JP6338189B2 - Management device, management system, management device control method, and program - Google Patents

Description

  The present invention relates to a management device, a management system, a management device control method, and a program.

  When a failure occurs in hardware of an IT (Information Technology) device (hereinafter referred to as an information device) in which a firewall is incorporated, it is desirable to quickly restore the hardware. In view of this, there has been proposed a technique for restoring an information device and / or a system including the information device when a failure occurs in the information device.

  Patent Literature 1 describes a firewall system including a first firewall device that operates as a master device and a second firewall device that operates as a backup device. In the technique described in Patent Document 1, the second firewall device monitors the first firewall device. When a failure occurs in the first firewall device, the second firewall device controls the first firewall device via a LAN (Local Area Network).

  Japanese Patent Application Laid-Open No. 2004-228561 describes a technology for storing software package configuration and data related to the software as backup data. In the technique described in Patent Document 2, when it is necessary to restore data, the package configuration of software that operates the data and the data are restored.

  Patent Document 3 describes a technique for comparing firewall setting information of each security function with respect to two or more security functions provided in the data processing device and detecting inconsistency between the firewall setting information.

JP 2008-199081 A JP 2007-257156 A JP 2007-0667604 A

  It should be noted that the disclosure of the above prior art document is incorporated herein by reference. The following analysis has been made from the viewpoint of the present invention.

  As described above, when a failure occurs in an information device, it is desirable to quickly recover it.

  In the technologies described in Patent Documents 1 and 3, when a failure occurs in the information device, the backup information device operates, but the failed information device cannot be recovered.

  In the technique described in Patent Document 2, the entire configuration information is restored. For this reason, in the technique described in Patent Document 2, there is a possibility that the backup process of the part that has not been updated in the configuration information is repeated. Furthermore, in the technique described in Patent Document 2, the entire configuration information is restored, and thus the updated portion cannot be grasped.

  SUMMARY An advantage of some aspects of the invention is that it provides a management device, a management system, a management device control method, and a program that contribute to appropriately managing an updated portion of an information device.

According to a first aspect of the present invention, a management device is provided. The management device includes a management device communication unit that communicates with the information device.
Furthermore, the management apparatus includes a security information acquisition unit that acquires first security information corresponding to software installed in the information device via the management apparatus communication unit.
The management device further includes a management device storage unit that stores second security information corresponding to the software and an operation mode .
Further, the management apparatus, when the operation mode is the first mode and the first security information is different from the second security information, the first security information and the second security information. A security information management unit is provided for storing a difference from the information in the management device storage unit. The security information management unit transmits the difference to the information device when the operation mode is the second mode and the first security information is different from the second security information.

According to a second aspect of the present invention, a management system is provided. The management system includes an information device and a management device including a management device communication unit that communicates with the information device.
The information device includes a device storage unit that stores first security information corresponding to software installed in the information device.
Furthermore, the information device includes a security information output unit that transmits the first security information to the management device.
Furthermore, the management device includes a management device communication unit that communicates with the information device.
Furthermore, the management device includes a security information acquisition unit that acquires first security information corresponding to software installed in the information device via the management device communication unit.
The management device further includes a management device storage unit that stores second security information corresponding to the software and an operation mode .
Furthermore, the management apparatus, when the operation mode is the first mode and the first security information transmitted from the information device is different from the second security information, the first security information And a security information management unit that stores a difference between the second security information and the second security information in the management device storage unit. The security information management unit transmits the difference to the information device when the operation mode is the second mode and the first security information is different from the second security information.

According to a third aspect of the present invention, a control method for a management apparatus is provided. The management device includes a management device communication unit that communicates with the information device. The control method includes a step of obtaining first security information corresponding to software installed in the information device.
Further, the control method includes a step of storing second security information corresponding to the software and an operation mode .
Further, in the control method, when the operation mode is the first mode and the first security information is different from the second security information, the first security information and the second security information A step of calculating a difference from the information.
Further, the control method includes a step of storing the difference.
Further, the control method includes a step of transmitting the difference to the information device when the operation mode is the second mode and the first security information is different from the second security information.
Note that this method is linked to a specific machine called a management device that communicates with information equipment.

According to a fourth aspect of the present invention, there is provided a program that is executed by a computer that controls a management apparatus. The management device includes a management device communication unit that communicates with the information device. The program causes the computer to execute processing for acquiring first security information corresponding to software installed in the information device.
Further, the program causes the computer to execute processing for storing second security information corresponding to the software and an operation mode .
Further, in the program, when the operation mode is the first mode and the first security information is different from the second security information, the first security information and the second security information The computer is caused to execute a process for calculating the difference between the two.
Further, the program causes the computer to execute a process for storing the difference.
The program further includes a process of transmitting the difference to the information device when the operation mode is the second mode and the first security information is different from the second security information. Let the computer run.
The program can be recorded on a computer-readable storage medium. The storage medium may be non-transient such as a semiconductor memory, a hard disk, a magnetic recording medium, an optical recording medium, or the like. The present invention can also be embodied as a computer program product.

  According to each aspect of the present invention, a management device, a management system, a management device control method, and a program that contribute to appropriately managing an updated portion of an information device are provided.

It is a figure for demonstrating the outline | summary of one Embodiment. It is a block diagram which shows an example of the whole structure of the management system 1 which concerns on 1st Embodiment. FIG. 3 is a block diagram illustrating an example of the internal configuration of the information device 100. FIG. 4 is a block diagram illustrating an example of the internal configuration of the management apparatus 200. It is a flowchart which shows an example of operation | movement of the management system 1 in a 3rd mode. It is a flowchart which shows an example of operation | movement of the management system 1 in a 3rd mode. It is a flowchart which shows an example of operation | movement of the management system 1 in a 1st mode. It is a flowchart which shows an example of operation | movement of the management system 1 in a 1st mode. It is a flowchart which shows an example of operation | movement of the management system 1 in a 1st mode. It is a flowchart which shows an example of operation | movement of the management system 1 in a 2nd mode. It is a flowchart which shows an example of operation | movement of the management system 1 in a 2nd mode. It is a flowchart which shows an example of operation | movement of the management system 1 in a 2nd mode. It is a flowchart which shows an example of operation | movement of the management system 1 in a 2nd mode. It is a block diagram which shows an example of the whole structure of the management system 1a which concerns on 2nd Embodiment.

  First, an outline of an embodiment will be described with reference to FIG. Note that the reference numerals of the drawings attached to the outline are attached to the respective elements for convenience as an example for facilitating understanding, and the description of the outline is not intended to be any limitation.

  As described above, a management device that contributes to appropriately managing the updated portion of the information equipment is desired.

  Therefore, as an example, the management device 20 shown in FIG. 1 is provided. The management device 20 includes a management device communication unit 21, a security information acquisition unit 22, a management device storage unit 23, and a security information management unit 24.

  The management device communication unit 21 communicates with the information device 10. The security information acquisition unit 22 acquires first security information 31 corresponding to software installed in the information device 10 via the management device communication unit 21. Specifically, the security information acquisition unit 22 acquires the first security information 31 stored in the information device 10 from the information device 10 via the management device communication unit 21.

  Here, the security information is information relating to the security (management) of software installed in the information device 10. For example, the security information may include a patch file that corrects a malfunction of the firewall. The security information may include a virus pattern file that detects unauthorized access and the like. The security information may include firewall setting information for setting a firewall. The software may be a program for controlling a firewall and / or an OS (Operating System).

  The management device storage unit 23 stores second security information 32 corresponding to software installed in the information device 10. Here, the second security information 32 is security information corresponding to the same software as the first security information 31.

  When the first security information 31 and the second security information 32 are different from each other, the security information management unit 24 indicates a difference 33 between the first security information 31 and the second security information 32 as a management device storage unit. 23.

  The management device 20 may monitor the information device 10 and monitor whether the first security information (patch file or the like) 31 is updated. In that case, the security information acquisition unit 22 may acquire the first security information 31 from the information device 10 when the first security information 31 is updated. If the first security information 31 applied to the information device 10 is different from the second security information 32 stored in advance, the security information management unit 24 determines whether the first security information 31 and the second security information 32 A difference 33 from the security information 32 is calculated. Then, the security information management unit 24 stores the calculated difference 33 in the management device storage unit 23. As a result, the management device 20 stores the updated portion in the security information (first security information 31) of the information device 10. As described above, with respect to the information device 10 to be managed, the management device 20 can monitor the update of the patch file or the like of the information device 10 and make a backup of the updated portion.

  For example, assume that a failure has occurred in the information device 10. In that case, even if the information device 10 is restored, the software may not operate in a state before the failure occurs. However, the management device 20 stores in advance an updated part such as a patch file to be stored. Therefore, after the failure recovery, the information device 10 may acquire a backup of the updated part from the management device 20. Then, the information device 10 can easily restore the information device 10 to the state before the failure by applying the updated portion of the acquired patch file or the like to the information device 10. Therefore, the management device 20 contributes to appropriately managing the updated portion of the information device 10.

[First Embodiment]
The first embodiment will be described in more detail with reference to the drawings. In the following description, information for identifying a patch file is referred to as a patch file ID (Identification). In the following description, information for identifying a virus pattern file is referred to as a virus pattern file ID. The patch file ID and the virus pattern file ID are configured to include at least one of numbers, characters, and symbols.

  FIG. 2 is a block diagram illustrating an example of the overall configuration of the management system 1 according to the present embodiment. The management system 1 includes an information device 100 and a management device 200.

  The information device 100 operates the information device 100 by causing the installed computer to execute the OS 1100. The OS 1100 controls firewall software 1020 for controlling the firewall. The firewall software 1020 is a software program for controlling processing related to the firewall for the information device 100.

  The management apparatus 200 operates the management apparatus 200 by causing the installed computer to execute the OS 2100. The OS 2100 controls the firewall management software 2020.

  Each of the information device 100 and the management device 200 includes a USB (Universal Serial Bus) interface or the like. The information device 100 and the management apparatus 200 are connected via a USB interface or the like.

  For example, the management apparatus 200 is a so-called USB memory, and the OS 2100 may be installed in a storage unit (storage area) of the USB memory. For example, the OS 2100 may be Linux (registered trademark). Of course, the OS 2100 may be an OS with a different name based on Linux. Further, when the management apparatus 200 is a USB memory, the OS 2100 may be an OS that operates on the USB memory, and details thereof are not limited.

  Next, the internal configuration of the information device 100 and the management apparatus 200 will be described in detail with reference to FIGS. 3 and 4.

  First, the internal configuration of the information device 100 will be described in detail. FIG. 3 is a block diagram illustrating an example of the internal configuration of the information device 100. The information device 100 includes a device communication unit 110, a device storage unit 120, and a device control unit 130. Note that FIG. 3 mainly describes modules related to the information device 100 according to the present embodiment.

  The information device 100 may include an input unit (not shown) and a display unit (not shown). The input unit accepts user input. For example, the input unit may be realized using a keyboard, a mouse, a touch panel, or the like. The display unit presents information so that the user can visually recognize the information. For example, the display unit may be realized using a liquid crystal panel, an organic EL (Electro Luminescence) panel, or the like.

  Each module of the information device 100 illustrated in FIG. 3 may be realized by a computer program that causes a computer constituting the information device 100 to execute each process using the hardware thereof.

  The device communication unit 110 communicates with the management device 200. That is, the device communication unit 110 is an interface for communicating with the management apparatus 200. For example, the device communication unit 110 may communicate with the management apparatus 200 via USB.

  The device storage unit 120 stores first identification information corresponding to software installed in the information device 100. Here, the first identification information means security information applied to the information device 100 for the security of software installed in the information device 100. The first identification information is information including at least one of a patch file ID 1011, a virus pattern file ID 1012, and firewall setting information 1023 applied for security of software installed in the information device 100.

  The device storage unit 120 stores first security information corresponding to software installed in the information device 100. The first security information may include a patch file 1021, a virus pattern file 1022, firewall setting information 1023, and the like.

  In addition, the device storage unit 120 stores first identification information corresponding to the first security information. The first identification information is information for specifying the first security information such as the patch file ID 1011 and the virus pattern file ID 1012.

  The device storage unit 120 also stores firewall software 1020. The device storage unit 120 may include a storage device. For example, the device storage unit 120 may be configured using an HDD (Hard Disk Drive) or the like.

  The device control unit 130 controls processing for operating the information device 100. Further, the device control unit 130 controls the OS 1100 mounted on the information device 100. As described above, the OS 1100 controls the firewall software 1020 stored in the device storage unit 120. The device control unit 130 is realized using a CPU (Central Processing Unit) and a memory (RAM (Random Access Memory)).

  The device control unit 130 includes a security information output unit 131 and a security control unit 132.

  The security information output unit 131 transmits the first identification information to the management apparatus 200 in response to a request from the management apparatus 200. Specifically, when the device communication unit 110 receives a signal (command) requesting the first identification information, the security information output unit 131 receives the first identification such as the patch file ID 1011 from the device storage unit 120. Extract information. Then, the security information output unit 131 transmits the first identification information extracted from the device storage unit 120 to the management apparatus 200 via the device communication unit 110.

  The security control unit 132 controls processing for applying the patch file 1021, the virus pattern file 1022, and the firewall setting information 1023 to the information device 100.

  Next, the internal configuration of the management apparatus 200 will be described in detail. FIG. 4 is a block diagram illustrating an example of the internal configuration of the management apparatus 200. The management device 200 includes a management device communication unit 210, a management device storage unit 220, and a management device control unit 230. FIG. 4 mainly describes modules related to the management apparatus 200 according to the present embodiment.

  Each module of the management apparatus 200 illustrated in FIG. 4 may be realized by a computer program that causes a computer constituting the management apparatus 200 to execute each process using the hardware.

  The management device communication unit 210 communicates with the information device 100. That is, the management device communication unit 210 is an interface for communicating with the information device 100. For example, the management device communication unit 210 may communicate with the information device 100 using USB.

  The management device storage unit 220 stores second security information corresponding to software installed in the information device 100. The second security information may include a patch file 2021, a virus pattern file 2022, and the like.

  The second security information may include a patch file 2021, a virus pattern file 2022, firewall setting information 2023, and the like. The patch file 2021 means a patch file specified based on the patch file ID 2011. The virus pattern file 2022 means a virus pattern file specified based on the virus pattern file ID 2012.

  In addition, the management device storage unit 220 stores second identification information corresponding to the second security information. The second identification information is information for identifying the second security information. The second identification information is information for specifying the second security information such as the patch file ID 2011 and the virus pattern file ID 2012.

  In addition, the management device storage unit 220 stores an operation mode 2030. Here, the operation mode 2030 is information regarding the operation mode of the management apparatus 200. The management device 200 executes processing according to the operation mode 2030. The operation mode 2030 is information indicating any one of the first mode to the third mode. Hereinafter, the first mode is also referred to as “in-operation connection mode”. Hereinafter, the second mode is also referred to as “recovery connection mode”. Hereinafter, the third mode is also referred to as “initial connection mode”. Details of the operation mode will be described later.

  As described above, the management device 200 may be a so-called USB memory. The OS 2100 may be installed in the management device storage unit 220. In that case, the management device storage unit 220 may be realized using a flash memory or the like.

  The management device control unit 230 controls processing for operating the management device 200. The management device control unit 230 controls the OS 2100 installed in the management device 200. As described above, the OS 2100 controls the firewall management software 2020 stored in the management device storage unit 220. The management device control unit 230 is realized using a CPU and a memory (RAM).

  The management device control unit 230 includes an operation mode control unit 231, a security information acquisition unit 232, a security information comparison unit 233, and a security information management unit 234. Each module of the management apparatus control unit 230 illustrated in FIG. 4 may be realized as the firewall management software 2020 illustrated in FIG.

  The operation mode control unit 231 acquires the operation mode 2030 and stores the acquired operation mode 2030 in the management device storage unit 220. For example, the user may input an operation mode using an input unit (not shown) of the information device 100. In this case, the information device 100 transmits the input operation mode to the management apparatus 200 via the device communication unit 110. The operation mode control unit 231 may acquire the operation mode via the management device communication unit 210. Then, the operation mode control unit 231 stores the acquired operation mode in the management device storage unit 220 as the operation mode 2030.

  The security information acquisition unit 232 acquires first identification information corresponding to the software installed in the information device 100 via the management device communication unit 210.

  The security information comparison unit 233 compares the first identification information with the second identification information. Specifically, the security information comparison unit 233 compares the first identification information acquired by the security information acquisition unit 232 with the second identification information stored in the management device storage unit 220. As described above, it is assumed that the second identification information stored in the management device storage unit 220 corresponds to software installed in the information device 100. Note that the security information comparison unit 233 compares the first identification information and the second identification information with respect to the same type of information. For example, when the first identification information is the patch file ID 1011, the second identification information to be compared is the patch file ID 2011.

  When the first security information and the second security information are different, the security information management unit 234 stores the difference between the first security information and the second security information in the management device storage unit 220.

  Note that the information device 100 and the management apparatus 200 may use an existing command (function) implemented in the OS when executing patch file application processing, patch file acquisition processing, and the like. For example, when the OS 1100 and the OS 2100 are Linux, the information device 100 and the management apparatus 200 perform patch file application processing, patch file acquisition processing, and the like using commands such as “yum update” and “yum proxy”. May be executed. Note that the above commands (“yum update”, “yum proxy”) are merely examples, and are not intended to limit the commands. Of course, the information device 100 and the management device 200 execute commands with different names depending on the OS.

  Hereinafter, the first mode (in-operation connection mode) and the second mode (recovery connection mode) will be described in detail. In the following description, the first information device 101 corresponds to the information device 100 in the first operation mode (in-operation connection mode) and the third operation mode (initial connection mode). In the following description, the second information device 102 corresponds to the information device 100 in the second operation mode (recovery connection mode). Specifically, it is assumed that the first information device 101 is the information device 100 before the occurrence of the failure. On the other hand, the second information device 102 is assumed to be the information device 100 to be restored. Note that the second information device 102 may be the first information device 101 after failure recovery. Alternatively, the second information device 102 may be an information device different from the first information device 101.

[First mode]
First, the case of the first mode (in-operation connection mode) will be described in detail.

  In the first mode, the management apparatus 200 stores the updated portion of the first security information applied to the first information device 101.

  The management device communication unit 210 connects to the first information device 101 when the operation mode is the first mode. Then, when the first security information is updated, the security information output unit 131 of the first information device 101 transmits the first security information to the management apparatus 200.

  Then, when the operation mode is the first mode and the first security information is different from the second security information, the security information management unit 234 determines whether the first security information and the second security information are Calculate the difference. Then, the security information management unit 234 stores the calculated difference in the management device storage unit 220.

  Alternatively, the security information management unit 234 corresponds to the first security information corresponding to the first identification information and the second identification information when the first identification information and the second identification information are different. A difference from the second security information may be calculated. Then, the security information management unit 234 stores the management information in the management device storage unit 220. Specifically, the security information comparison unit 233 compares the first identification information with the second identification information. Assume that the security information comparison unit 233 determines that the first identification information is different from the second identification information. In that case, the security information management unit 234 calculates a difference between the first security information corresponding to the first identification information and the second security information corresponding to the second identification information. Then, the security information management unit 234 stores the management information in the management device storage unit 220.

  The security information management unit 234 may store the calculated difference in the management device storage unit 220 in association with the corresponding first identification information and information for identifying the second identification information. . For example, it is assumed that the security information management unit 234 calculates the difference between the patch file 1021 of version Ver1 (first identification information) and the patch file 2021 of version Ver2 (second identification information). In this case, the security information management unit 234 may store a character string such as “Ver1-Ver2” in the management device storage unit 220 in association with the calculated difference. Of course, the management device storage unit 220 may store two or more differences. In this case, the management device storage unit 220 may associate each difference with the corresponding first identification information and second identification information as identifiable information.

[Second mode]
Next, the case of the second mode (recovery connection mode) will be described in detail.

  In the second mode, the management apparatus 200 transmits the updated portion of the first security information stored in the first mode to the second information device 102. Then, the second information device 102 applies the received difference to the corresponding software.

  The management device communication unit 210 connects to the second information device 102 when the operation mode is the second mode. Then, the security information output unit 131 of the second information device 102 transmits the first security information to the management apparatus in response to a request from the management apparatus 200.

  When the operation mode is the second mode and the first security information is different from the second security information, the security information management unit 234 determines the difference stored in the management device storage unit 220 as the second Transmit to the information device 102. Specifically, when the operation mode is the second mode and the first identification information is different from the second identification information, the security information management unit 234 determines the difference stored in the management device storage unit 220 as the first difference. To the second information device 102. When the security control unit 132 receives the difference via the device communication unit 110, the security control unit 132 applies the received difference to corresponding software such as a firewall.

  For example, it is assumed that the first identification information is “Ver1” and the second identification information is “Ver2”. In this case, in the first mode, it is assumed that the security information management unit 234 stores the character string “Ver1-Ver2” in the management device storage unit 220 in association with the calculated difference. In the second mode, it is assumed that the first identification information is “Ver1” and the second identification information is “Ver2”. In this case, in the security information management unit 234, the management device storage unit 220 extracts a difference in which the first identification information “Ver1” and the second identification information “Ver2” are associated with each other.

  Next, the operation of the management system 1 will be described in detail.

[Third mode]
First, the operation of the management system 1 in the third mode (initial connection) will be described in detail with reference to FIGS. 5 and 6.

  When the operation mode is the third mode, the security information management unit 234 causes the management device storage unit 220 to store the first identification information acquired by the security information acquisition unit 232 as second identification information.

  FIG. 5 is a flowchart illustrating an example of patch file storage processing and firewall setting information storage processing in the initial connection.

  In step A0, the management apparatus 200 performs pre-setting. Specifically, the management device 200 executes an initial process (start-up process) so as to be operable. Then, the operation mode control unit 231 sets the operation mode 2030 to the third mode.

  In step A1, the first information device 101 activates the OS 1100. In step A2, the device control unit 130 of the first information device 101 activates the firewall.

  In step A <b> 3, the management apparatus communication unit 210 starts connection with the first information device 101. Note that “connection start” in step A3 means starting electrical connection between the management apparatus 200 and the first information device 101. Here, as a matter of course, the management apparatus 200 and the first information device 101 are physically connected before the execution of the process of step A3.

  In step A <b> 4, the security information acquisition unit 232 transmits a firewall setting information output command to the first information device 101 via the management device communication unit 210. In step A5, the device communication unit 110 receives an output command for firewall setting information.

  In step A6, the security information output unit 131 outputs firewall setting information 1023. Specifically, the security information output unit 131 extracts firewall setting information 1023 from the device storage unit 120. Then, the security information output unit 131 transmits the extracted firewall setting information 1023 to the management apparatus 200 via the device communication unit 110. In step A 7, the security information acquisition unit 232 receives the firewall setting information via the management device communication unit 210.

  In step A8, the security information management unit 234 stores firewall setting information. Specifically, the security information management unit 234 stores the received firewall setting information as firewall setting information 2023 in the management device storage unit 220.

  In step A <b> 9, the security information acquisition unit 232 transmits a patch file output command to the first information device 101 via the management device communication unit 210. In step A10, the device communication unit 110 receives a patch file output command.

  In step A11, the security information output unit 131 outputs the patch file 1021. Specifically, the security information output unit 131 extracts the patch file 1021 applied to the first information device 101 and the patch file ID 1011 of the patch file 1021 from the device storage unit 120. Then, the security information output unit 131 transmits the extracted patch file 1021 and patch file ID 1011 to the management apparatus 200 via the device communication unit 110. In step A12, the security information acquisition unit 232 receives the patch file 1021 and the patch file ID 1011 via the management apparatus communication unit 210.

  In step A13, the security information management unit 234 stores the patch file 1021 and the patch file ID 1011. Specifically, the security information management unit 234 stores the received patch file 1021 in the management device storage unit 220 as the patch file 2021 in the management device storage unit 220. Further, the security information management unit 234 stores the received patch file ID 1011 in the management device storage unit 220 as the patch file ID 2011. And it changes to step A20 shown in FIG.

  FIG. 6 is a flowchart showing an example of a virus pattern file saving process in the first connection.

  In step A <b> 20, the security information acquisition unit 232 transmits a virus pattern file output command to the first information device 101 via the management device communication unit 210. In step A21, a virus pattern file output command is received.

  In step A22, the security information output unit 131 outputs the virus pattern file 1022. Specifically, the security information output unit 131 extracts the applied virus pattern file 1022 and the virus pattern file ID 1012 of the virus pattern file 1022 from the device storage unit 120. Then, the security information output unit 131 transmits the extracted virus pattern file 1022 and virus pattern file ID 1012 to the management apparatus 200 via the device communication unit 110. In step A 23, the security information acquisition unit 232 receives the virus pattern file 1022 and the virus pattern file ID 1012 via the management device communication unit 210.

  In step A24, the security information management unit 234 stores the virus pattern file 2022 and the virus pattern file ID 2012. Specifically, the security information management unit 234 stores the received virus pattern file 1022 as the virus pattern file 2022 in the management device storage unit 220. Further, the security information management unit 234 stores the received virus pattern file ID 1012 in the management device storage unit 220 as the virus pattern file ID 2012. In step A <b> 25, the management apparatus communication unit 210 executes connection termination to the first information device 101.

[First mode]
Next, the operation of the management system 1 in the first mode (operational connection) will be described in detail with reference to FIGS.

  FIG. 7 is a flowchart illustrating an example of the operation of the management system 1 regarding the firewall setting information and the patch file.

  In step B0, the management apparatus 200 performs pre-setting. Specifically, the operation mode control unit 231 sets the operation mode 2030 to the first mode. Here, it is assumed that the management system 1 has completed the processing shown in FIGS. 5 and 6 (processing in the third mode, that is, processing in the first connection).

  In step B <b> 1, the security information acquisition unit 232 accesses the first information device 101 via the management device communication unit 210.

  In step B <b> 2, the security information acquisition unit 232 transmits a firewall setting information output command to the first information device 101. In step B3, the device communication unit 110 receives an output command of firewall setting information. In step B4, the security information output unit 131 outputs firewall setting information. Specifically, the security information output unit 131 transmits firewall setting information 1023 stored in the device storage unit 120 to the management apparatus 200. In step B5, the security information acquisition unit 232 receives the firewall setting information 1023.

  In step B6, the security information comparison unit 233 determines whether or not the received firewall setting information 1023 is different from the stored firewall setting information 2023. That is, the security information comparison unit 233 determines whether or not the firewall setting information 1023 transmitted from the first information device 101 is different from the firewall setting information 2023 stored in the management device storage unit 220. .

  If the received firewall setting information 1023 is different from the saved firewall setting information 2023 (Yes branch of step B6), the process proceeds to step B7. On the other hand, if the received firewall setting information 1023 is not different from the stored firewall setting information 2023 (No branch of step B6), the process proceeds to step B8.

  In step B7, the security information management unit 234 overwrites the stored firewall setting information 2023 with the received firewall setting information 1023. Specifically, the security information management unit 234 overwrites the firewall setting information 2023 stored in the management device storage unit 220 with the firewall setting information 1023 applied to the first information device 101. As described above, the management apparatus 200 can acquire and store information related to the firewall settings applied to the first information device 101. And it changes to step B8.

  In step B <b> 8, the security information acquisition unit 232 transmits an output command for applied patch list information to the first information device 101. Here, the applied patch list information means a list of patch file IDs 1011 applied to the first information device 101.

  In step B9, the device communication unit 110 receives an output command of applied patch list information. In step B10, the security information output unit 131 outputs applied patch list information. Specifically, the security information output unit 131 transmits a list of patch file IDs 1011 of the patch file 1021 applied to the first information device 101 to the management apparatus 200. In step B11, the security information acquisition unit 232 receives applied patch list information. That is, the security information acquisition unit 232 acquires a list of patch file IDs 1011 from the first information device 101. And it changes to step B20 shown in FIG.

  FIG. 8 is a flowchart showing an example of the operation of the management system 1 regarding the patch file and the virus pattern file.

  In step B20, the security information comparison unit 233 determines whether or not the received patch list information is different from the stored patch list information. That is, the security information comparison unit 233 determines whether or not the list of patch file IDs 1011 transmitted from the first information device 101 is different from the list of patch file IDs 2011 stored in the management device storage unit 220. To do.

  If the received patch list information is different from the stored patch list information (Yes branch of step B20), the process proceeds to step B21. On the other hand, if the received patch list information is not different from the stored patch list information (No branch of step B20), the process proceeds to step B26.

  In step B <b> 21, the security information acquisition unit 232 transmits a differential patch file output command to the first information device 101. The difference patch file refers to a patch file (first security information) 1021 specified based on the patch file ID 1011 and a patch file (second security information described above) 2021 specified based on the patch file ID 2011. (The above difference).

  Further, the security information acquisition unit 232 transmits the stored patch list information (list of patch file IDs 2011) to the first information device 101.

  In step B22, the device communication unit 110 receives a differential patch file output command. Furthermore, the information communication unit 110 receives patch list information stored in the management apparatus 200.

  In step B23, the security information output unit 131 outputs the difference patch file. Specifically, the security information output unit 131 calculates a difference between the patch file 1021 specified based on the patch file ID 1011 and the patch file 2021 specified based on the patch file ID 2011 as a difference patch file. Then, the security information output unit 131 transmits the calculated difference patch file to the management apparatus 200. In step B24, the security information acquisition unit 232 receives the difference patch file.

  In step B25, the security information management unit 234 saves the difference patch file. Specifically, the security information management unit 234 stores the received difference patch file in the management device storage unit 220. Therefore, the management apparatus 200 can store the updated part of the patch file 1021 in the first information device 101.

  In step B <b> 26, the security information acquisition unit 232 transmits an output command of virus pattern file list information to the first information device 101. Here, the virus pattern file list information means a list of virus pattern file IDs 1012 applied to the first information device 101.

  In step B27, the device communication unit 110 receives an output command of virus pattern file list information. In step B28, the security information output unit 131 outputs virus pattern file list information. Specifically, the security information output unit 131 transmits a list of virus pattern file IDs 1012 applied to the first information device 101 to the management apparatus 200. In step B <b> 29, the security information acquisition unit 232 receives virus pattern file list information from the first information device 101. That is, the security information acquisition unit 232 acquires a list of virus pattern file IDs 1012 from the first information device 101. And it changes to step B40 shown in FIG.

  FIG. 9 is a flowchart showing an example of the operation of the management system 1 regarding the virus pattern file.

  In step B40, the security information comparison unit 233 determines whether the received virus pattern file list information is different from the stored virus pattern file list information. If the received virus pattern file list information is different from the stored virus pattern file list information (Yes branch of step B40), the process proceeds to step B41. On the other hand, if the received virus pattern file list information is not different from the stored virus pattern file list information (No branch of step B40), the process proceeds to step B46.

  In step B <b> 41, the security information acquisition unit 232 transmits a difference pattern file output command to the first information device 101. The difference pattern file is a virus pattern file (first security information described above) identified based on the virus pattern file ID 1012 and a virus pattern file (second security described above) identified based on the virus pattern file ID 2012. Information) (difference described above).

  Further, the security information acquisition unit 232 transmits the stored virus pattern file list information (list of virus pattern files 2022) to the first information device 101.

  In step B42, the device communication unit 110 receives the output command for the difference pattern file. Furthermore, the information communication unit 110 receives virus pattern file list information stored in the management apparatus 200.

  In step B43, the security information output unit 131 outputs a difference pattern file. Specifically, the security information output unit 131 calculates a difference between the virus pattern file specified based on the virus pattern file ID 1012 and the virus pattern file specified based on the virus pattern file ID 2012 as a difference pattern file. To do. Then, the security information output unit 131 transmits the calculated difference pattern file to the management apparatus 200. In step B44, the security information acquisition unit 232 receives the difference pattern file.

  In step B45, the security information management unit 234 stores the difference pattern file. Specifically, the security information management unit 234 stores the received difference pattern file in the management device storage unit 220. Therefore, the management apparatus 200 can monitor the update of the virus pattern file applied to the first information device 101 and store the updated virus pattern file. In step B <b> 46, the management apparatus communication unit 210 terminates the connection to the first information device 101.

[Second mode]
Next, the operation of the management system 1 in the second mode (recovery connection) will be described in detail with reference to FIGS. In the following description, the security information applied to the first information device 101 and the security information applied to the second information device 102 may be different.

  FIG. 10 is a flowchart illustrating an example of the operation of the management system 1 regarding the difference patch file.

  In step C0, the management apparatus 200 performs pre-setting. Specifically, the operation mode control unit 231 sets the operation mode 2030 to the second mode and causes the management device storage unit 220 to store the operation mode 2030. Here, it is assumed that the management system 1 has completed the processing shown in FIGS. 7 to 9 (processing in the first mode).

  In step C1, the second information device 102 activates the OS 1100. In step C2, the device control unit 130 of the second information device 102 activates the firewall.

  In step C <b> 3, the management apparatus communication unit 210 starts connection to the second information device 102. As described above, “connection start” means starting an electrical connection between the management apparatus 200 and the second information device 102.

  In step C <b> 4, the security information acquisition unit 232 transmits an output command for applied patch list information to the second information device 102. In step C5, the device communication unit 110 receives an output command of applied patch list information. In step C6, the security information output unit 131 outputs applied patch list information. Specifically, the security information output unit 131 transmits a list of patch file IDs 1011 stored in the device storage unit 120 to the management apparatus 200. In step C7, the security information acquisition unit 232 receives applied patch list information.

  That is, the security information acquisition unit 232 of the management device 200 requests the second information device 102 for list information of patch numbers applied by the second information device 102 via the management device communication unit 210. Then, the security information output unit 131 of the second information device 102 transmits the list information of the patch numbers to which the second information device 102 has been applied to the management apparatus 200 as the first identification information.

  In step C8, the security information comparison unit 233 determines whether or not the received patch list information is different from the stored patch list information. That is, the security information comparison unit 233 determines whether or not the list of patch file IDs 1011 transmitted from the second information device 102 and the list of patch file IDs 2011 stored in the management device storage unit 220 are different. If the received patch list information is different from the stored patch list information (Yes branch of step C8), the process proceeds to step C9. On the other hand, when the received patch list information is not different from the stored patch list information (No branch of step C8), the process proceeds to step C22 shown in FIG.

  In step C9, the security information management unit 234 outputs the difference patch file. Specifically, the security information management unit 234 determines the difference between the patch file 1021 specified based on the received list information of the patch file ID 1011 and the patch file 2021 specified based on the stored patch file ID 2011. Is calculated as a difference patch file. Then, the security information management unit 234 transmits the calculated difference patch file to the second information device 102 via the management device communication unit 210. In step C10, the device communication unit 110 receives the difference patch file. And it changes to step C20 shown in FIG.

  FIG. 11 is a flowchart illustrating an example of the operation of the management system 1 regarding the difference patch file and the difference pattern file.

  In step C20, the security control unit 132 applies the differential patch file to the firewall. In step C21, the security control unit 132 notifies the management apparatus 200 of the completion of application of the differential patch file to the firewall. When the management apparatus communication unit 210 receives a notification of the completion of application of the differential patch file to the firewall, the security information management unit 234 determines that the processing related to the patch file has been completed.

  Next, in step C <b> 22, the security information acquisition unit 232 transmits the virus pattern file list information output command to the second information device 102. In step C23, the device communication unit 110 receives an output command of virus pattern file list information. In step C24, the security information output unit 131 outputs virus pattern file list information. Specifically, the security information output unit 131 transmits a list of virus pattern file IDs 1012 stored in the device storage unit 120 to the management apparatus 200. In step C25, the security information acquisition unit 232 receives virus pattern file list information.

  That is, the security information acquisition unit 232 of the management device 200 requests virus pattern file list information from the second information device 102 via the management device communication unit 210. Then, the security information output unit 131 of the second information device 102 transmits the virus pattern file list information to which the second information device 102 has been applied to the management apparatus 200 as the first identification information.

  In step C26, the security information comparison unit 233 determines whether or not the received virus pattern file list information is different from the stored virus pattern file list information. If the received virus pattern file list information is different from the stored virus pattern file list information (Yes branch of step C26), the process proceeds to step C27. On the other hand, when the received virus pattern file list information is not different from the stored virus pattern file list information (No branch of step C26), the process proceeds to step C41 shown in FIG.

  In step C27, the security information management unit 234 outputs a difference pattern file. Specifically, the security information management unit 234 determines whether the virus pattern file 1022 specified based on the received virus pattern file ID 1012 and the virus pattern file 2022 specified based on the stored virus pattern file ID 2012. The difference is calculated as a difference pattern file. Then, the security information management unit 234 transmits the calculated difference pattern file to the second information device 102 via the management device communication unit 210. In step C28, the device communication unit 110 receives the difference pattern file.

  In step C29, the security control unit 132 applies the difference pattern file to the firewall. And it changes to step C40 shown in FIG.

  FIG. 12 is a flowchart illustrating an example of the operation of the management system 1 regarding the difference pattern file and the firewall setting information.

  In step C40, the security control unit 132 notifies the management apparatus 200 of the completion of application of the difference pattern file to the firewall. When the management apparatus communication unit 210 receives a notification of the completion of application of the differential pattern file to the firewall, the security information management unit 234 determines that the processing related to the virus pattern file has been completed.

  Next, in step C <b> 41, the security information acquisition unit 232 transmits an output command for firewall setting information to the second information device 102. In step C42, the device communication unit 110 receives an output command of firewall setting information. In step C43, the security information output unit 131 outputs the firewall setting information 1023. Specifically, the security information output unit 131 transmits firewall setting information 1023 stored in the device storage unit 120 to the management apparatus 200. In step C44, the security information acquisition unit 232 receives the firewall setting information 1023.

  In step C45, the security information comparison unit 233 determines whether or not the received firewall setting information 1023 is different from the stored firewall setting information 2023. If the received firewall setting information 1023 is different from the saved firewall setting information 2023 (Yes branch of step C45), the process proceeds to step C46. On the other hand, when the received firewall setting information 1023 and the stored firewall setting information 2023 are not different (No branch of step C45), the process proceeds to step C62 shown in FIG.

  In step C46, the security information management unit 234 outputs the saved firewall setting information 2023. Specifically, the security information management unit 234 extracts the firewall setting information 2023 from the management device storage unit 220. Then, the security information management unit 234 transmits the extracted firewall setting information 2023 to the second information device 102 via the management device communication unit 210. In step C47, the device communication unit 110 receives the firewall setting information 2023. And it changes to step C60 shown in FIG.

  FIG. 13 is a flowchart illustrating an example of the operation of the management system 1 regarding the firewall.

  In step C60, the security control unit 132 applies the received firewall setting information 2023 to the firewall. In step C61, the security control unit 132 notifies the management apparatus 200 of the completion of application of the firewall setting information 2023. When the management apparatus communication unit 210 receives the notification of the completion of application of the firewall setting information 2023, the security information management unit 234 determines that the processing related to the firewall setting information has been completed.

  In step C62, the management apparatus control unit 230 transmits a command for restarting the second information device 102 to the second information device 102. In step C63, the device communication unit 110 receives a command for restarting the second information device 102. In step C64, the device control unit 130 restarts the second information device 102. In step C65, the device control unit 130 restarts the second information device 102 and then starts the OS 1100. In step C66, the device control unit 130 activates the firewall.

  As described above, in the management system 1 according to the present embodiment, when the first information device 101 is operating properly and the patch file applied to the first information device 101 is updated, the management device 200 calculates an updated portion of the patch file or the like. And the management apparatus 200 preserve | saves the updated part. Then, when a failure occurs in the first information device 101, it is assumed that the second information device 102 is operated instead of the first information device 101. In this case, since the management apparatus 200 stores the updated part (difference) regarding the patch file or the like, the management apparatus 200 transmits the updated content (difference) to the second information device 102. Then, the second information device 102 applies the updated part related to the patch file or the like. As described above, the management system 1 contributes to restoring the information device 100 to the state before the failure, and contributes to appropriately managing the updated portion of the information device 100.

[Modification 1]
As a first modification of the management system 1 according to the present embodiment, the first information device 101 may calculate a difference. For example, when the operation mode is the first mode, the security information acquisition unit 232 may request the first information device 101 to confirm whether or not the first identification information is updated. Then, it is assumed that the first information device 101 has updated the first identification information. In that case, the security information output unit 131 uses the difference between the first security information based on the first identification information before the update and the first security information based on the first identification information after the update as a difference, It may be calculated. Then, the security information output unit 131 may transmit the calculated difference to the management apparatus 200.

  For example, it is assumed that the first information device 101 has updated the patch file ID 1011. In that case, the security information output unit 131 may calculate the difference between the patch file 1021 corresponding to the patch file ID 1011 before update and the patch file 2021 corresponding to the patch file ID 1011 after update as a difference. Then, the security information output unit 131 may transmit the calculated difference to the management apparatus 200.

  Further, it is assumed that the first information device 101 has updated the virus pattern file ID 1012. In that case, the security information output unit 131 may calculate the difference between the virus pattern file based on the virus pattern file ID 1012 before update and the virus pattern file based on the virus pattern file ID 1012 after update. The security information output unit 131 may transmit the calculated difference to the management apparatus 200.

Further, it is assumed that the security information output unit 131 has updated the firewall setting information. In that case, the security information output unit 131 may store the difference between the firewall setting information before the update and the firewall setting information after the update in the management apparatus 200 as a difference.
[Second Embodiment]
Next, the second embodiment will be described in more detail with reference to the drawings.

  In the present embodiment, the management device acquires a patch file or the like from a predetermined server device. In the description of the present embodiment, the description of the same part as the above embodiment is omitted. Further, in the description of the present embodiment, the same components as those of the above-described embodiment are denoted by the same reference numerals, and the description thereof is omitted. In the description of the present embodiment, the description of the same operational effects as those of the above-described embodiment is also omitted.

  FIG. 14 is a diagram illustrating an example of the overall configuration of the management system 1a according to the present embodiment. The difference from the management system 1 shown in FIG. 2 is that the management system 1a shown in FIG.

  Server device 300 is connected to information device 100 via network 400. The network 400 may be the Internet or an intranet, and details thereof are not limited. There are various implementation methods of the network 400, and it is assumed that the network 400 is appropriately selected according to the implementation form of the management system 1a.

  The server apparatus 300 provides and / or manages patch files, virus pattern files, and firewall setting information related to the OS 1100 included in the information device 100. Furthermore, the server device 300 manages the version of the OS 1100 installed in the information device 100. The information device 100 downloads the OS, patch file, virus pattern file, and firewall setting information from the server device 300.

  Hereinafter, the information device 100 and the management apparatus 200 according to the present embodiment will be described in detail.

  The internal configuration of the information device 100 according to the present embodiment is as shown in FIG. Further, the internal configuration of the management apparatus 200 is as shown in FIG.

  The device control unit 130 according to the present embodiment monitors the server device 300. Specifically, the device control unit 130 accesses the server device 300 and determines whether or not there is an update regarding the OS 1100 version, patch file, virus pattern file, and firewall setting information. For example, the device control unit 130 may confirm whether or not the OS, patch file, or the like has been updated in the server apparatus 300 at predetermined time intervals.

  More specifically, the device control unit 130 compares the version of the OS 1100 installed in the information device 100 with the version of the OS 1100 managed by the server device 300. Assume that the version of the OS 1100 installed in the information device 100 is different from the version of the OS 1100 managed by the server apparatus 300. In that case, the device control unit 130 calculates the difference between the version of the OS 1100 installed in the information device 100 and the version of the OS 1100 managed by the server device 300. Then, the security information output unit 131 transmits the calculated difference to the management apparatus 200.

  The device control unit 130 also includes a patch file 1021, a virus pattern file 1022, and firewall setting information 1023 stored in the device storage unit 120, and a patch file, virus pattern file, and firewall setting information managed by the server device 300. Compare Assume that the patch file 1021 and the like stored in the device storage unit 120 are different from the patch file and the like managed by the server device 300. In that case, the security information output unit 131 calculates a difference between the patch file 1021 and the like stored in the device storage unit 120 and the patch file and the like managed by the server device 300. Then, the security information output unit 131 transmits the calculated difference to the management apparatus 200.

  For example, when the device control unit 130 calculates the above difference, the security information output unit 131 may transmit the calculated difference to the management apparatus 200. Alternatively, when the device control unit 130 calculates the difference, the device control unit 130 may temporarily store the calculated difference in the device storage unit 120. Then, the security information output unit 131 may extract the stored difference from the device storage unit 120 at a predetermined time interval, and transmit the extracted difference to the management apparatus 200.

  As described above, in the management system 1a according to the present embodiment, the information device 100 acquires a patch file or the like from the server device 300. In the management system 1a according to the present embodiment, the server apparatus 300 centrally manages patch files and the like. Therefore, the management system 1a according to the present embodiment contributes to the information device 100 efficiently confirming whether or not the patch file or the like is updated.

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

  (Additional remark 1) It is as the management apparatus which concerns on a said 1st viewpoint.

  (Supplementary Note 2) The management device storage unit further stores an operation mode, and the security information management unit is configured such that the operation mode is the first mode, the first security information, and the second security information. If the information is different, the difference between the first security information and the second security information is stored in the management device storage unit, and the security information management unit is configured such that the operation mode is the second mode. The management apparatus according to appendix 1, wherein the difference is transmitted to the information device when the first security information and the second security information are different.

  (Supplementary Note 3) The security information acquisition unit acquires the first security information and first identification information corresponding to the first security information, and the management device storage unit further includes the second security information. The second identification information corresponding to the security information and the operation mode are stored, and the security information management unit is configured such that the operation mode is the first mode, the first identification information, and the second identification When the information is different, the difference between the first security information corresponding to the first identification information and the second security information corresponding to the second identification information is stored in the management device storage unit. The security information management unit transmits the difference to the information device when the operation mode is the second mode and the first identification information is different from the second identification information. Management device according to note 1 or 2.

  (Additional remark 4) It is as the management system which concerns on the said 2nd viewpoint.

  (Supplementary Note 5) The management device storage unit further stores an operation mode, and the security information management unit is configured such that the operation mode is the first mode, the first security information, and the second security information. If the information is different, the difference between the first security information and the second security information is stored in the management device storage unit, and the security information management unit is configured such that the operation mode is the second mode. The management system according to appendix 4, wherein the difference is transmitted to the information device when the first security information is different from the second security information.

  (Supplementary Note 6) The management system includes the first information device, the second information device, and the management device, and the management device communication unit is configured such that the operation mode is the first mode. In this case, when the operation mode is the second mode when connected to the first information device, the security information output unit of the first information device is connected to the second information device, When the first security information is updated, the first security information is transmitted to the management device, and the security information output unit of the second information device responds to a request from the management device. 6. The management system according to appendix 4 or 5, wherein the security information of 1 is transmitted to the management device.

  (Supplementary Note 7) The device storage unit further stores first identification information corresponding to the first security information, and the security information output unit includes the first security information and the first security information. The first identification information corresponding to the information is transmitted to the management device, and the security information acquisition unit acquires the first security information and the first identification information from the information device, and the management The device storage unit further stores second identification information corresponding to the second security information and an operation mode, and the security information management unit is configured such that the operation mode is the first mode, When the first identification information is different from the second identification information, the first security information corresponding to the first identification information and the first identification information corresponding to the second identification information 2 is stored in the management device storage unit, and the security information management unit is configured such that the operation mode is the second mode, the first identification information, and the second identification The management system according to any one of appendices 4 to 6, wherein when the information is different, the difference is transmitted to the information device.

  (Supplementary Note 8) When the operation mode is the first mode, the security information acquisition unit requests the information device to check whether or not the first identification information is updated, and the security information output unit When the first identification information is updated, the first security information associated with the first identification information before the update and the first security information associated with the first identification information after the update The management system according to appendix 7, wherein a difference from the first security information is transmitted to the management device, and the security information management unit stores the received difference in the management device storage unit as the difference.

  (Supplementary note 9) When the operation mode is the first mode and the first identification information is different from the second identification information, the security information acquisition unit is configured to communicate via the management device communication unit. , Transmitting the second identification information to the information device and requesting the difference from the information device, wherein the security information output unit is configured to obtain a difference between the first security information and the second security information. Is calculated as the difference, and the calculated difference is transmitted to the management device.

  (Supplementary note 10) The management system according to any one of supplementary notes 4 to 9, further comprising a security control unit that applies the difference to the software when the information device receives the difference.

  (Additional remark 11) It is as the control method of the management apparatus which concerns on a said 3rd viewpoint.

  (Supplementary note 12) Further, the method includes a step of storing an operation mode, wherein the operation mode is the first mode, and the first security information is different from the second security information, the difference is calculated. The calculated difference is stored, and when the operation mode is the second mode and the first security information is different from the second security information, the difference is transmitted to the information device. The control method of the management apparatus of 11.

  (Supplementary Note 13) In the step of acquiring the first security information, the first security information and first identification information corresponding to the first security information are acquired, and the second security information is stored. In the step of further storing the second identification information corresponding to the second security information and the operation mode, and in the step of calculating the difference, the operation mode is the first mode, When the first identification information is different from the second identification information, the first security information corresponding to the first identification information and the second security information corresponding to the second identification information The difference is calculated, the calculated difference is stored, the operation mode is the second mode, and the first identification information is different from the second identification information. And it transmits to said information device, control method for a management apparatus according to note 11 or 12.

  (Additional remark 14) It is as the program which concerns on the said 4th viewpoint.

  (Supplementary Note 15) Further, when the computer stores the operation mode, the operation mode is the first mode, and the first security information is different from the second security information, When causing the computer to execute a process for calculating a difference, storing the calculated difference, the operation mode is the second mode, and the first security information is different from the second security information, The program according to appendix 14, which causes the computer to execute a process of transmitting the difference to the information device.

  (Supplementary Note 16) In the process of acquiring the first security information, the computer executes the process of acquiring the first security information and the first identification information corresponding to the first security information, In the process of storing the second security information, in the process of causing the computer to execute a process of storing the second identification information corresponding to the second security information and the operation mode, and calculating the difference When the operation mode is the first mode and the first identification information is different from the second identification information, the first security information corresponding to the first identification information, and the first Causing the computer to execute a process of calculating a difference from the second security information corresponding to the second identification information, and storing the calculated difference A process of transmitting the difference to the information device when the operation mode is the second mode and the first identification information is different from the second identification information. The program according to appendix 14 or 15, which is executed by the computer.

  The disclosure of the above patent document is incorporated herein by reference. Within the scope of the entire disclosure (including claims) of the present invention, the embodiment can be changed and adjusted based on the basic technical concept. Further, various combinations or selections of various disclosed elements (including each element of each claim, each element of each embodiment, each element of each drawing, etc.) are possible within the framework of the entire disclosure of the present invention. is there. That is, the present invention of course includes various variations and modifications that could be made by those skilled in the art according to the entire disclosure including the claims and the technical idea. In particular, with respect to the numerical ranges described in this document, any numerical value or small range included in the range should be construed as being specifically described even if there is no specific description.

1, 1a Management system 10, 100 Information device 20, 200 Management device 21, 210 Management device communication unit 22, 232 Security information acquisition unit 23, 220 Management device storage unit 24, 234 Security information management unit 31 First security information 32 Second security information 33 Difference 101 First information device 102 Second information device 110 Device communication unit 120 Device storage unit 130 Device control unit 131 Security information output unit 132 Security control unit 230 Management device control unit 231 Operation mode control unit 233 Security information comparison unit 300 Server device 400 Network 1011, 2111 Patch file ID
1012, 2012 Virus pattern file ID
1020 Firewall software 1021, 2021 Patch file 1022, 2022 Virus pattern file 1023, 2023 Firewall setting information 1100, 2100 OS
2020 Firewall management software 2030 operation mode

Claims (8)

A management device communication unit for communicating with the information device;
A security information acquisition unit that acquires first security information corresponding to software installed in the information device via the management device communication unit;
A management device storage unit for storing second security information corresponding to the software and an operation mode ;
When the operation mode is the first mode and the first security information is different from the second security information, the difference between the first security information and the second security information is calculated as follows: A security information management unit stored in the management device storage unit;
Equipped with a,
The security information management unit is configured to transmit the difference to the information device when the operation mode is the second mode and the first security information is different from the second security information . The security information acquisition unit acquires the first security information and first identification information corresponding to the first security information;
The management device storage unit further stores second identification information corresponding to the second security information,
When the operation mode is the first mode and the first identification information is different from the second identification information, the security information management unit is configured to correspond to the first identification information. Storing the difference between the security information and the second security information corresponding to the second identification information in the management device storage unit;
Wherein the security information management unit, the operation mode is the second mode, when the first identification information, and the second identification information different, and transmits the difference to the information appliance, according to claim 1 The management apparatus as described in. Information equipment,
A management device comprising a management device communication unit for communicating with the information device;
A management system including:
The information device is
A device storage unit for storing first security information corresponding to software installed in the information device;
A security information output unit for transmitting the first security information to the management device;
With
The management device
A management device communication unit that communicates with the information device;
A security information acquisition unit for acquiring the first security information corresponding to software installed in the information device via the management device communication unit;
A management device storage unit for storing second security information corresponding to the software and an operation mode ;
When the operation mode is the first mode and the first security information transmitted from the information device is different from the second security information, the first security information and the second security information A security information management unit for storing a difference with information in the management device storage unit;
Equipped with a,
The security information management unit is configured to transmit the difference to the information device when the operation mode is the second mode and the first security information is different from the second security information . The management system includes a first information device and a second information device, and the management device,
The management device communication unit connects to the first information device when the operation mode is the first mode, and connects to the second information device when the operation mode is the second mode. connection,
When the first security information is updated, the security information output unit of the first information device transmits the first security information to the management device,
The management system according to claim 3 , wherein the security information output unit of the second information device transmits the first security information to the management device in response to a request from the management device. The device storage unit further stores first identification information corresponding to the first security information,
The security information output unit transmits the first security information and the first identification information corresponding to the first security information to the management device;
The security information acquisition unit acquires the first security information and the first identification information from the information device,
The management device storage unit further stores second identification information corresponding to the second security information,
The security information management unit, when the operation mode is the first mode and the first identification information is different from the second identification information, the first information corresponding to the first identification information. The difference between the security information and the second security information corresponding to the second identification information is stored in the management device storage unit,
The security information management unit transmits the difference to the information device when the operation mode is the second mode and the first identification information is different from the second identification information. The management system according to 3 or 4 . The security information acquisition unit, when the operation mode is the first mode, requests the information device to confirm whether or not the first identification information is updated,
When the first identification information is updated, the security information output unit includes the first security information associated with the first identification information before the update and the first identification information after the update. Transmitting the difference with the associated first security information to the management device;
The management system according to claim 5 , wherein the security information management unit stores the received difference as the difference in the management device storage unit. A method for controlling a management device including a management device communication unit that communicates with an information device,
Obtaining first security information corresponding to software installed in the information device;
Storing second security information corresponding to the software and an operation mode ;
When the operation mode is the first mode and the first security information is different from the second security information, a difference between the first security information and the second security information is calculated. Process,
Storing the difference;
When the operation mode is a second mode and the first security information is different from the second security information, the step of transmitting the difference to the information device;
A control method for a management device including: A program to be executed by a computer that controls a management device including a management device communication unit that communicates with an information device,
Processing for obtaining first security information corresponding to software installed in the information device;
Processing for storing second security information corresponding to the software and an operation mode ;
When the operation mode is the first mode and the first security information is different from the second security information, a difference between the first security information and the second security information is calculated. Processing,
Storing the difference;
When the operation mode is the second mode and the first security information is different from the second security information, a process of transmitting the difference to the information device;
A program for causing the computer to execute.

Images