KR100918272B1 - Security control system and method through single user identification - Google Patents

Abstract

The present invention relates to a security control system and a method thereof, and more particularly, to accurately identify a single user and to manage all trends of a specific person by integrating and managing information used in all authentication systems used by each individual on various authentication systems for security. Integrated management can effectively detect or block security incidents, and classify and manage key management targets related to internal security in advance or create and manage abnormal symptoms related to internal security as scenarios in advance. The present invention relates to an improved security control system and a method through identification of a single user who can detect and prevent the risk of a security incident in advance.

Description

A security control system and method using a single user identification

The present invention relates to a security control system and a method thereof, and more particularly, to accurately identify a single user and to manage all trends of a specific person by integrating and managing information used in all authentication systems used by each individual on various authentication systems for security. Integrated management can effectively detect or block security incidents, and classify and manage key management targets related to internal security in advance or create and manage abnormal symptoms related to internal security as scenarios in advance. The present invention relates to an improved security control system and a method through identification of a single user who can detect and prevent the risk of a security incident in advance.

In general, as the industry develops, competition for information acquisition among companies is fierce. The information acquisition war between companies attempts to acquire confidential information of competitors through appeasement of employees of industrial spies or other companies, and keeps the company's security through various authentication systems for security.

Commonly used security authentication systems allow employees to commute to work and control access to unauthorized persons, and prevent in-house leakage of employees 'or employees' inside of the company by hiding items or materials inside the company. Door authentication system to be authenticated if you want to go through each door, elevator authentication system to be authenticated if you want to move to each floor in the facility, especially if you want to use elevator or emergency stairs to go to the security-related floor, or Emergency staircase authentication system, network authentication system that authenticates the access according to the authority granted to each user in order to access the network server in the company, and stores the access records for the system and information, various terminals in the facility, especially computers, copiers , Facsimile, etc. Various systems, such as a terminal authentication system to be authenticated when being used, are being used.

However, in the related art, since various security authentication systems as described above are managed and operated separately, an ID card for access control, an e-mail account name or a login account name such as an e-mail or a messenger used internally or externally for work or private use. In addition, a unique identification code for identifying the user in various programs, authentication codes for authenticating the use rights of various terminals, etc. are also generated and managed in various ways, and accordingly, various authentication codes used by one specific person for each authentication system, etc. Different from each other, it is difficult to integrate and manage all trends of a specific person in the security system, so there is a problem in limiting the detection of abnormal information or prediction of in-house information leakage.

Therefore, for efficient in-house security, the necessity of identifying a single user on various management systems is increasing. By utilizing this, it is possible to prevent abnormalities by capturing abnormal symptoms in advance before a security accident occurs. The need for an existing system is emerging.

The present invention has been made to solve the conventional problems as described above,

The purpose of the present invention is to integrate the information used in all authentication systems used by each individual on a variety of authentication systems for security, to accurately identify a single user and to manage all the trends of a specific person efficiently security accidents It is an object of the present invention to provide an improved security control system and method through a single user identification that can detect or block it.

Another object of the present invention is to improve the security control system through the identification of a single user that can detect and prevent the risk of a security accident in advance by enabling to classify the key management targets related to the security in the company in advance, and to manage To provide a way.

Another object of the present invention is to improve the security control system through the identification of a single user that can detect and prevent the risk of a security accident in advance by enabling to create and manage the abnormal symptoms related to the internal security in the scenario in advance, and its To provide a way.

It is another object of the present invention to continuously update the abnormal symptom scenario, so that the risk factors of all possible security incidents can be pre-scenariod and managed, and improved through the identification of a single user who can increase the possibility of security accident prevention. To provide a secured security control system and method thereof.

Improved security control system and method through a single user identification for achieving the above object of the present invention includes the following configuration.

According to an embodiment of the present invention, an improved security control system through single user identification according to the present invention is connected to access movement information or a terminal, a program, or a network, which is checked and registered with an authentication system when entering or leaving a facility. An authentication information DB for storing access information checked and registered with the authentication system at the time of writing; Information that all employees in the company use in authentication system, ie company number, name, social security number, biometric information, access card information, terminal IP address, terminal access ID, mail (messenger) access ID, remote server system access ID, groupware system access A user identification DB for storing IDs, network system access IDs, database server access IDs, and program access IDs by database for each employee; Personnel information DB that stores personal information of all employees in the company, that is, company number, name, social security number, company name, company code, department name, department code, rank, date of employment, address and contact information for each employee; A subject information DB for selecting key subjects according to the degree of access and handling of internal information among employees in the company and storing information on the subject matters; A data management unit for periodically collecting and managing information stored in the authentication information DB, user identification DB, personnel information DB, and management target information DB; A data analysis unit for comparing the access movement information or the access information obtained from the authentication information DB with the information used in the authentication system for each employee stored in the user identification DB to determine whether a single user exists; An information leakage analysis unit for detecting an internal information leakage signal by analyzing the access movement information and the access information of the single user determined by the data analysis unit; and thus, various access movement information checked and registered in the authentication system for each employee In addition, it is possible to detect an internal information leakage sign in advance by determining whether a single user is determined from the access information.

According to another embodiment of the present invention, the improved security control system through the identification of a single user according to the present invention further includes a profile DB for storing an abnormal symptom scenario for predicting abnormal behavior of the key management target, the data management unit Periodically collects and manages information stored in the profile DB, and the information leakage analysis unit stores the key management target information stored in the management target information database, and access movement information and access of the key management target determined by the data analysis unit. By comparing and analyzing the information and the abnormal symptoms scenarios stored in the profile DB, it is possible to detect and block the abnormal symptoms of the key management target in advance.

According to another embodiment of the present invention, in the improved security control system through the identification of a single user according to the present invention, the abnormal symptom scenario is a single analysis scenario that analyzes and predicts abnormal symptoms occurring in a single behavior pattern of a specific person. The correlation analysis scenario predicts an abnormal symptom occurring in a comprehensive behavior pattern by interconnecting the independent analysis scenarios, and does not correspond to the single analysis scenario or the correlation analysis scenario among the abnormal behavior patterns detected by a specific person. It is characterized by including a post-mortem scenario for reflecting the behavioral pattern into an abnormal symptom scenario in the future.

According to another embodiment of the present invention, the data management unit in the improved security control system through a single user identification according to the present invention, the authentication information DB, user identification DB, personnel information DB, management target information DB and profile Receiving module for receiving the information of the DB, the control module for changing and managing the information stored in the authentication information DB, user identification DB, personnel information DB, management target information DB and profile DB, the authentication information DB, user identification DB And a transmission module for transmitting the information of the personnel information DB, the management subject information DB, and the profile DB to the data analysis unit or the information leakage analysis unit, wherein the data analysis unit transmits the authentication information DB, the user identification DB, or the human resources from the data management unit. Analysis and processing module for determining a single user by analyzing the receiving module for receiving information of the information DB, the information of the authentication information DB, user identification DB or personnel information DB And a transmission module for transmitting an analysis result of the analysis and processing module to the information leakage analysis unit, wherein the information leakage analysis unit analyzes the analysis result of the data analysis unit and the management subject information DB and profile DB from the data management unit. Receiving module for receiving the information, the analysis and processing module for determining abnormal symptoms by analyzing the analysis results of the data analysis unit and the information of the management target information DB and profile DB, and transmits the analysis results of the analysis and processing module Characterized in that it comprises a transmission module.

According to another embodiment of the present invention, the improved security control method through the single user identification according to the present invention is to the access movement information or terminal, program or network that is checked and registered with the authentication system when entering or moving in the facility. An authentication information collecting step of a data management unit for collecting and managing information used for the authentication system from an authentication information DB storing access information checked and registered in the authentication system at the time of connection; Information that all employees in the company use in authentication system, ie company number, name, social security number, biometric information, access card information, terminal IP address, terminal access ID, mail (messenger) access ID, remote server system access ID, groupware system access A user identification information collection step of collecting and managing user ID information of each employee from a user identification DB which stores IDs, network system connection IDs, database server connection IDs, and program connection IDs for each employee in a database; Personal information of all employees in the company, namely company number, name, social security number, company name, company code, department name, department code, rank, date of employment, address, contact information, and personal information of each employee from the database HR information collection step of collecting and managing information; Single user discrimination step of the data analysis unit to determine whether a single user by comparing and analyzing the information used in the authentication system obtained through the authentication information collection step and the authentication system usage information for each employee obtained through the user identification information collection step ; Checking and registering in the authentication system for each employee by including; information leakage analysis step of the information leakage analysis unit for detecting the internal information leakage symptoms by analyzing the access movement information and access information of the single user determined through the single user identification step; By determining whether a single user from the various access movement information or access information that is characterized in that it can detect the internal information leakage signs in advance.

According to another embodiment of the present invention, in the improved security control method through a single user identification according to the present invention, the single user discrimination step is to request information used in a specific authentication system collected in the authentication information collection step A first authentication information request step; A user identification information request step of requesting information used by all authentication systems collected in the user identification information collection step, to a specific person using information used in the specific authentication system obtained through the first authentication information request step; A personnel information request step of requesting personal information collected in the personnel information collection step for a specific person using information used in the specific authentication system obtained through the first authentication information request step; A second authentication information request step of requesting information used in all other authentication systems of the specific person collected in the authentication information collection step by the specific person obtained through the user identification information request step; And storing and providing a single user information for storing and providing access movement information or access information of a specific person used in all authentication systems based on the information obtained through the second authentication information requesting step.

According to another embodiment of the present invention, the improved security control method through the identification of a single user according to the present invention selects the key management target according to the degree of access and handling of internal information among the employees of the company to store the information about it A management target information collection step of the data management unit for collecting the key management target information from the management target information DB; An abnormal symptom scenario collection step of a data management unit that collects and manages an abnormal symptom scenario from a profile DB that stores an abnormal symptom scenario predicting an abnormal behavior of a key management subject; Focus management subject information obtained from the management target information DB through the management target information collection step, access movement information and access information of the key management target identified through the single user discrimination step, and the abnormal symptom scenario collection step. Analyze the abnormal symptom scenario obtained from the profile DB through, the abnormal symptom analysis step of information leakage analysis unit to detect and block the abnormal symptom of the target management in advance; characterized in that it further comprises.

According to another embodiment of the present invention, the abnormal symptom analysis step in the improved security control method through the identification of a single user according to the present invention requests information on the key management target collected through the management information collection step Management subject information request step; A single user information request step of requesting access information or access information of a specific person stored in the single user information storage and providing step to a specific person corresponding to the key management target object obtained through the management subject information request step; An abnormal symptom scenario request step for requesting information on the abnormal symptom scenario collected through the abnormal symptom scenario collection step; A comparative analysis step of comparing and analyzing the access movement information or the access information of the specific person obtained through the single user information request step and the abnormal symptom scenario obtained through the abnormal symptom scenario request step; And a notification and storage step of notifying and storing the matters which are found to be abnormal symptoms through the comparative analysis step, or storing the matters which are not found to be abnormal symptoms.

The present invention can obtain the following effects by the configuration, combination, and use relationship described above with the present embodiment.

The present invention integrates and manages the information used by all authentication systems used by each individual on various authentication systems for security, so that a single user can be identified accurately and all the trends of a specific person can be integrated and managed to efficiently detect security incidents. Provides improved security control system and method through single user identification that can block or block.

The present invention provides an improved security control system and method through the identification of a single user who can detect and prevent the risk of security incidents in advance by enabling the priority management of the key management targets related to internal security in advance. do.

The present invention provides an improved security control system and method through the identification of a single user that can detect and prevent the risk of security incidents in advance by enabling scenario management of abnormal symptoms related to internal security in advance. .

The present invention can continuously update the abnormal symptom scenario, so that the risk factors of all possible security accidents can be scenario-managed and managed in advance, thereby improving the security control system through the identification of a single user that can increase the possibility of security accident prevention. And a method thereof.

Hereinafter, preferred embodiments of the converged security control system and method through a single user identification according to the present invention will be described in detail with reference to the accompanying drawings.

1 is a block diagram of an improved security control system through single user identification according to an embodiment of the present invention, Figure 2 is a detailed configuration diagram of the data management unit, data analysis unit and information leakage analysis unit, Figures 3 to 4 FIG. 5 is a diagram illustrating an example in which an improved security control system through single user identification according to the present invention is implemented, and FIG. 5 is a block diagram of an improved security control method through single user identification according to an embodiment of the present invention. 6 is a block diagram showing the detailed configuration of the single user discrimination step, and FIG. 7 is a block diagram showing the detailed configuration of the abnormal symptom analysis step.

1 to 7, the improved security control system through a single user identification according to an embodiment of the present invention is the access movement information or terminal, program or check and registered in the authentication system when entering or moving in the facility; An authentication information DB (100) for storing connection information which is checked and registered in the authentication system when connecting to the network; Information that all employees in the company use in authentication system, ie company number, name, social security number, biometric information, access card information, terminal IP address, terminal access ID, mail (messenger) access ID, remote server system access ID, groupware system access A user identification DB 200 for storing IDs, network system access IDs, database server access IDs, and program access IDs by database for each employee; Personnel information DB (300) for storing personal information of all employees in the company, that is, company number, name, social security number, company name, company code, department name, department code, job title, date of employment, address, contact information by database for each employee; Management subject information DB (400) for selecting the key management subjects according to the degree of access and handling of internal information among the employees in the company to store information about them; A data manager 600 for periodically collecting and managing information stored in the authentication information DB 100, the user identification DB 200, the personnel information DB 300, and the management target information DB 400; Data analysis unit for determining whether a single user by comparing and analyzing the access movement information or access information obtained from the authentication information DB (100) and the information used in the authentication system for each employee stored in the user identification DB (200) ( 700); Checking and registering in the authentication system for each employee by including; information leakage analysis unit 800 to detect the internal information leakage symptoms by analyzing the access movement information and access information of the single user determined by the data analysis unit 700 By determining whether a single user from the various access movement information or access information that is characterized in that it can detect the internal information leakage signs in advance.

The authentication information DB 100 stores access movement information that is checked and registered in each authentication system when entering or exiting a facility, or access information that is checked and registered in each authentication system when connecting to a terminal, a program, or a network. As a part, when a user checks and registers with various authentication systems 1-9, the authentication information storage module 101-109 of each authentication system 1-9 has a check date and time which occurs during the check and registration process. Various information such as used information (meaning, biometric information such as fingerprint, ID, etc.), approval status, and the like are stored, and the information forms the contents of the authentication information DB 100. Among these authentication information DB (100), in particular, biometric information such as company number or social security number used in door authentication system (1) or elevator authentication system (2), fingerprint used in terminal authentication system (3), network authentication system Information that can identify a specific user, such as an ID or a password used in (4) or the program authentication system 8, is utilized as information for discriminating a single user. The authentication information storage modules 101 to 109 of each authentication system 1 to 9 may store information extracted by using a general storage device, that is, a hard disk or a RAM.

The user identification DB (200) is a part for storing all the information used in the authentication system for all employees in the database by each employee, the various authentication systems for the security of the company, that is, the access / movement restrictions when moving in or out of the facility Restricting access to networks such as door authentication system 1 or elevator authentication system 2, terminal authentication system 3 for restricting access to various terminals used in-house, and various communication networks used in-house Network authentication system (4), groupware authentication system (5) for restricting access to groupware used in-house, remote server authentication system (6) for restricting access to in-house server remotely, in-house communication network E-mail (messenger) authentication system (7) for restricting access to e-mail or messenger through In the program authentication system (8) for restricting the use authority of the user, and the DB server authentication system (9) for restricting access to the in-house database server, information for various authentications used is included in each system (1-9). Since it is created and managed separately for each user, the door authentication system (1), the elevator authentication system (2), the terminal authentication system (3), etc., are separately accessed or moved / received even if a specific user accesses and moves to the terminal. There was a weakness to determine only whether the access is approved, and it is difficult to determine whether the user is a single user or an abnormal symptom according to the root of the single user. All information used on the account, name, name, social security number, biometrics, access card information, terminal IP address, terminal access child It stores the mail (IM) connection ID, remote server system connection ID, groupware system connection ID, network system connection ID, database server connection ID, program connection ID, etc. for each individual. The information may be stored in a database using a device, that is, a hard disk or a RAM. Accordingly, all information used by a specific person in the company's authentication system is stored and managed at a glance through the user identification DB 200.

The personnel information DB (300) is a part that stores the personal information of all employees in the company database for each employee, the personal information of all employees, that is, company number, name, resident registration number, company name, company code, department name, department code, It is necessary to know the personal information of employees identified as a single user by storing the position, date of employment, address, and contact information in a database for each employee, or when needing personal information of an employee who exhibits an abnormal symptom that violates security. Information can be provided immediately. The personnel information DB 300 may store the information as a database using a general storage device, that is, a hard disk or a RAM.

The management subject information DB (400) is a part for selecting the key management subjects and storing the information according to the degree of access and handling of internal information among the employees in the company, authentication for various security installed in the company as described above Employees who have access to in-house confidential information by systems are limited, and confidential leaks that occur in-house are often carried out by some employees with such access rights. Rather, focusing on employees who have the right to access confidential information will be a more effective way to manage security. Therefore, select key targets based on the level of access and handling of internal or confidential information among employees in the company. Separate information on the selected key managers to the management target information DB (400) By storing / management, and the management subject information DB (400) is capable of storing and databasing the selected information by using a common storage device, that is, a hard disk or RAM or the like.

The data manager 600 is a part for periodically collecting and managing information stored in the authentication information DB 100, the user identification DB 200, the personnel information DB 300, the management target information DB 400, and the like, Check date and time stored in the authentication information DB (100), information used for authentication (meaning, biometric information, such as fingerprint, ID, etc.), various information such as whether or not to collect or delete old information The user may register new information used in various authentication systems for each employee stored in the user identification DB 200 or delete information not used, and personal information for each employee stored in the personnel information DB 300. Collect or modify the fluctuating information, such as the employee information that has left the company, register the information about the newly selected management subject in the management target information DB (400) or delete old information, Information collected from the information DB (100), user identification DB (200), personnel information DB (300), management target information DB (400) and the like, which will be described below data analysis unit 700 or information leakage analysis unit 800 ) Will also perform the function. That is, the first reception module 601 receives information stored in the authentication information DB 100, the user identification DB 200, the personnel information DB 300, the management target information DB 400, or the like by an administrator. New information used in a variety of newly entered authentication systems, information about the newly selected management target, etc. are received, and the authentication information DB (100) received by the first transmission module (605), user identification DB ( 200), personnel information DB (300), management target information DB (400), such as information provided to the data analysis unit 700 or information leakage analysis unit 800, or in various authentication systems input by the administrator The new information to be used, information about the newly selected management target, and the like are provided to the personnel information DB 300 and the management target information DB 400 to be stored, and the control module 603 is configured to store the first receiving module. 601 and the first transmission module 605 to receive the information received and transmitted And management. The data management unit 600 may use a general operation unit or a central processing unit, and the function of the data management unit 600 may be performed by a separate program.

The data analysis unit 700 compares the information used for authentication in the authentication system (1-9) obtained from the authentication information DB (100) and the information stored in the user identification DB (200) to determine whether a single user Based on the information used in the authentication obtained from the authentication information DB (100) through the data management unit 600 and the information used in the authentication system for each employee obtained in the user identification DB (200) For example, a specific user recognizes a fingerprint in the door authentication system 1, enters the terminal number into the terminal authentication system 4, receives a terminal use approval, and then enters the network authentication system 5 in the company network. Even in the case of accessing using a specific ID and password, the fingerprint, number, ID and password used in each authentication system and non-specific information for each employee stored in the user identification DB (200) By cross-referencing, a function of determining the fact that such a series of actions is performed by a single user is performed. In more detail as an example, when receiving the number used for authentication of the terminal authentication system 3 from the data management unit 600 by the second receiving module 701, the first analysis and processing module ( 703 requests the data management unit 600 to use the information stored in the user identification DB 200 in all other authentication systems of the specific person using the number or the personnel information DB 300 based on the number. The personal information of the specific person using the number stored in the request is received, and based on this, the specific person is stored in the authentication information DB 100 in the data management unit 600 in all other authentication systems. When requesting the information corresponding to the information to be used and receiving it, the specific person authenticated using the number 4 to the terminal authentication system 3 checks the other authentication system. It is possible to systematically store and manage access to the mobile information or access information, personnel information, such as for a single user, as in the example shown in Figure 4 to glance to grasp and out movement information and the access information. The second transmission module 705 may store the analysis result in a separate storage device or provide the information leakage analysis unit 800. The data analysis unit 700 may use a general operation unit or a central processing unit, and the function of the data analysis unit 700 may be performed by a separate program.

The information leakage analysis unit 800 detects internal information leakage symptoms by analyzing the access movement information and the access information of the single user determined by the data analysis unit 700. If the access is made using the ID of the specific employee in the terminal authentication system 3 of the specific terminal even though the access authentication system 1 of the installed floor is not accessed and entered, the information leakage analysis unit 800 ) Analyzes the access movement information and access information, captures and detects the signs of internal information leakage, and takes appropriate measures, such as denying access to the terminal or alerting the relevant parties. It becomes possible. In more detail as an example, when the access information and the access information of a single user determined by the data receiving unit 700 by the third receiving module 801, the second analysis and processing module 803 ) Analyzes the access movement information and the access information of a single user and captures and detects internal information leakage signs. As described above, the specific door authentication system of a floor where a specific employee is installed ( 1) in the authentication information DB (100) of the authentication information DB (100) of the terminal authentication system (3) of the terminal of the specific terminal at the time after the authentication or exiting the record on the record of the specific employee as the ID of the specific employee If the connection authentication is made, it is detected and detected as an internal information leakage signal, and the third transmission module 805 notifies the administrator to recognize the analysis result or respectively. The transmission to the authentication system, to block the specific terminal user moves out of or connected. The information leakage analysis unit 800 may use a general operation unit or a central processing unit, and the function of the information leakage analysis unit 800 may be performed by a separate program.

The improved security control system through single user identification according to an embodiment of the present invention integrates and manages separate information used by each individual on each authentication system in various authentication systems for security, and through this, each authentication is performed. It is possible to accurately identify a single user from the information connected to the systems and to manage all trends of a specific person so that the effect of effectively detecting or blocking a security incident can be expected.

The improved security control system through the identification of a single user according to another embodiment of the present invention further includes a profile DB (500) for storing an abnormal symptom scenario for predicting abnormal behavior of the key management target, the data management unit 600 ) Periodically collects and manages information stored in the profile DB 500, and the information leakage analysis unit 800 includes key management subject information stored in the management target information DB 400 and the data analysis unit ( Comparing and analyzing the movement and access information and access information of the key management subject and the abnormal symptoms scenario stored in the profile DB 500, it is possible to detect and block the abnormal symptoms of the key management subject in advance. do.

The profile DB 500 stores an abnormal symptom scenario for predicting abnormal behavior of a key management subject registered and managed on a specific subject, in particular, the subject management information DB 400, which is generated in-house as described above. Confidentiality incidents are often conducted by some employees with access to confidential company information, so they focus on employees who have access to confidential information rather than managing all employees equally. As a more efficient security management method, the profile DB can be used to predict abnormal symptoms of security accident risks based on the abnormal behavior patterns of the key management subjects selected and managed as targets. Stored in the 500 will be utilized. The profile DB 500 may store the selected information by using a general storage device, that is, a hard disk or a RAM.

The abnormal symptom scenario refers to the prediction of abnormal behaviors related to a confidential leak of a particular person, in particular, a key management subject, and recording the pattern as a scenario. The abnormal symptom scenario analyzes abnormal symptoms occurring in a single behavior pattern of a specific person. The correlation analysis scenario predicted and the correlation analysis scenario predicting abnormal symptoms occurring in a comprehensive behavior pattern by interconnecting the analysis scenario alone, and the correlation analysis scenario or correlation among the abnormal behavior patterns detected by a specific person. Anomalous behavior patterns or users who do not conform to the analysis scenarios or post-analysis scenarios for separately extracting and dataizing the data and reflecting them in the future symptom scenario or key management target information are included.

The single analysis scenario is a scenario in which a pattern is set by assuming one abnormal behavior of a specific person. For example, abnormal behavior through commuting time, that is, when a specific target manager goes to work much earlier than usual or goes home later than usual. Scenarios assuming abnormal behaviors, or abnormal behaviors through the access route, such as accessing the door authentication system on the floor that is not normally accessed or increasing the number of times of entrance to security-related places much more frequently than usual. Assumed scenarios can be calculated.

The correlation analysis scenario is a scenario in which the single analysis scenarios described above are interconnected and the pattern is set assuming an abnormal symptom in a specific behavioral pattern of a specific person. In connection with the analysis scenario and the independent analysis scenario that assumes abnormal behavior through the access movement route, the number of people who enter into the security-related places increases more frequently than usual during the delayed working hours due to the delayed leaving time than usual. Correlation analysis scenarios that set the situation as an abnormal symptom can be estimated.

The post-analysis scenario is an abnormal symptom scenario stored in the profile DB 500 by the information leakage analysis unit 800, that is, the single analysis scenario or the correlation analysis scenario and the key management identified by the data analysis unit 700. If an abnormal behavior pattern is not detected in the single analysis scenario or the correlation analysis scenario in the process of comparing and comparing the access movement information and the access information of the subject, it is extracted to reflect the abnormal symptom scenario or the key management target information in the future. This refers to a scenario of data storage.

The information leakage analysis unit 800 corresponds to the key management target information stored in the management target information DB 400 and the access movement information and the access information of the single user determined by the data analysis unit 700 based on the information. By analyzing the access movement information and access information of the key management target and the abnormal symptom scenario stored in the profile DB (500), the abnormal symptoms of the key management target can be detected in advance and informed and blocked.

The improved security control system through the identification of a single user according to another embodiment of the present invention can improve the efficiency of security incident blocking by allowing the key management targets to be classified and managed in advance. In addition, it is possible to expect the effect of detecting and preventing the risk of a security accident in advance by enabling scenario creation of abnormal symptoms related to internal security in advance in a scenario.

1 to 7, an improved security control method through single user identification according to an embodiment of the present invention is the access movement information or terminal, program or check and registered in the authentication system when entering or moving in the facility or An authentication information collecting step (S1) of the data management unit 600 which collects and manages the information used in the authentication system from the authentication information DB 100 which stores access information which is checked and registered in the authentication system when connecting to the network; Information that all employees in the company use in authentication system, ie company number, name, social security number, biometric information, access card information, terminal IP address, terminal access ID, mail (messenger) access ID, remote server system access ID, groupware system access A user of the data management unit 600 that collects and manages authentication system usage information for each employee from the user identification DB 200 storing database IDs, network system connection IDs, database server connection IDs, and program connection IDs for each employee. Identification information collection step (S2); Personal information of all employees in the company, that is, company number, name, social security number, company name, company code, department name, department code, position, date of employment, address, contact information from each personnel information database (300) to store each database Personnel information collection step (S3) of the data management unit 600 to collect and manage the personal information for each employee; Data used to determine whether or not a single user by comparing and analyzing the information used in the authentication system obtained through the authentication information collection step (S1) and the authentication system usage information for each employee obtained through the user identification information collection step (S2). Single user discrimination step (S6) of the analysis unit 700; An information leakage analysis step (S7) of the information leakage analysis unit 800 for detecting an internal information leakage sign by analyzing the access movement information and the access information of the single user determined through the single user discrimination step (S6); In addition, it is possible to detect an internal information leakage sign in advance by determining whether a single user is determined from various access movement information or access information checked and registered in the authentication system for each employee.

The authentication information collecting step (S1) is an authentication for storing access movement information checked and registered in the authentication system when entering or moving in a facility or access information checked and registered in the authentication system when accessing a terminal, a program or a network. The data management unit 600 collects necessary information for identifying a user from the information DB 100. For example, the user may access the door authentication system 1 installed at the door or the terminal authentication system 3 installed at the terminal, and the network. In the case of checking and accessing the network authentication system (4), etc. that must pass through to access the image, each authentication system (1, 3, 4) checks whether the information to be checked and connected is matched, and if the information does not match, the authentication is rejected. If the information is matched, the access or access is approved. When the connection is approved, access or access records are generated in each authentication system (1, 3, 4) at each approval, so that authentication information storage modules (101, 103, 104) of each authentication system (1, 3, 4), that is, the authentication The information is stored in the DB 100, the authentication information collection step (S1) is the information required for the user identification of the information stored in the data management unit 600 in the authentication information DB 100, that is, four times or resident registration number, It refers to the step of performing a function for providing the data analysis unit 700 or the information leakage analysis unit 800 by collecting information such as a fingerprint, ID.

In the user identification information collection step (S2), the data management unit 600 uses the authentication system for each employee from the user identification DB (200), which stores the information used in the authentication system by all employees in the database into a database for each employee. In the step of collecting, as described above, the user identification DB (200) is the information used by all employees in the company authentication system, that is, company number, name, social security number, biometric information, access card information, terminal IP address, terminal access ID, mail (messenger) access ID, remote server system access ID, groupware system access ID, network system access ID, database server access ID, program access ID, etc. are stored in database for each employee, and the user identification information is collected. Step S2 is the user identification if the data management unit 600 is required It means a step of collecting the authentication system usage information for each employee stored in the DB (200).

The personnel information collection step (S3) is a step in which the data management unit 600 collects personal information of each employee from the personnel information DB 300 which stores personal information of all employees in the company in a database. As described above, the personnel information DB 300 is a database of personal information of all employees in the company, that is, company number, name, social security number, company name, company code, department name, department code, position, date of employment, address, contact information, etc. for each employee. The personnel information collection step (S3) refers to a step of collecting personnel information for each employee stored in the personnel information DB 300 when the data management unit 600 is required.

The single user discriminating step (S6) is a step of determining whether the same user, that is, a single user among the users who check and connect to each authentication system, through the authentication information collecting step (S1) the authentication information DB (100) The data management unit uses the authentication system usage information for each employee obtained from the user identification DB 200 through the user identification information collection step (S2) and information necessary for user identification among records of each authentication system obtained from the data management unit. Received from the 600, the data analysis unit 700 compares the authentication information checked and connected to each authentication system and the authentication system usage information for each employee to determine whether a single user.

Referring to FIG. 6, the single user discrimination step S6 may include a first authentication information request step S61 for requesting information used for a specific authentication system collected in the authentication information collection step S1; A user who requests information used by all authentication systems collected in the user identification information collection step S2 for a specific person using information used in a specific authentication system obtained through the first authentication information request step S61. Identification information request step (S62); Personnel information request step (S63) for requesting personal information collected in the personnel information collection step (S3) for a specific person using the information used in the specific authentication system obtained through the first authentication information request step (S61) ; A second requesting information used in all other authentication systems of a specific person collected in the authentication information collection step S1 based on information used by the specific person obtained through the user identification information request step S62 in all authentication systems; Authentication information request step (S64); A single user information storing and providing step (S65) of storing and providing access movement information or access information of a specific person used in all authentication systems based on the information obtained through the second authentication information request step (S64); Can be done.

The first authentication information request step (S61) is, for example, when a specific person in the terminal authentication system 3 has been checked and authenticated using his terminal connection ID, authentication information storage module 103, that is, authentication information DB ( 100 is stored in the authentication information, the information necessary to identify a specific person from the authentication information collected through the authentication information collection step (S1) of the data management unit 600, that is, the terminal connection ID to the data analysis unit 700 Means a step of requesting the data manager 600.

The user identification information request step (S62) is the terminal connection ID when a specific person obtains the terminal access ID used in the terminal authentication system (3) through the first authentication information request step (S61), as an example. It means the step of requesting the information used in all other authentication system of the specific person using the terminal access ID from the information used in each employee-specific authentication system collected through the user identification information collection step (S2).

The personnel information request step (S63) is the terminal connection ID when a specific person obtains the terminal access ID used in the terminal authentication system (3) through the first authentication information request step (S61), as an example. Based on the personnel information collected through the personnel information collection step (S3) means a step of requesting personal information of a specific person using the terminal access ID.

When the second authentication information request step (S64) is obtained as an example, through the user identification information request step (S62) obtained information used by all other authentication system of the specific person using the terminal access ID. Based on this, door authentication except for all the authentication systems other than the specific person, that is, the terminal authentication system 3, among the authentication information checked and stored in all authentication systems collected through the authentication information collection step S1 of the data management unit 600. The data analyzing unit 700 stores the information corresponding to the information used in the system 1, the elevator authentication system 2, the network authentication system 4, the DB server authentication system 9, and the like. Means to request.

The single user information storage and provision step (S65) is the specific person checked and registered on all authentication systems based on the information obtained through the second authentication information request step (S64) as described above (wherein the specific person This means the step of storing the access movement information or access information of the person who is identified as a single user and provide it to the information leakage analysis unit (800).

As described above, when it is possible to determine only information corresponding to a specific single user among various information authenticated on all authentication systems through the single user discrimination step (S6), a specific employee (single user) enters and exits through any path. You will be able to see at a glance whether you are mobile and which terminal you are connected to.

In the information leakage analysis step (S7), the information leakage analysis unit 800 detects an internal information leakage signal by analyzing the access movement information and the access information of the single user determined through the single user determination step (S6). For example, even if a specific employee does not access the corresponding door authentication system 1 on the floor where the specific terminal is installed, the specific employee's ID is used in the terminal authentication system 3 of the specific terminal to allow access. In this case, the information leakage analysis unit 800 analyzes the access movement information and the access information of the specific employee determined through the single user discrimination step (S5), and then detects and detects the internal information leakage symptoms accordingly. Corresponding measures can be taken, such as denying access to the terminal or alerting the relevant parties.

The improved security control method through the identification of a single user according to an embodiment of the present invention is integrated management of separate information used by each individual on various authentication systems for security and connected to each authentication system through this. By accurately identifying a single user from the information and managing all trends of a specific person therefrom, it is possible to effectively detect or block security incidents.

In accordance with another embodiment of the present invention, the improved security control method through the identification of a single user includes a management target information DB for selecting key management targets and storing information according to the degree of access and handling of internal information among employees in the company. A management target information collection step (S4) of the data management unit 600 for collecting key management target information from 400; An abnormal symptom scenario collection step (S5) of the data management unit 600 which collects and manages the abnormal symptom scenario from the profile DB 500 which stores the abnormal symptom scenario for predicting the abnormal behavior of the target management subject; Key management target information obtained from the management target information DB 400 through the management target information collection step S4, and access movement information and access information of the key management target identified through the single user discrimination step S6. And an abnormality of the information leakage analysis unit 800 that detects and blocks abnormal symptoms of the key management subject in advance by analyzing the abnormal symptom scenarios obtained from the profile DB 500 through the abnormal symptom scenario collection step (S5). Symptom analysis step (S8); characterized in that it further comprises.

In the management target information collection step (S4), the data management unit 600 collects the key management target information from the management target information DB 400 which stores information on the person selected as the key management target among the employees in the company. As described above, the management target information DB (400) has the access rights and handling rights for the confidential information according to the degree of access and handling of internal information among the employees in the company having the possibility of security leakage accident Selected as a key management target to manage and store it so that it can be specially managed, the management target information collection step (S4) is the key management that is stored in the management target information DB (400) when the data management unit 600 is required It means the step of collecting subject information.

The abnormal symptom collecting step (S5) is a step in which the data management unit 600 collects an abnormal symptom scenario from the profile DB 500 storing an abnormal symptom scenario predicting an abnormal behavior of a key management subject. As described above, the profile DB 500 is an abnormal symptom capable of predicting an abnormal symptom of a security accident risk in advance based on an abnormal behavior pattern of a specific person, in particular, a key management subject registered and managed on the subject information DB 400. Storing and managing a scenario, the abnormal symptom collecting step (S5) refers to a step of collecting abnormal symptom scenario information stored in the profile DB 500 when the data manager 600 is needed. As described above, in the abnormal symptom scenario, an analytical prediction scenario for analyzing an abnormal symptom occurring in a single behavioral pattern of a specific person and an anomaly symptom generated in a comprehensive behavior pattern by interconnecting the singular analysis scenario are analyzed and predicted. Among the correlation analysis scenarios and the abnormal behavior patterns detected by a specific person, abnormal behavior patterns or users that do not match the single analysis scenario or the correlation analysis scenario are separately extracted and converted into data to be reflected in the future symptom scenario or key management target information. There are post-analysis scenarios for this purpose, and the detailed description thereof is the same as described above, and the description thereof is omitted here to avoid duplicated materials.

The abnormal symptom analysis step (S8) is a step in which the information leakage analysis unit 800 detects an abnormal symptom in advance by comparing and analyzing the movement and access information and the access information and the abnormal symptom scenario of a particular target management person. Key management target information obtained from the management target information database 400 through the management target information collection step (S4), and access movement information and access information of a single user determined through the single user discrimination step (S6) Analyzing the abnormal movement scenario and the access information and the access information of the key management target, and the abnormal symptoms scenario obtained from the profile DB 500 through the abnormal symptoms scenario collection step (S5), Focused management by checking whether the access route and the number of times of access based on the access information coincide with or similar to the set abnormal symptom scenario. By detecting the internal information leakage indication of the box in advance it is possible to prevent warning.

Referring to Figure 7, the abnormal symptom analysis step (S8) is a management subject information request step (S81) for requesting information on the key management subjects collected through the management target information collection step (S4); Single user information request for requesting access information or access information of a specific person stored in the single user information storage and provision step (S65) for a specific person corresponding to the key management subject obtained through the management subject information request step (S81) Step S82; An abnormal symptom scenario request step (S83) for requesting information on the abnormal symptom scenario collected through the abnormal symptom scenario collection step (S5); A comparative analysis step (S84) of comparing and analyzing the access movement information or the access information of the specific person obtained through the single user information request step (S82) and the abnormal symptom scenario scenario obtained through the abnormal symptom scenario request step (S83); Notification and storage step (S85) for notifying and storing the information that turns out to be an abnormal symptom through the comparative analysis step (S84), or to store the information that is not found to be an abnormal symptom (S85).

The management target information request step (S81) is the information leakage analysis of the information on the key management target data collected by the data management unit 600 from the management degree DB 400 through the management target information collection step (S4). It means that the step 800 requests the data management unit 600.

The single user information request step (S82) is the management target information request step of the access information or access information for the specific person stored in the data analysis unit 700 through the single user information storage and providing step (S65) The information flow analysis unit 800 requests the data analysis unit 700 for access movement information or access information for a specific person corresponding to the key management subject obtained through S81.

The abnormal symptom scenario request step (S83) includes information on the abnormal symptom scenario collected by the data manager 600 from the profile DB 500 through the abnormal symptom scenario collection step (S5). 800 refers to the step of requesting the data manager 600.

The comparative analysis step (S84) is a comparative analysis of the abnormal movement scenario or the abnormal symptoms obtained through the abnormal symptom scenario request step (S83) and the access movement information or access information of the specific person obtained through the single user information request step (S82) For example, if a particular key management object has more than one hour of leaving work than usual, the number of times he or she enters more than three times more security-related places at work is delayed. When comparing the access analysis information or access information of one of the key management subjects with the linkage analysis scenario, the comparative analysis is performed to determine whether the access movement record or access record of one of the key management subjects matches the interconnection analysis scenario. Means step.

The notification and storage step (S85) is to inform and store the matters found to be an abnormal symptom through the comparative analysis step (S84), or to store the matters that are not found to be an abnormal symptom. As a result of the comparative analysis step (S84), if the access movement record or the access record of one of the key management subjects matches the interconnection analysis scenario, the administrator is notified of the fact using a notification signal and the record is stored or the key management subjects are not included. It is possible to block the authentication of one person, and even if the access movement record or the access record of one of the key management subjects does not coincide with the interconnection analysis scenario, the record is stored so that it can be used as a data for the post analysis scenario. Means step.

The improved security control method through the identification of a single user according to another embodiment of the present invention can enhance the efficiency of security incident blocking by allowing the key management targets to be classified and managed in advance. In addition, it is possible to expect the effect of detecting and preventing the risk of security incidents in advance by enabling scenario creation of abnormal symptoms related to internal security in a scenario.

In the above, the Applicant has described preferred embodiments of the present invention, but these embodiments are merely one embodiment for implementing the technical idea of the present invention, and any changes or modifications may be made as long as the technical idea of the present invention is implemented. Should be interpreted as being within the scope.

1 is a block diagram of an improved security control system with single user identification in accordance with an embodiment of the present invention.

Figure 2 is a detailed configuration diagram of the data management unit, data analysis unit and information leakage analysis unit

3 to 4 is a reference diagram for explaining an example in which an improved security control system through a single user identification according to the present invention is implemented.

5 is a block diagram of an improved security control method through single user identification according to an embodiment of the present invention.

6 is a block diagram showing the detailed configuration of a single user discrimination step;

7 is a block diagram showing the detailed configuration of the abnormal symptoms analysis step

* Explanation of the main symbols used in the drawings

1: door authentication system 2: elevator authentication system 3: terminal authentication system

4: network authentication system 5: groupware authentication system 6: remote server authentication system

7: Mail (IM) Authentication System 8: Program Authentication System 9: DB Server Authentication System

100: authentication information DB 200: user identification DB 300: personnel information DB

400: management target information DB 500: profile DB

600: data management unit 700: data analysis unit 800: information leakage analysis unit

601: receiving module 603: control module 605: transmitting module

701: receiving module 703: analysis and processing module 705: sending module

801: receiving module 803: analysis and processing module 805: sending module

Claims (8)

An authentication information DB for storing access movement information checked and registered with the authentication system when entering or going to a facility or access information checked and registered with the authentication system when accessing a terminal, a program or a network, and providing the same to the data management unit; Information that all employees in the company use in authentication system, ie company number, name, social security number, biometric information, access card information, terminal IP address, terminal access ID, mail (messenger) access ID, remote server system access ID, groupware system access A user identification DB for storing one or more databases by each employee in a group consisting of an ID, a network system connection ID, a database server connection ID, and a program connection ID, and providing the data to the data management unit; A data management unit for periodically collecting and managing information stored in the authentication information DB and the user identification DB and providing the same to the data analysis unit or the information leakage analysis unit; A data analysis unit for comparing the access movement information or the access information obtained from the authentication information DB with the data management unit and the information used in the authentication system for each employee stored in the user identification DB to determine whether a single user exists; And an information leakage analysis unit for detecting an internal information leakage signal by analyzing the access movement information and the access information of the single user determined by the data analysis unit. Security control system through single user identification, characterized in that it is possible to detect the internal information leakage sign in advance by determining whether a single user from the access movement information or access information checked and registered in the authentication system for each employee. The method of claim 1, wherein the security control system Based on the access and handling of internal information among employees in the company, the subject information DB that selects and stores information on the key management subjects, and the profile DB that stores the abnormal symptom scenarios for predicting abnormal behaviors of the key management subjects. Additionally, The data manager periodically collects and manages information stored in the management target information DB and the profile DB. The information leakage analysis unit compares and analyzes key management target information stored in the management target information DB, access movement information and access information of the key management target identified by the data analysis unit, and abnormal symptom scenarios stored in the profile DB. Security control system through the identification of a single user, characterized in that it can detect and block the abnormal symptoms of the target management in advance. The method of claim 2, wherein the abnormal symptom scenario is A single analysis scenario for analyzing and predicting abnormal symptoms occurring in a single person's behavioral pattern, and a correlation analysis scenario for analyzing and predicting abnormal symptoms occurring in a comprehensive behavioral pattern by linking the single analysis scenarios with each other Security control system through a single user identification characterized in that it comprises a post-analysis scenario for reflecting the abnormal behavior pattern that does not match the single analysis scenario or the correlation analysis scenario among the abnormal behavior patterns to reflect in the future symptom scenario. The method of claim 3, The data management unit includes a first receiving module for receiving information of the authentication information DB, user identification DB, personnel information DB, management target information DB, and profile DB, and the authentication information DB, user identification DB, personnel information DB, management target person. The control module for changing and managing information stored in the information DB and the profile DB, and transmitting the information of the authentication information DB, user identification DB, personnel information DB, management target information DB and profile DB to the data analysis unit or the information leakage analysis unit. Including a first transmission module, The data analysis unit analyzes the information of the authentication information DB, user identification DB or personnel information DB, and a second receiving module for receiving the information of the authentication information DB, user identification DB or personnel information DB from the data management unit and a single user A first analysis and processing module for determining a second and a second transmission module for transmitting an analysis result of the first analysis and processing module to the information leakage analysis unit, The information leakage analysis unit includes a third reception module for receiving the analysis result of the data analysis unit and the information of the management target information DB and the profile DB from the data management unit, the analysis result of the data analysis unit, and the management target information DB and the profile DB. A second analysis and processing module for determining an abnormal symptom by analyzing the information of the second information; and a third transmission module for transmitting the analysis result of the second analysis and processing module. . Information used in the authentication system from an authentication information DB that stores access movement information checked and registered with the authentication system when entering or going to a facility, or access information checked and registered with the authentication system when connecting to a terminal, program, or network. Authentication information collection step of collecting and managing the data management unit; Information that all employees in the company use in authentication system, ie company number, name, social security number, biometric information, access card information, terminal IP address, terminal access ID, mail (messenger) access ID, remote server system access ID, groupware system access Data management part that collects and manages the authentication system usage information of each employee from the user identification DB which stores one or more databases by each employee in the group consisting of ID, network system access ID, database server access ID, and program access ID. Collecting user identification information; Single user discrimination step of the data analysis unit to determine whether a single user by comparing and analyzing the information used in the authentication system obtained through the authentication information collection step and the authentication system usage information for each employee obtained through the user identification information collection step ; And an information leakage analysis step of detecting an information leakage signal by analyzing access movement information and access information of the single user determined through the single user discrimination step. A security control method using a single user identification characterized in that it is possible to detect the internal information leakage sign in advance by determining whether a single user from the access movement information or access information checked and registered in the authentication system for each employee. The method of claim 5, wherein the single user discriminating step A first authentication information request step of requesting information used for a specific authentication system collected in the authentication information collection step; User identification information request step for requesting information used in the authentication system of the specific person collected in the user identification information collection step for a specific person using the information used in the specific authentication system obtained through the first authentication information request step ; A second authentication information request step of requesting the information used in the authentication system of the specific person collected in the authentication information collection step based on the information used by the specific person obtained through the user identification information requesting step; Single user information storage and providing step of storing and providing the access movement information or access information of the specific person used in the authentication system based on the information obtained through the second authentication information request step; Identification of security control through identification. The method of claim 6, wherein the security control method A management information collection step of the data management unit which collects the key management target information from the management target information DB which selects the key management targets and stores the information according to the degree of access and handling of internal information among the employees in the company; An abnormal symptom scenario collection step of a data management unit for collecting and managing abnormal symptom scenarios from a profile DB that stores abnormal symptom scenarios for predicting abnormal behaviors of the key management subjects; Focus management subject information obtained from the management target information DB through the management target information collection step, access movement information and access information of the key management target identified through the single user discrimination step, and the abnormal symptom scenario collection step. Analyze the abnormal symptom scenario obtained from the profile DB through the above, and analyze the abnormal symptom of the target management subject in advance and analyze the abnormal symptom of the information leakage analysis unit. Control method. According to claim 7, wherein the abnormal symptoms analysis step A management target information request step for requesting information on the central management target collected through the management target information collection step; A single user information request step of requesting access information or access information of a specific person stored in the single user information storage and providing step to a specific person corresponding to the key management target object obtained through the management subject information request step; An abnormal symptom scenario request step for requesting information on the abnormal symptom scenario collected through the abnormal symptom scenario collection step; A comparative analysis step of comparing and analyzing the access movement information or the access information of the specific person obtained through the single user information request step and the abnormal symptom scenario obtained through the abnormal symptom scenario request step; And a notification and storage step of notifying and storing the information found to be an abnormal symptom through the comparative analysis step, or storing the information not found to be an abnormal symptom.

Images