program 11 determines whether the instruction data matches the general determination rules stored in the unauthorized rule storage unit 13, and also whether it matches the rules corresponding to the attributes obtained from the user data storage unit 12. For instruction data determined to be an unauthorized operation, the processing already started by the driver 22 is stopped: for example, printing is stopped, or communication with a computer directly connected to the external connection bus 23 is stopped.
The determination method used by the monitoring server 10 of Fig. 1 and the monitoring program 11 of Fig. 2 is described in further detail with reference to Figs. 4 and 5. Fig. 4 shows a configuration that executes a determination method in which rules corresponding to user attributes are added to the rules for determining unauthorized operations, and Fig. 5 shows a configuration that, in addition to the rule base, executes a determination method in which each user's operation pattern is derived from the user's profile and an abnormal operation is determined to be unauthorized.
The determination method of Fig. 4 proceeds in the following order: the data acquisition unit 14 acquires the data to be determined, the unauthorized operation determination unit 15 determines from the rule base whether the operation is unauthorized, and the interrupt processing execution unit 16 terminates the processing determined to be an unauthorized operation. These units need not be physically separate: they may be stored in the hard disk drive 214 as parts of the monitoring program 11 that execute the respective processes, read out in order, and run by the CPU 211 with the RAM 212 as the work area.
The data acquisition unit 14 acquires data transmitted over the network or the external connection bus. The acquired data includes identification data of the user who performed the operation related to that data. The identification data is determined from, for example, the login identity the user used when logging in to the computer.
The unauthorized operation determination unit 15 obtains, from the user data storage unit 12, the user attribute information corresponding to the user identification data acquired by the data acquisition unit 14. Fig. 6 shows an example of the user attribute information stored in the user data storage unit 12: each user record stores attribute information such as the user identity, work post, and job title.
The unauthorized operation determination unit 15 refers to the unauthorized rule storage unit 13 to determine whether the data acquired from the data acquisition unit 14 matches a rule for determining an unauthorized operation. The unauthorized rule storage unit 13 stores general determination rules, which are unrelated to user attributes, and attribute rules, which specify non-permitted items corresponding to user attributes. The former are general rules that judge whether an operation is unauthorized by criteria such as a keyword, a link, an IP address, or the hardware address of a network interface. The latter are rules that specify, for example, the operation authority for a particular operation corresponding to a work post or job title.
Fig. 7 shows an example of the determination rules set according to user attributes and stored in the unauthorized rule storage unit 13. Each record, set per rule, stores the rule applicable to the attribute to be determined; in this example, only regular employees and above have authority to send mail. If, for example, the practice nurse in the example of Fig. 6 attempts to send mail, it is determined that the user has no transmission authority and the mail transmission process is stopped.
When the unauthorized operation determination unit 15 determines that the operation related to the acquired data is unauthorized, the interrupt processing execution unit 16 stops the processing executed by that operation. For input/output data passing through the network, the channel is cut off at the point of input or output; for data handled through the external connection bus that is about to be printed or written to the external disk, the printing or writing is stopped.
When the user attribute information is obtained from the user data storage unit 12, if no record matches the user identity, or if the user identity is invalid, the unauthorized operation determination unit 15 may determine the operation to be an unauthorized operation (access by an unauthorized person) without consulting the unauthorized rule storage unit 13, and the interrupt processing execution unit 16 may then execute the interrupt processing. Because access by an unauthorized person is thus determined before the rule base is consulted, the processing load of the system is reduced and both the determination and the interrupt processing are accelerated.
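The Fig. 4 determination order, the usage-right short cut just described, and the Fig. 7 mail-sending rule as one runnable Python sketch. This is an added example, not code from the patent; the job-title ranking, the rule formats, the interrupt actions and the sample users and rules are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    NETWORK = "network"            # data transmitted over the network (Fig. 1)
    EXTERNAL_BUS = "external_bus"  # data sent through the driver to the external bus (Fig. 2)


@dataclass
class OutputInstruction:
    """Output instruction data plus the identification data of the user who issued it."""
    user_id: str            # identification data taken from the login identity
    channel: Channel
    operation: str          # e.g. "send_mail", "print", "write_external_disk"
    payload: str = ""       # content checked by keyword rules
    dest_ip: str = ""       # destination address checked by IP-address rules


@dataclass
class Verdict:
    unauthorized: bool
    reason: str
    action: str = "allow"          # "cut_channel" | "stop_driver" | "allow"
    rules_consulted: bool = False  # False when the usage-right check decided alone


# User data storage unit 12 (Fig. 6): user identity -> attributes. Constructed sample.
USER_DATA = {
    "u100": {"work_post": "accounting", "job_title": "regular_employee"},
    "u200": {"work_post": "nursing", "job_title": "practice_nurse"},
}

# Assumed ranking of job titles, so that "regular employees and above" is a threshold.
TITLE_RANK = {"practice_nurse": 0, "regular_employee": 1, "manager": 2}

# Unauthorized rule storage unit 13. General rules are unrelated to user attributes;
# attribute rules give the minimum job title permitted to perform an operation (Fig. 7).
GENERAL_RULES = {
    "blocked_keywords": ("confidential", "customer_list"),
    "blocked_dest_ips": ("203.0.113.7",),   # constructed address from a documentation range
}
ATTRIBUTE_RULES = {"send_mail": "regular_employee", "write_external_disk": "manager"}


def interrupt(instr: OutputInstruction, reason: str, rules_consulted: bool) -> Verdict:
    """Interrupt processing execution unit 16: cut the channel for network data,
    stop the driver for data headed to the external connection bus."""
    action = "cut_channel" if instr.channel is Channel.NETWORK else "stop_driver"
    return Verdict(True, reason, action, rules_consulted)


def determine(instr: OutputInstruction,
              users=USER_DATA, general=GENERAL_RULES, attr=ATTRIBUTE_RULES) -> Verdict:
    """Unauthorized operation determination unit 15 for the configuration of Fig. 4."""
    # Usage-right check first: an identity absent from the user data storage unit is
    # stopped immediately, before any rule is evaluated.
    user = users.get(instr.user_id)
    if user is None:
        return interrupt(instr, "no usage right: unknown user identity", False)

    # General rules: keyword and destination-address criteria.
    for keyword in general["blocked_keywords"]:
        if keyword in instr.payload:
            return interrupt(instr, f"general rule: keyword '{keyword}'", True)
    if instr.dest_ip in general["blocked_dest_ips"]:
        return interrupt(instr, f"general rule: destination {instr.dest_ip}", True)

    # Attribute rules: the operation is permitted only at or above a job-title threshold.
    min_title = attr.get(instr.operation)
    if min_title is not None and TITLE_RANK[user["job_title"]] < TITLE_RANK[min_title]:
        return interrupt(instr, f"attribute rule: '{instr.operation}' requires {min_title}", True)

    return Verdict(False, "no rule matched", "allow", True)


if __name__ == "__main__":
    # The Fig. 7 example: the practice nurse tries to send mail and is stopped.
    print(determine(OutputInstruction("u200", Channel.NETWORK, "send_mail")))
```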
The determination of Fig. 5 is performed by the following units: the data acquisition unit 14 acquires the data to be determined, the unauthorized operation determination unit 15 determines unauthorized operations from the rule base, the abnormal operation determination unit 18 determines unauthorized operations from each user's operation pattern without using the rule base, and the interrupt processing execution unit 16 terminates the processing so determined. As in the case of Fig. 4, these units may be stored in the hard disk drive 214 as parts of the monitoring program 11 that execute the respective processes, read out in order, and run by the CPU 211 with the RAM 212 as the work area.
In Fig. 5, the following processing is the same as in Fig. 4: the data acquisition unit 14 acquires the data to be determined, the unauthorized operation determination unit 15 determines unauthorized operations from the rule base, and the interrupt processing execution unit 16 terminates the processing so determined. What is new in this configuration is that the profile creating unit 19 creates a profile for each user, and the abnormal operation determination unit 18 determines unauthorized operations reflected in each user's operation pattern.
The data acquired by the data acquisition unit 14 is examined at the same time by the abnormal operation determination unit 18, which determines according to each user's operation pattern, and by the unauthorized operation determination unit 15, which determines by the rule base. Each user's past operation pattern is registered in the user profile 17; when the abnormal operation determination unit 18 compares the operation related to the acquired data with the user's operation pattern registered in the user profile 17 and determines that the operation is abnormal, the interrupt processing execution unit 16 executes the interrupt processing. For example, when an operation is performed at a time of day at which the user does not normally operate, or when many kinds of operations that are not normally performed are performed, the user may be performing an unauthorized operation or may be a person impersonating the user with that user's identity, and so the processing is interrupted.
The operation pattern registered in the user profile 17 can be created from the data that the abnormal operation determination unit 18 uses for determination and from the user attribute information in the user data storage unit 12. An operation log of the data obtained by the data acquisition unit 14 may also be used. The profile may be updated online each time new data is obtained, or periodically in batches.
The abnormal operation determination unit 18 is provided with a knowledge engine that compares against the user profile 17 and determines whether the operation pattern is abnormal. The knowledge engine has an artificial intelligence function for distinguishing normal operations from abnormal ones, and that artificial intelligence may be built as a Bayesian network or a neural network.
In the embodiments described so far, the interception process is performed when it is determined that the operation is an unauthorized operation, and the process of stopping printing or stopping storing data in the external disk is performed for data processed through the external link bus. However, when it is determined that the operation is an unauthorized operation, a process of notifying a user, a computer, or an administrator of the network who has performed the operation may be performed.
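The per-user profile and the abnormal-operation check of units 17, 18 and 19 described above, as an added example that is not code from the patent. The profile keeps per-user counts of the hour of day and the operation type; the "unusual hours" and "unseen operation types" checks, the two-type threshold and the minimum history are assumptions made here, and the operation log used to build the profile is constructed sample data.

```python
from collections import Counter

class UserProfile:
    """Operation pattern of one user (user profile 17), built online."""

    def __init__(self, min_history: int = 10):
        self.hours = Counter()      # hour of day -> number of past operations
        self.op_types = Counter()   # operation type -> number of past operations
        self.total = 0
        self.min_history = min_history   # assumed: do not judge on thin history

    def update(self, hour: int, op_type: str) -> None:
        """Profile creation section 19: fold one observed operation into the profile."""
        self.hours[hour] += 1
        self.op_types[op_type] += 1
        self.total += 1

    def is_abnormal(self, hour: int, op_types, unseen_threshold: int = 2) -> bool:
        """Abnormal operation determination unit 18, simplified.

        Flags an operation performed in an hour never seen for this user, or a
        batch containing at least `unseen_threshold` operation types never seen
        for this user (threshold is an assumption, not a value from the patent).
        """
        if self.total < self.min_history:
            return False   # too little history; the rule base still applies
        unusual_time = self.hours[hour] == 0
        unseen_types = sum(1 for t in set(op_types) if self.op_types[t] == 0)
        return unusual_time or unseen_types >= unseen_threshold

def build_profile(log) -> UserProfile:
    """Build a profile from an operation log of (hour, op_type) records."""
    profile = UserProfile()
    for hour, op_type in log:
        profile.update(hour, op_type)
    return profile

# Constructed sample log: a user who prints and saves during office hours.
SAMPLE_LOG = [(9, "print"), (10, "save"), (11, "print"), (13, "print"),
              (14, "save"), (15, "print"), (16, "save"), (17, "print"),
              (10, "print"), (12, "save"), (14, "print"), (16, "print")]

if __name__ == "__main__":
    p = build_profile(SAMPLE_LOG)
    print(p.is_abnormal(3, ["print"]))              # night-time printing -> True
    print(p.is_abnormal(10, ["print"]))             # usual behaviour -> False
    print(p.is_abnormal(10, ["copy_all", "mount"]))  # two unseen types -> True
```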
A basic flow of the monitoring program according to the present invention will be described with reference to the flowchart of fig. 8. First, input/output data transmitted over the network or the external connection bus, together with the identity of the operator performing the operation related to that data, is acquired (S01). The user database storing user attribute information is referenced for the acquired identity (S02). If the identity does not exist in the user database (S03), the operation is judged to be by a person without operation authority, and a process for suspending the operation related to the input/output data is executed (S08).
If the identity exists in the user database (S03), its attribute information is acquired from the user database (S04), and the rule database is referenced (S05). It is first judged whether the acquired attribute matches a rule set for that attribute (S06); if so, the operation is judged to be by a person without operation authority, and the suspension process for the operation on the input/output data is executed (S08). If not, it is judged whether the acquired input/output data matches a general rule (S07); if so, the operation is judged to be illegal and the process for stopping the operation related to the input/output data is executed (S08). If it matches neither, the operation related to the input/output data is continued as a normal operation.
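The S01 to S08 decision order of the fig. 8 flowchart, as an added example that is not code from the patent. The user database, the attribute-specific and general rules, the `OutputInstruction` record and the reasons returned are all constructed here; the reading that an attribute rule is keyed on an attribute value and fires when its condition holds for the instruction is an assumption about how the rule database is organised.

```python
from dataclasses import dataclass

@dataclass
class OutputInstruction:
    user_id: str     # operator identity determined from the acquired data (S01)
    device: str      # external output device, e.g. "printer" or "usb"
    file_type: str   # kind of data being output

# Constructed user database: identity -> attribute information (S02, S04).
USER_DB = {
    "alice": {"department": "sales", "role": "staff"},
    "bob":   {"department": "rd",    "role": "manager"},
}

# Constructed rule database (S05). Attribute rules are keyed on an attribute
# value; general rules apply to every user. A rule "matches" when it fires.
ATTRIBUTE_RULES = [
    ("department", "sales", lambda d: d.device == "usb"),        # sales: no USB output
    ("role",       "staff", lambda d: d.file_type == "design"),  # staff: no design files
]
GENERAL_RULES = [
    lambda d: d.file_type == "password_list",   # nobody outputs this
]

def monitor(data: OutputInstruction) -> tuple:
    """Walk the fig. 8 flow; return ("suspend", reason) for S08 or ("continue", "")."""
    attrs = USER_DB.get(data.user_id)                 # S02
    if attrs is None:                                 # S03: identity unknown
        return ("suspend", "no usage right")
    for attr, value, cond in ATTRIBUTE_RULES:         # S06: attribute-specific rules
        if attrs.get(attr) == value and cond(data):
            return ("suspend", f"attribute rule {attr}={value}")
    for cond in GENERAL_RULES:                        # S07: general rules
        if cond(data):
            return ("suspend", "general rule")
    return ("continue", "")                           # normal operation

if __name__ == "__main__":
    for rec in (OutputInstruction("mallory", "printer", "memo"),
                OutputInstruction("alice", "usb", "memo"),
                OutputInstruction("bob", "usb", "design"),
                OutputInstruction("bob", "usb", "password_list")):
        print(rec.user_id, rec.device, rec.file_type, "->", monitor(rec))
```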
Drawings
Fig. 1 is an explanatory diagram showing an example of an illegal monitoring system for monitoring a network according to the present invention.
Fig. 2 is an explanatory diagram showing an example of an unauthorized monitoring system for monitoring connection to an external device according to the present invention.
Fig. 3 is an explanatory diagram showing an installation position of the unauthorized monitoring system according to the present invention.
Fig. 4 is an exploded view showing a first configuration of the unauthorized monitoring system according to the present invention.
Fig. 5 is an exploded view showing a second configuration of the unauthorized monitoring system according to the present invention.
Fig. 6 is an explanatory diagram showing an example of the user data storage unit of the unauthorized monitoring system according to the present invention.
Fig. 7 is an explanatory diagram showing an example of the illegal rule storage unit of the illegal monitoring system according to the present invention.
Fig. 8 is a flowchart showing a flow of the unauthorized monitoring program according to the present invention.
Description of the figures
10 illegal monitoring server
11 illegal monitoring program
12 user data storage unit
13 illegal rule storage part
14 data acquisition part
15 illegal operation judging unit
16 interrupt processing execution unit
17 user profile
18 abnormal operation determination unit
19 profile creation section
20 user terminal
210 processing device
211 central processing unit
212 random access memory
213 read-only memory
214 hard disk drive
22 driver
23 external connection bus
24 output device
25 external storage device
31 user terminal
32 user terminal
33 user terminal
41 external terminal
42 external terminal
43 external terminal
Claims (6)
1. An illegal monitoring method for monitoring illegal data for executing an illegal operation on a computer, comprising the steps of: acquiring, on the computer, output instruction data output to an external output device through an external connection bus connecting the computer and the external device; determining identification information for identifying a user according to the output instruction data; acquiring at least a part of attribute information corresponding to the identification information from a user information storage section storing user attribute information relating to a user having the computer use authority; determining whether the output instruction data is illegal data by referring to a determination rule storage unit in which a rule for determining whether the output instruction data is illegal data is stored; stopping an output instruction operation executed according to the output instruction data by stopping an execution process of a driver when the illegal data is determined in the illegal data determination step;
further, the determination rule storage unit stores a determination rule corresponding to a user attribute, and in the step of determining whether or not the data is illegal, the determination rule corresponding to the attribute information acquired in the step of acquiring at least a part of the attribute information is referred to determine whether or not the data is illegal.
2. The illegal monitoring method according to claim 1, further comprising: a step of determining, on the computer, whether or not the user corresponding to the identification information has the usage right of the computer with reference to the user information storage unit; and a step in which the computer stops the operation executed based on the output instruction data when it is determined in the step of determining the usage right that there is no usage right;
and, the step of determining the usage right being executed before the step of determining the illegal data, when it is determined in the step of determining the usage right that there is no usage right, at least one of the step of acquiring at least a part of the attribute information and the step of determining the illegal data is not performed.
3. The illegal monitoring method according to claim 1 or 2, characterized by further comprising the steps of: on the computer, referring to a profile storage unit that stores operation log data related to the output instruction data as a profile of each user, and comparing the output instruction data acquired in the data acquisition step with the daily operation habits and tendencies of the user to determine whether or not there is an abnormality;
when an abnormality is determined in the step of determining whether or not there is an abnormality, the step of stopping the operation executed based on the output instruction data stops the output instruction operation executed based on the output instruction data.
4. An illegal monitoring system for monitoring illegal data for executing an illegal operation on a computer, comprising: data acquisition means for acquiring output instruction data output to an external output device through an external connection bus connecting the computer and the external device; identification information determination means for determining identification information for identifying a user based on the output instruction data; user information storage means for storing user attribute information on a user who owns the computer usage right; attribute information acquiring means for acquiring at least a part of attribute information corresponding to the identification information from the user information storing means; a determination rule storage means for storing a rule for determining whether the output instruction data is illegal data; illegal data determination means for referring to the determination rule storage means and determining whether or not the output instruction data is illegal data; stopping means for stopping an output instruction operation executed according to the output instruction data by stopping execution processing of the driver when the illegal data is determined in the illegal data determining means;
in the illegal data determination means, the determination rule storage means stores a determination rule corresponding to a user attribute, and the illegal data determination means refers to the determination rule corresponding to the attribute information acquired by the attribute information acquiring means to determine whether or not the data is illegal.
5. The illegal monitoring system according to claim 4, further comprising: usage right determination means for determining whether or not the user corresponding to the identification information has a usage right of the computer with reference to the user information storage means; wherein, when the usage right determination means determines that there is no usage right, the stopping means stops the operation performed based on the output instruction data, the usage right determination means is started before the illegal data determination means is started, and when the usage right determination means determines that there is no usage right, at least one of the attribute information acquiring means and the illegal data determination means is not started.
6. The illegal monitoring system according to claim 4 or 5, characterized by further comprising: profile storage means for storing operation log data related to the output instruction data as a profile of each user; and abnormal operation determination means for comparing the output instruction data acquired by the data acquisition means with the daily operation habits and tendencies of the user with reference to the profile storage means, and determining whether or not there is an abnormality;
when the abnormal operation determination means determines that there is an abnormality, the stopping means stops the output instruction operation executed based on the output instruction data.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP387212/2003 | 2003-11-17 | ||
| JP2003387212A JP3758661B2 (en) | 2003-11-17 | 2003-11-17 | Fraud monitoring program, fraud monitoring method and fraud monitoring system |
| PCT/JP2004/009860 WO2005048114A1 (en) | 2003-11-17 | 2004-07-09 | Invalidity monitoring program, invalidity monitoring method, and invalidity monitoring system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1098224A1 HK1098224A1 (en) | 2007-07-13 |
| HK1098224B true HK1098224B (en) | 2010-09-24 |