JP2021068133A - Information processing device, information processing method, information processing system and program - Google Patents

Abstract

To reduce a processing load on a PC to obtain a hash value of a file.SOLUTION: In an information processing device comprising detection means for detecting the execution of a file, acquisition means for acquiring file information of the file detected by the detection means, and first determination means for determining whether or not the file information of the file acquired by the acquisition means is included in a first list where the file information of the file is associated with a hash value, if the first determination means determines that the file is included in the first list, the hash value corresponding to the file information of the file is set to the hash value of the file, and if the first determination means determines that the file is not included in the first list, the hash value of the file is calculated and the calculated hash value is set to the hash value of the file.SELECTED DRAWING: Figure 4

Description

The present invention relates to an information processing device, an information processing method, an information processing system and a program.

In recent years, as a new form of cyber attack on a company, a method called a targeted attack that targets a computer owned by a specific employee in the company, infects the computer with malware, and steals information in the company is increasing. Also, the types of malware continue to grow. Conventional security products generally use the blacklist method, which registers the file information of a malicious file and prohibits execution when the file is executed, but it is difficult to handle unknown files with the blacklist method. Met. Therefore, anti-malware measures have been taken by using a white list type control method (for example, Patent Document 1) that allows known files and restricts execution otherwise.

Japanese Unexamined Patent Publication No. 2014-96142

However, the white list type and blacklist type control methods include a process of controlling using the hash value of the file, and the load of the process of acquiring the hash value affects other programs such as delay. Therefore, there is a problem that a high load is applied to the user's personal computer (hereinafter referred to as PC).

Therefore, an object of the present invention is to solve at least one of the above problems or other problems. For example, an object of the present invention is to reduce the processing load of a PC and acquire a hash value of a file.

The information processing device according to the present invention is
Detection means to detect file execution and
An acquisition means for acquiring file information of a file detected by the detection means, and
It is provided with a first determination means for determining whether or not the file information of the file acquired by the acquisition means is included in the first list in which the file information of the file and the hash value are associated with each other.
When it is determined by the first determination means that it is included in the first list, the hash value corresponding to the file information of the file is set as the hash value of the file, and the first list by the first determination means. When it is determined that the file is not included in the file, the hash value of the file is calculated, and the calculated hash value is used as the hash value of the file.

According to the present invention, it is possible to reduce the processing load of the PC and acquire the hash value of the file.

A block diagram showing a configuration example of an information processing system. A block diagram showing a configuration example of an information processing system in which a server does not exist. The flowchart explaining an example of the process of the determination program 110. The flowchart explaining an example of processing of acquisition program 120. The flowchart explaining an example of processing of update program 130. The flowchart explaining an example of the process of the organizing program 140. The figure which shows an example of the history list. The figure which shows an example of the access count record list. The figure which shows an example of the history list master. The figure which shows an example of the access count record list master.

Hereinafter, the information processing of the information processing system of the embodiment according to the present invention will be described in detail with reference to the drawings. Although the information processing system using the white list will be described below, the following processing can be applied not only to the white list but also to the information processing system using the blacklist.

[System configuration]
FIG. 1 is a block diagram showing a configuration example of an information processing system. The information processing system includes an information processing device and a server device that manages the information processing device. In FIG. 1, the client computer (hereinafter, client) 10 is an information processing device in an information processing system. The client 10 is, for example, a personal computer (PC) installed in a company, a school, an administrative agency, a home, or the like, or a computer device such as a tablet terminal or a smartphone used or owned by an individual.

The server computer (hereinafter, server) 20 is a server device that manages an information processing device in an information processing system. The server 20 acquires the information of the white list 111, the history list (first list) 121, and the access count record list (second list) 131 from the plurality of clients 10 and creates a database, or periodically clients. The white list data, the history list data, and the access count list data are transmitted to 10, and the white list 111, the history list 121, and the access count list 131 are updated.

The network 300 is a computer network such as the Internet or an intranet. The client 10 connects to the server 20, a web server, an FTP server, etc. (not shown) via the network 300. Although the client 10 and the server 20 are shown one by one in FIG. 1 for the sake of brevity, in reality, a plurality of clients and a plurality of servers may exist.

● Client In the client 10, the arithmetic unit 10C is a microprocessor (CPU). The arithmetic unit 10C boots the operating system (OS) stored in the storage device 10B according to a boot program such as BIOS stored in the ROM of the memory 10E, and further executes various resident programs (for example, a determination program 110) according to the OS. to start. At that time, the arithmetic unit 10C uses the RAM of the memory 10E as a work area. Further, the OS is, for example, Windows (registered trademark), MacOS (registered trademark), Linux (registered trademark), iOS (trademark), Android (trademark) and the like.

The storage device 10B is a hard disk drive (HDD), a solid state drive (SSD), or the like, and stores various programs 100A and data 100B running on the client 10 in addition to the OS. Although the details will be described later, the various programs 100A stored in the storage device 10B include the discrimination program 110, the acquisition program 120, the update program 130, the rearranging program 140, the file search program 150, the hash value calculation program 160, and the whitelist identification program 170. Etc. are included.

The program 100A may include a plurality of programs for each function such as the discrimination program 110, or may be one program having various functions. Further, as will be described in detail later, the various data 100B stored in the storage device 10B includes a white list 111, a history list 121, an access count record list 131, and the like.

The I / O device 10A is an input / output interface (I / F) for connecting to a pointing device (mouse or the like) or a keyboard, or a display incorporating a touch panel. The keyboard may be a software keyboard. Further, the I / O device 10A may be a voice input unit including a microphone or the like that recognizes the input operator's voice by the voice recognition function and transmits the recognized voice to the arithmetic unit 10C. The I / O device 10A also functions as a user interface (UI) for displaying information.

The network I / F 10D is an interface with the network 300 and is a communication circuit for communicating with another computer. The arithmetic unit 10C receives information such as a part of data of the white list 111 from the server 20 via the network I / F 10D, and transmits various information to the server 20.

● Server In the server 20, the arithmetic unit 20C is a microprocessor (CPU). The arithmetic unit 20C boots the OS stored in the storage device 20B according to a boot program such as a BIOS stored in the ROM of the memory 20E. Further, the arithmetic unit 20C loads the management console 210 from the storage device 20B into the RAM of the memory 20E. Then, information (for example, information on the white list 111) is acquired from a plurality of clients 10 and stored in a database, or conversely, information is transmitted to the clients 10 to update the white list 111.

The storage device 20B is an HDD, SSD, or the like, and stores various programs 200A and data 200B including a management console 210 running on the server 20 in addition to the OS. Although details will be described later, the various data 200B stored in the storage device 20B includes a white list master 211, a history list master 221 and an access count record list master 231.

The I / O device 20A is an interface for connecting a pointing device (mouse, etc.), a keyboard, and a monitor, the monitor functions as a UI for displaying information, and the network I / F 20D is an interface with the network 300. It is a communication circuit for communicating with another computer such as the client 10.

The arithmetic unit 20C receives information about the white list 111 and the history list 121 from a plurality of clients 10 via the network I / F 20D, and manages the white list master 211 and the history list master 221 based on the received information. ..

The server 20 is not an indispensable configuration in the information processing system. The block diagram of FIG. 2 shows a configuration example of an information processing system in which the server 20 does not exist. In the configuration of FIG. 2, since communication between the client 10 and the server 20 is not required, the network 300 and the network I / F 10D are also optional.

Further, the information processing system may be configured by using a thin client (for example, a terminal service). A thin client is a system that enables a client to remotely connect to a server and execute an application program on the server using a virtual desktop environment generated on the server.

[Programs and Data]
The determination program 110 acquires information such as file information (for example, file path, file name, size, version information, etc.), hash value, etc. for identifying a file from a program executed separately by the arithmetic unit 10C. To do. Then, with reference to the access count record list 131, the access count for the acquired file is compared with the reference reference count indicating the reference value for the access count for the target file, and the execution of the acquisition program 120 or the update program 130 is determined. ..

The acquisition program 120 searches the history list 121, acquires a hash value, and registers file information.

Update 130 updates the number of accesses to the file and the date and time of the last access. The organizing program 140 organizes the history list 121 after a file operation (for example, writing, renaming, deleting, etc.) occurs.

The file search program 150 searches the history list 121, the access count record list 131, and the like. The hash value calculation program 160 performs a hash value calculation.

The white list identification program 170 uses the white list 111 to identify the file to be executed, and controls (prohibits / permits) the execution of the file.

The white list 111 is a list of files that are permitted to be executed, and is used by the white list identification program 170. The white list 111 holds file information and hash value information for each file. Note that the present invention is not limited to this, and for example, a process name, a digital signature, or the like may be retained.

The history list (first list) 121 records the file information and the hash value of each file, and is used by the acquisition program 120 and the rearranging program 140. FIG. 7 shows an example of the history list 121. The history list 121 holds information on the file path and hash value for each file. Note that FIG. 7 is an example, and the type and number of information held as the history list 121 is not limited to FIG.

The access count record list (second list) 131 records the file information, the last access date and time, the access count, and the reference reference count of each accessed file, and is used by the determination program 110 and the update program 130. .. FIG. 8 shows an example of the access count record list 131. The access count record list 131 holds information on the file path, the last access date and time, the access count, and the reference reference count for each file. The reference reference count indicates a reference value of the access count to the target file, and is stored in advance by the user. Further, the reference reference number of times may be set by the server 20 or the client 10. Note that FIG. 8 is an example, and the type and number of information held in the access count record list 131 is not limited to FIG.

The white list master 211 collectively manages the white list 111.
It is a list of a plurality of whitelists 111, and sends and receives whitelist data to and from the client 10. The white list master 221 holds information related to the white list 111 of a plurality of clients in association with the names and codes of the clients.

Similar to the white list master 211, the history list master 221 lists a plurality of history lists 121 in order to collectively manage the history list 121, and sends and receives history list data to and from the client 10. FIG. 9 shows an example of the history list master 221 existing in the server 20. The history list master 221 holds information related to the history lists 121 of a plurality of clients in association with the names and codes of the clients. In the example of FIG. 9, a plurality of file paths and hash values are held as the history list 003 corresponding to the client PC 003. Note that FIG. 9 is an example, and the type and number of information held as the history list master 221 is not limited to FIG.

The access count record list master 231 lists a plurality of access count record lists 131 in order to collectively manage the access count record list 131, and transmits / receives access count record list data. FIG. 10 shows an example of the access count record list master 231 existing in the server 20. The access count record list master 231 holds information related to the access count record list 131 of a plurality of clients in association with the client name and code. In the example of FIG. 10, a plurality of file paths, the last access date and time, the access count, and the reference reference count are retained as the access count record list 003 corresponding to the client PC 003. Note that FIG. 10 is an example, and the type and number of information held as the access count record list master 231 is not limited to FIG.

[Control processing]
● Processing of the determination program 110 FIG. 3 is a flowchart showing a process of determining the execution of the acquisition program or the update program executed by the determination program 110.

The arithmetic unit 10C monitors the execution of the file (for example, Dynamic Link Library), and when the execution of the file is detected, the determination program 110 acquires the file information of the target file in step S301. The file information may be anything as long as it uniquely identifies the file, such as a file name, a file path, and a size.

In step S302, the determination program 110 determines whether or not the file information acquired in step S301 exists in the access count record list 131.

If it is determined that the file exists in the access count record list 131 (YES in step S302), the determination program 110 determines in step S303 whether or not the number of accesses corresponding to the target file information exceeds the reference value. judge. Specifically, the access count corresponding to the target file information acquired in step S301 recorded in the access count record list 131 is compared with the reference reference count, and whether the access count exceeds the reference reference count. Judge whether or not.

If the number of accesses exceeds the reference value (YES in step S303), the process proceeds to step S304, and if the number of accesses is less than the reference value (NO in step S303), the process proceeds to step S305.

The determination program 110 executes the acquisition program 120 in step S304, and executes the update program 120 in step S305. The processes executed by the acquisition program 120 and the update program 130 will be described later.

● Process of acquisition program 120 FIG. 4 is a flowchart showing a process of acquiring a hash value executed by the acquisition program 120.

In step S401, the acquisition program 120 determines whether the target file information acquired in S301 exists in the history list 121. When the target file information exists in the history list 121 (YES in step S401), in step S402, the acquisition program 120 acquires the hash value corresponding to the target file registered in the history list 121.

If the target file information does not exist in the history list 121 (NO in step S401), the acquisition program 120 executes the hash value calculation program 160 to calculate the hash value in step S403.

In step S404, the acquisition program 120 additionally registers the file information acquired in step S301 with the hash value calculated in step S403 in the history list 121.

In step S405, the acquisition program 120 executes the white list identification program 170. The white list identification program 170 uses the white list 111 to identify the file to be executed, and controls (prohibits / permits) the execution of the file.

When the execution of the file is detected, if the history list 121 has the file information of the target file, the hash value is acquired from the history list 121, and if the file information of the target file does not exist, the hash value is calculated to hash. The number of processes for calculating the value can be reduced. Further, when the number of accesses to the target file exceeds the reference value, the acquisition program 120 is executed to refer to the history list 121, so that the number of processes for searching the history list 121 can be reduced.

● Process of update program 130 FIG. 5 is a flowchart showing a process of updating the access count record list 131 executed by update program 130.

In step S501, the update program 130 determines whether or not the target file information acquired in S301 exists in the access count record list 131. If it does not exist in the access count record list 131 (NO in step S501), the update program 130 registers the file information acquired in S301 in the access count record list 131 in step S502.

If it exists in the access count record list 131 (YES in step S501), the update program 130 sets the current time as the last access date and time corresponding to the target file information recorded in the access count record list 131 in step S503. It is determined whether or not it is within a certain period from. A certain period of time is stored in advance by the user, and may be set by the server 20 or the client 10.

If it is not within a certain period (NO in step S503), in step S504, the update program 130 resets the access count corresponding to the target file information recorded in the access count record list 131.

If it is within a certain period (YES in step S503), in step S505, the update program 130 updates the last access date and time corresponding to the target file information recorded in the access count record list 131 to the current time.

In step S506, the update program 130 adds 1 (1 count up) the number of accesses corresponding to the target file information recorded in the access count record list 131. In step S507, the update program 130 executes the hash value calculation program 160 to calculate the hash value.

In step S508, update 130 executes the whitelist identification program 170. The white list identification program 170 uses the white list 111 to identify the file to be executed, and controls (prohibits / permits) the execution of the file.

If the last access date and time recorded in the access count record list 131 is not within a certain period from the current time, the access count is reset. Therefore, a file that has not been accessed for a certain period of time is calculated with a hash value, so that the security can be further improved.

● Processing of the organizing program 140 FIG. 6 is a flowchart showing a processing of organizing the history list 121 when a file operation occurs, which is executed by the organizing program 140. A file operation is an operation performed on a file such as creating, reading, writing, or deleting a file.

The arithmetic unit 10C monitors the file operation and detects the file operation. In step S601, when the file operation occurs, the organizing program 140 determines whether or not the file operation generated in step S602 is a file change operation. The file change operation is a file operation in which the hash value of the file is changed, for example, writing or deleting.

In the case of the file change operation (YES in step S602), in step S603, the organizing program 140 determines whether or not the hash value corresponding to the file information of the target file exists in the history list 121.

If the hash value exists (YES in step S603), the organizing program 140 deletes the target file information and the hash value recorded in the history list 121.

When the file is rewritten, the hash value before rewriting is deleted from the history list 121, so that the correct hash value for the rewritten file can be obtained. Further, when the file is rewritten, the file information and the hash value of the history list 121 are deleted, so that the number of processes for searching the history list 121 can be reduced.

According to this embodiment, if the target file information exists in the history list without performing the process of calculating the hash value every time the file is executed, the hash value is acquired from the history list, so that the hash value is calculated. It is possible to reduce the processing to be calculated. Therefore, the processing load of the PC can be reduced and the hash value of the file can be acquired.

Claims (8)

Detection means to detect file execution and
An acquisition means for acquiring file information of a file detected by the detection means, and
It is provided with a first determination means for determining whether or not the file information of the file acquired by the acquisition means is included in the first list in which the file information of the file and the hash value are associated with each other.
When it is determined by the first determination means that it is included in the first list, the hash value corresponding to the file information of the file is set as the hash value of the file, and the first list by the first determination means. An information processing apparatus characterized in that, when it is determined that the file is not included in the file, the hash value of the file is calculated and the calculated hash value is used as the hash value of the file. Whether or not the file information of the file acquired by the acquisition means is included in the second list in which the file information of the file, the last access date and time, the access count, and the reference reference count are associated with each other. The second judgment means to judge
When it is determined by the second determination means to be included in the second list,
The information processing apparatus according to claim 1, further comprising a third determination means for determining whether or not the number of accesses corresponding to the file information of the file exceeds the reference reference number of times. The detection means detects a file operation on the file and
A fourth determination means for determining whether the detected file operation is a file change operation,
The information processing according to claim 1 or 2, wherein when the fourth determination means determines that the file change operation is performed, the file information and hash value of the file are deleted from the first list. apparatus. The file information of the file, the last access date and time, the access count, the last access date and time recorded in the second list associated with the reference reference count, and the time when the file information of the file was acquired. Further provided with a fifth determination means for determining whether or not the file is within a certain period of time.
The information processing according to any one of claims 1 to 3, wherein when the fifth determination means determines that the period is not a certain period, the number of accesses corresponding to the file information of the file is reset. apparatus. The information processing apparatus according to any one of claims 1 to 4, further comprising a control means for permitting or prohibiting execution of a file based on a list of files whose execution is permitted or prohibited. The detection process that detects the execution of a file and
The acquisition process for acquiring the file information of the file detected in the detection process, and
It is provided with a first determination step of determining whether or not the file information of the file acquired in the acquisition step is included in the first list in which the file information of the file and the hash value are associated with each other.
When it is determined in the first determination step that the file is included in the first list, the hash value corresponding to the file information of the file is set as the hash value of the file, and the first list in the first determination step. When it is determined that the file is not included in the file, the hash value of the file is calculated, and the calculated hash value is used as the hash value of the file. The information processing apparatus according to claim 5 and
An information processing system including a server device that transmits data of a list of files permitted or prohibited to be executed to the information processing device via a network. A program for causing a computer to function as each means of the information processing apparatus according to any one of claims 1 to 5.

Images