JP2007018235A - Illegal use detection system, terminal to be managed and management terminal - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an illegal use detection system, a terminal to be managed and a management terminal for preliminarily preventing the illegal use of a computer. <P>SOLUTION: In this illegal use detection system where at least one terminal 100 to be managed and a management terminal 110 are connected through a network 140, the terminal 100 to be managed is provided with an input information extracting part 103 for generating input information showing the content of an input operation through a keyboard 101 or a mouse 102 for an arbitrary application and an input information transmitting part 105 for transmitting the input information to the management terminal 110, and the management terminal 110 is provided with an input information receiving part 121 for receiving the input information from the terminal 100 to be managed, an inappropriate expression extracting part 122 and an illegal use detecting part 124 for determining whether or not the input operation shown by the received input information is a predetermined input operation and an output part 130 for, when the input operation shown by the received input information is the predetermined input operation, outputting information showing the result. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  Whether the computer is not used for a purpose other than the original purpose in an environment (business, school, etc.) in which a plurality of computers are connected to a network to perform business, and there is no leakage of confidential information Relates to a system for monitoring.

  In recent years, the importance of information leakage countermeasures has been increasing in companies.

  Computer terminals in a company are often used by a specific individual even if they are owned by the company, and their use is largely based on personal management.

  In companies, the use of computers is almost always entrusted to individual management, and there are almost no effective measures to prevent the use of computers for illegal purposes.

  There are some methods such as checking unauthorized use from the log information of emails sent from within the company or checking unauthorized information access from the access log to the server. Since this is a check, unauthorized use of the computer cannot be prevented.

  Therefore, it is difficult to detect and prevent unauthorized use of software, use for personal purposes, or unauthorized access to information related to trade secrets.

As a conventional technique for acquiring an input operation in a computer terminal in real time, there is “a remote display controller, a remote operation terminal, and a remote operation system” disclosed in Patent Document 1.
JP 2001-159944 A

  However, in the invention disclosed in Patent Document 1, the host PC has a remote display controller, so that information of the remote operation terminal can be transmitted to the host PC side or the operation in the reverse direction can be performed. . Therefore, when trying to use the invention disclosed in Patent Document 1 to prevent unauthorized use of a computer, the monitor must always monitor the information input to the monitored terminal. For this reason, it is actually difficult to use the invention disclosed in Patent Document 1 for the purpose of preventing unauthorized use of a computer.

  Thus, conventionally, no unauthorized use detection system that can prevent unauthorized use of a computer has been provided.

  The present invention has been made in view of such a problem, and an object thereof is to provide an unauthorized use detection system, a managed terminal, and a management terminal that can prevent unauthorized use of a computer.

  To achieve the above object, the present invention provides, as a first aspect, an unauthorized use detection system in which at least one managed terminal and a management terminal are connected via a first network, A terminal that obtains information input via a user interface; a means that generates input information indicating the contents of an input operation performed on an arbitrary application via the user interface; and a terminal that manages the input information Means for receiving the input information from the managed terminal, means for determining whether the input operation indicated by the received input information is a predetermined input operation, and receiving When the input operation indicated by the input information is a predetermined input operation, an unauthorized use detection system having means for outputting information indicating that is provided.

  In the first aspect of the present invention, the management terminal preferably has means for storing input information received from the managed terminal.

The management terminal preferably determines whether the received input information is a specific input operation according to the rule information stored in advance. In addition, the management terminal uses the second network. It is more preferable to have means for acquiring rule information from an external device connected via the network.
In addition to these, the predetermined operation includes a first predetermined operation and a second predetermined operation that are different in the rule information used for determination, and the input operation indicated by the received input information is the first predetermined operation. It is more preferable to determine whether or not each of the operation and the second predetermined operation is applicable.

  In any of the above configurations of the first aspect of the present invention, the management terminal performs statistical processing on the input information received during an arbitrary period, and generates statistical data indicating the contents of the input operation performed during that period. It is preferable to have a means to do. Each managed terminal preferably transmits input information to the management terminal at predetermined time intervals. The input information includes information for identifying the user who performed the input operation, information for identifying the application for which the input operation has been performed, information indicating the time at which the input operation was performed, and the type of the input operation It is preferable that the information showing that is included.

  In order to achieve the above object, the present invention provides, as a second aspect, a managed terminal connected to a management terminal via a network, and means for acquiring information input via a user interface; A managed terminal comprising: means for generating input information indicating contents of an input operation performed on an arbitrary application via a user interface; and means for transmitting the input information to the management terminal To do.

  In the second aspect of the present invention, it is preferable to transmit input information to the management terminal at predetermined time intervals.

  In any of the above configurations of the second aspect of the present invention, the input information includes information for identifying a user who has performed an input operation, information for identifying an application in which the input operation has been performed, and the input operation. It is preferable to include information indicating the performed time and information indicating the type of the input operation.

  In order to achieve the above object, according to a third aspect of the present invention, there is provided a management terminal connected to at least one managed terminal via the first network, wherein a user interface is connected to each managed terminal. Means for receiving from the managed terminal input information indicating the contents of the input operation performed on an arbitrary application via the network, and determining whether or not the input operation indicated by the received input information is a predetermined input operation And a means for outputting information indicating that when the input operation indicated by the received input information is a predetermined input operation, a management terminal is provided.

  In the third aspect of the present invention, it is preferable to have means for accumulating input information received from the managed terminal.

It is more preferable to determine whether or not the received input information is a specific input operation according to pre-stored rule information, and in addition to this, an external device connected via the second network It is more preferable to have means for obtaining rule information from
In addition to these, the predetermined operation includes a first predetermined operation and a second predetermined operation that are different in the rule information used for determination, and the input operation indicated by the received input information is the first predetermined operation. It is more preferable to determine whether or not each of the operation and the second predetermined operation is applicable.

  In any of the above configurations of the third aspect of the present invention, there is provided means for statistically processing input information received during an arbitrary period and generating statistical data indicating the contents of the input operation performed during that period. It is more preferable.

  According to the present invention, it is possible to provide an unauthorized use detection system, a managed terminal, and a management terminal that can prevent unauthorized use of a computer.

[First Embodiment]
A first embodiment in which the present invention is suitably implemented will be described. FIG. 1 shows a configuration of an unauthorized use detection system according to the present embodiment. This unauthorized use detection system has a configuration in which a managed terminal 100 and an administrator terminal 110 are connected via a network 140.
The managed terminal 100 is a universal computer terminal used in a general company. The managed terminal 100 includes a keyboard 101, a mouse 102, an input information extraction unit 103, an input information storage unit 104, and an input information transmission unit 105. A keyboard 101 and a mouse 102 are user I / Fs used when a user inputs information to the managed terminal 100. The input information extraction unit 103 acquires information input via the keyboard 101 and the mouse 102 and generates a log file. The log file generated by the input information extraction unit 103 is accumulated in the input information storage unit 104. The input information transmission unit 105 transmits a part of the input information acquired by the input information extraction unit 103 to the administrator terminal 110.

The administrator terminal 110 includes a CPU 120, an input information receiving unit 121, an output device 130, an input information storage unit 131, a statistical data storage unit 132, and a detection rule storage unit 133. The CPU 120 includes an inappropriate expression extraction unit 122, an inappropriate expression detection notification unit 123, an unauthorized use detection unit 124, an unauthorized use detection notification unit 125, and a statistical data generation unit 126.
The CPU 120 executes a program stored in a ROM (not shown) using a RAM (not shown) as a work area, thereby performing an inappropriate expression extraction unit 122, an inappropriate expression detection notification unit 123, an unauthorized use detection unit 124, an unauthorized use. The functions of the detection notification unit 125 and the statistical data generation unit 126 are realized. The input information receiving unit 121 receives input information sent from the managed terminal 100 via the network 140. The inappropriate expression extraction unit 122 refers to the detection rule stored in the detection rule storage unit 133, and the received input information is an inappropriate input operation (an operation related to business, but there is a problem in the content. For example, it is determined whether or not it is generated in accordance with an operation for inputting a word of slander or slander to the e-mail software, or an operation for inputting a word unrelated to business to the browser software. When the inappropriate expression extraction unit 122 detects inappropriate data, the inappropriate expression detection notification unit 123 performs an operation for notifying the user of the administrator terminal 110 to that effect. Based on the detection rules stored in the detection rule storage unit 133, the unauthorized use detection unit 124 performs illegal operations on the received input information (operations not related to business at all. Access to websites unrelated to business, Determine whether it was generated according to the use of software unrelated to the business). The unauthorized use detection notifying unit 125 performs an operation for notifying the user of the administrator terminal 110 when unauthorized use is detected. The statistical data generation unit 126 is started periodically (for example, once a day) at regular time intervals, reads information stored in the input information storage unit 131, performs statistical processing, and generates the generated statistical data. Accumulated in the statistical data accumulation unit 132.

  The managed terminal 100 has two types of modes for sending transmission data to the administrator terminal 110. One mode is a mode (real-time transmission mode) in which input information is acquired to the administrator terminal 110 every time it is acquired. The other is a mode in which input information is transmitted to the administrator terminal 110 at regular intervals.

The operation of the unauthorized use detection system according to this embodiment will be described. FIG. 2 shows an operation flow of the monitored terminal 100.
When an input operation is performed via the keyboard 101 or the mouse 102, the input information extraction unit 103 acquires information regarding the input operation (step S101). As shown in FIG. 3, the information acquired by the input information extraction unit 103 includes an application name 401 in which the input operation has been performed, a window name 402 to be input, and an input type 403 indicating what input operation has been performed. , Input information 404 which is the input information itself, and time information 405 indicating the time when the input operation was performed.

  The input information extraction unit 103 outputs the generated information to the input information storage unit 104 (step S102). As shown in FIG. 3, the input information log file 400 has a data structure in which a plurality of input information is combined.

The input information transmission unit 105 edits the transmission data by adding the personal identification ID 601 to the input information log file generated by the input information extraction unit 103, and outputs it to a transmission buffer (not shown) (step S103). As shown in FIG. 4, the transmission data includes a personal identification ID 601, an application name 602, a window name 603, an input type 604, input information 605, and time information 606.
The personal identification ID 601 is information that can uniquely identify the monitored terminal 100, and for example, a MAC address is applicable. When a plurality of users use the monitored terminal 100, the user ID used at the time of login may be used as the personal identification ID.

If the real-time transmission mode is selected (step S104 / Yes), the input information transmission unit 105 transmits the generated transmission data to the manager terminal 110.
On the other hand, if the real-time transmission mode is not set (step S104 / No), the process returns to the state of waiting for input from the keyboard 101 or the mouse 102. In this case, the input information transmission unit 105 is activated every predetermined time or at a predetermined timing, and the edited transmission data is transmitted to the administrator terminal 110.

  Next, the operation of the administrator terminal 110 will be described. FIG. 5 shows an operation flow of the administrator terminal 110.

  The input information reception unit 121 of the administrator terminal 110 receives transmission data 600 (hereinafter referred to as reception data 600) transmitted by the input information transmission unit 105 via the network 140 (step S201). The input information receiving unit 121 converts the received transmission information into a format suitable for the input information storage unit 131 and stores it (step S202).

Next, the inappropriate expression extraction unit 122 refers to the information stored in the detection rule storage unit 133 and checks whether or not the reception data 600 includes an inappropriate expression (step S203). FIG. 6 shows an example of the detection rule file format 500 stored in the detection rule storage unit 133. Specifically, it is searched whether or not the content of the input information 605 (for example, the character string “ABC study”) of the received data 600 that is the input confirmation character is included as the inappropriate expression 503 in the detection rule file format 500. When an inappropriate expression is included in the input information, the contents of the allowable number of times 504 and the time range setting 505 are referred to and it is determined whether or not an inappropriate input operation has been performed (step S204).
Specifically, for each record of the detection rule file format 500, it is checked whether or not the same information as the input information 605 exists in the personal identification ID 507 of the individual management table 506 developed on the memory. If the same exists, the counter 509 is incremented by “1”. If there is no same thing, the personal identification ID 601, the time 606 and the initial value of the counter are newly added to the individual management table 506 as a personal identification ID 507, a start time 508 and a counter 509.

  Here, the logic of inappropriate expression detection will be described. First, the time range setting 505 is referred to. If the setting content is “none”, the value of the counter 509 is compared with the set number of times 504, and if the value of the counter 509 is larger, it is determined that an inappropriate input operation has been performed.

When the time range setting 505 is other than “none”, that is, when the time is set in the setting content, the start time 508 is subtracted from the current time, and the elapsed time from the start time is calculated. If the elapsed time exceeds the time range setting 505, the current time is set as the start time 508 and the value of the counter 509 is set to “1”. At this time, it is not regarded as inappropriate.
If the elapsed time is within the time set in the time range setting 505, it is determined that an inappropriate input operation has been performed if the value of the counter 509 exceeds the allowable number of times 504 in time. On the other hand, if it is within the allowable number of times 504, it is not considered that an inappropriate input operation has been performed.

  If it is determined that the input information has been generated in response to an inappropriate input operation (step S204 / Yes), the inappropriate expression detection notifying unit 123 outputs information indicating that the inappropriate operation has been determined to be an inappropriate operation. (Step S205).

Next, the unauthorized use detection unit 124 refers to the information stored in the detection rule storage unit 133, and checks whether unauthorized use has been performed (step S206). Specifically, it is checked whether or not the application name 602 of the transmission data 600 is included in the detection rule format 500 registered in the detection rule storage unit 133. At this time, only the record in which the inappropriate term 503 is blank is targeted.
If it is included in the detection rule format 500, the allowable number of times 504 and the contents of the time range setting 505 are checked. Specifically, in the individual management table 506 developed on the memory for each record of the detection rule file format 500 stored in the detection rule storage unit 133, the same identification ID 507 as the input information exists. For example, the counter 509 is incremented by “1”. If not, a personal identification ID 507, a disclosure time 508, and an initial value “1” of the counter 509 are newly added to the individual management table 506.

Here, the unauthorized use detection logic will be described.
First, referring to the time setting range 505, if the setting content is “none”, if the value of the counter 509 exceeds the allowable number of times 504, it is considered that an illegal input operation has been performed, and the value of the allowable number of times 504 It is not considered that an illegal input operation has been performed if:
When the time is set in the time range setting 505, the start time 508 is subtracted from the current time, and the elapsed time from the start time is calculated. If the elapsed time exceeds the time set in the time range setting 505, the current time is set as the start time 508 and “1” is set in the counter 509. In this case, it is not considered that an illegal input operation has been performed. On the other hand, if the elapsed time is within the time set in the time range setting 505, if the value of the counter 509 exceeds the value of the allowable number of times 504, it is determined that an illegal input operation has been performed, and the allowable number of times 504 If it is less than the value of, it is not considered that an invalid input operation has been performed.

  If it is determined that the input information 605 has been generated in response to an unauthorized input operation (step S207 / Yes), the unauthorized use detection notification unit 125 outputs information indicating that the input operation has been determined to be an unauthorized input operation to the output unit 130. (Step S208). The information to be output includes personal identification ID 507, application name 501, and current time 508. In other words, the output unit 130 outputs information that can specify who has used which application illegally.

  Next, the statistical data generation unit 126 will be described. The statistical data generation unit 126 is activated periodically (every hour, once a day, etc.) or at a predetermined timing (Monday, Wednesday, Friday, midnight, etc.) and stored in the input information storage unit 131. Create statistical data based on the data you have. Specifically, the data is read from the input information storage unit 131, and as shown in FIG. 7, the input character amount 704 and the number of mouse clicks 705 are tabulated using the date 701, the personal identification ID 702, and the application name 703 as keys. And output to the statistical data storage unit 132.

By generating statistical data in this way, the usage status of each managed person terminal can be grasped at the administrator terminal 110. Since it is possible to record and manage what kind of software the user of the managed person terminal 110 actually uses and how often it is used, the use of illegal software (illegal copy or pirated software) is suppressed. I can plan.
Further, since it is possible to detect that the software that should be originally used is not used or the operation that should be originally performed is not performed, it is possible to notify the user of the monitored terminal 100 and request improvement.

According to the unauthorized use detection system according to the present embodiment, an inappropriate input operation or an unauthorized input operation can be detected when the user is operating the monitored terminal 100.
By registering operations for unauthorized access to information as unauthorized use, it is possible to prevent information leakage and the like.

  Further, since the character information input via the keyboard 101 in each monitored terminal 100 is recorded in the input information storage unit 131, if the document data being created is lost due to a malfunction of the monitored terminal 100, input is performed. Using the character information recorded in the information storage unit 131, at least the character portion of the lost document can be restored.

[Second Embodiment]
A second embodiment in which the present invention is suitably implemented will be described. FIG. 8 shows the configuration of the unauthorized use detection system according to this embodiment. The system configuration is almost the same as that of the first embodiment, but further includes an inappropriate data server 850. The inappropriate data server 850 is connected to the administrator terminal 110 via the network 840.

  The administrator terminal 110 is substantially the same as in the first embodiment, but further includes a data update unit 816. The detection rule file stored in the detection rule storage unit 820 includes a local file 821 and a general file 822. In the local file 821, local information used within a range managed by the administrator is registered. On the other hand, in the general file 822, for example, general information to be detected from the season and the movement of the world at that time is registered.

An operation when the administrator terminal 110 updates data in the detection rule information storage unit 820 will be described.
The data update unit 816 is activated periodically (for example, once a day or once a week) or at a predetermined timing (for example, midnight on weekdays), and the detection rule file for the inappropriate data server 850 is activated. A download request for updating (general file 822) is transmitted.

  The inappropriate data server 850 that has received this request reads the data of the detection rule file master 852 in which the latest detection rule is stored, and transmits the data to the administrator terminal 110 using the data transmission unit 851.

  In the administrator terminal 110 that has received the data transmitted from the inappropriate data server 850, the data update unit 816 updates the general file 822 in the detection rule storage unit 820.

  In this way, the detection rule file is divided into a local file 821 and a general file 822. In the local file 821, if the department to which the administrator belongs or a small company, unique information is registered within the scope of the company. In the file 822, information common to companies or information that is generally managed by an external organization if it is a small company is registered, and the update is automated, so that a wide range of terms It becomes possible to perform a detailed check about.

  Note that the extraction / generation of input information and the determination of inappropriate expression / inappropriate use are the same as those in the first embodiment, and therefore redundant description is omitted.

Each of the above embodiments is an example of a preferred embodiment of the present invention, and the present invention is not limited to these.
As described above, the present invention can be variously modified.

It is a figure which shows the structure of the unauthorized use detection system which concerns on 1st Embodiment which implemented this invention suitably. It is a figure which shows the flow of operation | movement of the managed terminal of the unauthorized use detection system which concerns on 1st Embodiment. It is a figure which shows an example of an input information log file. It is a figure which shows an example of transmission data. It is a figure which shows the flow of operation | movement of the administrator terminal of the unauthorized use detection system which concerns on 1st Embodiment. It is a figure which shows an example of a detection rule file format. It is a figure which shows an example of statistical data. It is a figure which shows the structure of the unauthorized use detection system concerning 2nd Embodiment which implemented this invention suitably.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Managed terminal 101 Keyboard 102 Mouse 103 Input information extraction part 104 Input information storage part 105 Input information transmission part 110 Management terminal 120 CPU
121 Input Information Receiving Unit 122 Improper Expression Extraction Unit 123 Improper Expression Detection Notification Unit 124 Unauthorized Usage Detection Unit 125 Unauthorized Usage Detection Notification Unit 126 Statistical Data Generation Unit 130 Output Unit 131 Input Information Storage Unit 132 Statistical Data Storage Units 133 and 820 Detection rule storage unit 140, 840 Network 816 Data update unit 821 Local file 820 General file 850 Inappropriate data server 851 Data transmission unit 852 Detection rule file master

Claims (17)

An unauthorized use detection system in which at least one managed terminal and a management terminal are connected via a first network,
Each managed terminal obtains information input via a user interface;
Means for generating input information indicating the content of an input operation performed on an arbitrary application via the user interface;
Means for transmitting the input information to the management terminal;
The management terminal
Means for receiving the input information from the managed terminal;
Means for determining whether or not the input operation indicated by the received input information is a predetermined input operation;
And a means for outputting information indicating that the input operation indicated by the received input information is a predetermined input operation.   2. The unauthorized use detection system according to claim 1, wherein the management terminal has means for storing the input information received from the managed terminal.   The unauthorized use detection system according to claim 1, wherein the management terminal determines whether the received input information is a specific input operation according to rule information stored in advance.   4. The unauthorized use detection system according to claim 3, wherein the management terminal has means for acquiring the rule information from an external device connected via a second network. The predetermined operation includes a first predetermined operation and a second predetermined operation that are different in rule information used for determination,
The fraud according to claim 3 or 4, wherein it is determined whether or not the input operation indicated by the received input information corresponds to each of the first predetermined operation and the second predetermined operation. Use detection system.   The said management terminal has a means which statistically processes the said input information received in arbitrary periods, and produces | generates the statistical data which show the content of the input operation performed in the period. The unauthorized use detection system according to any one of the above.   The unauthorized use detection system according to claim 1, wherein each managed terminal transmits the input information to the management terminal at a predetermined time interval.   The input information includes information for identifying a user who has performed an input operation, information for identifying an application for which the input operation has been performed, information indicating the time at which the input operation has been performed, the type of the input operation, The unauthorized use detection system according to claim 1, further comprising: information representing A managed terminal connected to a management terminal via a network,
Means for obtaining information entered via a user interface;
Means for generating input information indicating the content of an input operation performed on an arbitrary application via the user interface;
A managed terminal comprising: means for transmitting the input information to the management terminal.   The managed terminal according to claim 9, wherein the input information is transmitted to the management terminal at a predetermined time interval.   The input information includes information for identifying a user who has performed an input operation, information for identifying an application for which the input operation has been performed, information indicating the time at which the input operation has been performed, the type of the input operation, 11. The managed terminal according to claim 9, further comprising information representing A management terminal connected to at least one managed terminal via a first network,
Means for receiving, from each managed terminal, input information indicating the content of an input operation performed on an arbitrary application via the user interface in each managed terminal;
Means for determining whether or not the input operation indicated by the received input information is a predetermined input operation;
And a means for outputting information indicating that when the input operation indicated by the received input information is a predetermined input operation.   13. The management terminal according to claim 12, further comprising means for accumulating the input information received from the managed terminal.   14. The management terminal according to claim 12 or 13, wherein it is determined whether or not the received input information is a specific input operation according to rule information stored in advance.   15. The management terminal according to claim 14, further comprising means for acquiring the rule information from an external device connected via a second network. The predetermined operation includes a first predetermined operation and a second predetermined operation that are different in rule information used for determination,
The management according to claim 15 or 16, wherein it is determined whether or not the input operation indicated by the received input information corresponds to each of the first predetermined operation and the second predetermined operation. Terminal.   17. The apparatus according to claim 12, further comprising: a unit that statistically processes the input information received during an arbitrary period and generates statistical data indicating the content of an input operation performed during the period. The management terminal described.

Images