JP2007249304A - Information processor, secret data monitoring method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processor capable of suppressing information leakage from a person who rightly has an access right to secret information when sharing the secret information in a company, and to provide a secret data monitoring method and a program. <P>SOLUTION: Secret information is capsuled by a DRM system, and the use of the capsuled secret information by a user is monitored by a monitoring system so that it is possible for a secrecy deciding means to control a monitor level in real time, and to leave the absolute minimum log. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an information processing apparatus, a confidential data monitoring method, and a program, and in particular, when confidential data created by a word processor or spreadsheet software is shared internally, information leakage by a person who has a legitimate access right to the confidential data The present invention relates to an information processing apparatus, a confidential data monitoring method, and a program.

  As techniques for countermeasures against leakage of confidential information (sensitive data), (1) a technique for protecting confidential information by encryption and (2) a technique for monitoring the use of a personal computer are widely known.

(1) Protection technology by encryption of confidential information As a technology for preventing unlimited use of contents on electronic devices, digital rights management technology (hereinafter referred to as DRM, also referred to as prior art 1) is often used. Used. DRM encrypts original data by a secret code scheme. This encrypted data is called a capsule, and the capsule cannot be used unless it is decrypted. That is, the use of this data requires a decryption key for decrypting the capsule. A person who has been granted the use authority can use this data by authenticating by some method, obtaining a decryption key, and returning to normal data immediately before use. DRM is generally used to prevent illegal duplication of multimedia information such as movies and music, but it is also effective for so-called office texts created with word processors and spreadsheet software. I'm starting. For example, by encapsulating accounting information files that can only be used by executives with DRM, and giving only the executives a decryption key that decrypts this capsule, it is possible to protect confidential information from other employees and those outside the company. Become.

(2) Technology for Monitoring the Use of a Personal Computer An example in which a technology for monitoring the use of a personal computer is used is described in the product InfoTrace (manufactured by Soliton Systems Co., Ltd .: hereinafter referred to as Conventional Technology 2). From the description of the operating environment of the catalog, the configuration of Non-Patent Document 1 is as shown in FIG. A personal computer OS (Opereting System) Windows (Microsoft Corporation: registered trademark), a Windows (registered trademark) Agent that collects file access events generated by this Windows (registered trademark), and this Windows (registered trademark) ) Consists of log upload means for uploading the file access events collected by the Agent to the server as a log, the Log Server that accumulates the uploaded logs, and the Trace Browser that displays the file flow from this Log Server log Has been.
The related art 2 having such a configuration can monitor the operation of the user's personal computer using the Trace Browser.

Also, as an example of a conventional technique for countermeasures against leakage of confidential information, when an execution state of application software is estimated based on an OS event message and an access to a document is detected, based on an estimation result of the execution state of the application software By deciding whether to encrypt or decrypt the document, the confidential document is automatically encrypted when the user performs an application operation to publish the confidential document to the outside. Therefore, there is a “confidential document management device, confidential document management method, and confidential document management program” that can prevent leakage of confidential information even if an authorized user makes an operation mistake (for example, Patent Document 1). reference).
JP 2005-222155 A InfoTrace (Soliton Systems Co., Ltd.) Catalog, P2

  In the DRM of Prior Art 1, there is a problem that it is impossible to prevent information leakage from a person who has a right to access confidential information. Those who have legitimate access rights have the key to decrypt the capsule, so they can freely perform operations that lead to information leakage such as copying the decrypted data, printing, and capturing the screen. End up. In other words, DRM is effective as a countermeasure against information leakage due to negligence such as inadvertently apologizing for the address and sending confidential information by e-mail outside the company, but it is effective because the other party does not know the decryption key. The problem is that it is easy for a person with access rights to intentionally leak information maliciously. Since there are reports that more than 70% of information leakage cases are caused by internal accomplices, there is a problem with DRM that cannot prevent information leakage from the inside.

  On the other hand, the prior art 2 is considered as a countermeasure against information leakage from the inside. That is, since the user's operation on the personal computer is monitored, the morale of the employee is improved, and the effect of suppressing information leakage from the inside can be expected. However, the prior art 2 has the following two problems and is not widely used.

  (1) The problem that the amount of monitoring logs becomes enormous: Generally, the amount of events from the OS of a personal computer is enormous, and the monitoring system that leaves this in the log emits enormous logs. For example, when a screen change, a user menu operation, file access, network access, or the like is monitored, the monitoring result is always written to the log. For this reason, in general operation, logs are stored only for a certain period, and old logs are often discarded. Looking at past incidents of information leakage, there are many examples that could not be elucidated because the logs were already discarded, and this is a problem. Furthermore, even if all the logs can be saved, the problem is that the analysis takes a very long time. In order to distinguish between a normal state and an illegal state, it is necessary to analyze from various angles while making hypotheses regarding user operations. If the amount of logs is enormous, the analysis will be very time consuming.

  (2) The operation of the personal computer becomes slow: In general, monitoring the use of the personal computer is a process of intercepting an event from the OS of the personal computer, which slows down the operation of the OS. Conventional technology 2 and the like have a function that allows selection of the type of event to be intercepted. However, if the number of monitoring targets is reduced, it becomes impossible to predict what the user is doing during log analysis. This is an end-to-end fall and is not a solution. Under these circumstances, monitoring software is not widely used in current offices, and a method that can monitor without reducing the performance of a personal computer is desired.

  The invention described in Patent Document 1 also has a problem that the amount of the monitoring log as described in (1) becomes enormous.

  The present invention has been made in view of the above circumstances, and when confidential information created by an office application such as a word processor or spreadsheet software is shared internally, information leakage by a person who has a right to access this information is prevented. An object of the present invention is to provide an information processing apparatus, a confidential data monitoring method, and a program that can be more efficiently suppressed than in the prior art.

  In order to achieve such an object, an invention according to claim 1 is an information processing apparatus that includes an operating system, application software, and a device driver, and monitors predetermined confidential data. Sensitive data creation / editing means that can be created and edited, and confidential data created or edited by the confidential data creation / editing means are encrypted when the confidential data is saved, and the confidential data is decrypted only when the specified authentication is successful Classified data management means, monitoring means for monitoring operating system events based on monitoring items in which at least one or more events to be monitored are preset, and based on the monitoring results of the monitoring means, Sensitivity judgment means that estimates the current usage situation in real time, and sensitivity judgment means Based on the constant result, determines an event to be monitored by the monitoring means, based on the determination result, characterized by comprising a monitoring method setting means for changing the settings of the monitoring items.

  According to a second aspect of the present invention, in the first aspect of the invention, the confidentiality determination means includes a monitoring result temporary storage means for temporarily accumulating the monitoring results of the monitoring means as data, and a monitoring result of the monitoring means. The application knowledge, which is the data that corresponds to the current usage status of the confidential data, and the data accumulated in the monitoring result temporary storage means are analyzed using the application knowledge, and the confidential data is analyzed by the confidential data creation and editing means. Analyzing the data stored in the confidential information activation determining means and the monitoring result temporary storage means in real time to determine whether or not it is being activated, using application knowledge, and analyzing the confidential data with the confidential data creation and editing means. Current data sensitivity determination means for determining in real time whether or not the user is using ground processing, and monitoring results Analyzing the data stored in the storage means using application knowledge, and determining in real time whether or not the confidential data has been changed from the confidential data to the normal data by the confidential data creation editing means, Sensitive information activation determination means, current data confidentiality determination means, and confidentiality state storage means for storing the determination results of the non-encapsulated data activation determination means.

  According to a third aspect of the present invention, in the first or second aspect of the invention, the monitoring method setting means is data in which the current usage status of confidential data is associated with each event set as a monitoring item. A monitoring item setting unit that sets each event of a monitoring item based on a monitoring level setting rule, each determination result stored in the confidentiality state storage unit, and the monitoring level setting rule, To do.

  According to a fourth aspect of the present invention, in the invention of the second or third aspect, the application knowledge relates to the occurrence order of the event, the event parameter, and the type of the confidential data creation / editing unit monitored by the monitoring unit, respectively. It consists of a semantic field expressed with the meaning of, an application field that describes the type of confidential data creation and editing means, an event order field that describes the order of event occurrence, and a parameter field that describes the event parameters It is characterized by being.

  According to a fifth aspect of the present invention, in the invention according to the fourth aspect, the meaning field of the application knowledge is a value of encapsulation that means that the function of encapsulating the confidential data of the confidential data management means is executed, and the confidential data The value of decapsulation, which means that the function of removing the capsule of the management means has been executed, the value of capsule opening, which means that the function of using the capsule of the confidential data management means has been executed, and the capsule being used are terminated The value of capsule end, which means that it has been changed, and the vertical relationship of the window are switched, the value of current document confidential document switching, which means that the secret document is in focus, and the vertical relationship of the window are switched to normal data. Current document normal document switch value that means that it is in focus , In characterized in that it is expressed.

  The invention according to claim 6 is the invention according to claim 4, wherein the event order field of the application knowledge is generated when the window at the top changes, and when the title of the window changes. A title change event, a file read event that occurs when a file is read from the disc, a file write event that occurs when a file is written to the disc, and a dialog event that occurs when a dialog is opened in the application It is described in order.

  The invention according to claim 7 is the invention according to claim 4, wherein the parameter field of application knowledge includes a character string of a window title that has changed, a file path of a file being read, and a file path of a file being written And the character string value of the window title of the opened dialog are described.

  The invention according to claim 8 is the invention according to any one of claims 2 to 7, wherein the confidentiality state storing means is a foreground field indicating whether or not the data of the currently focused window is confidential data. And a background field that indicates whether confidential data is included in the data of the window that is not currently focused, and an unencapsulated field that indicates the number of times the decapsulation operation has been performed. And

  The invention according to claim 9 is the invention according to any one of claims 3 to 8, wherein the monitoring level setting rule is monitored by an importance field describing a current use state of confidential data and a monitoring means. A monitoring item field describing at least one or more events to be set.

  In the invention according to claim 10, in the invention according to claim 9, the importance field of the monitoring level setting rule includes the value of the most important meaning that the situation needs to be monitored in detail and the monitoring item. It is characterized by comprising an important value that means a situation that may be narrowed down to some extent and a normal value that means a situation that does not need to be monitored.

  The invention according to claim 11 is the invention according to claim 10, wherein the monitoring item setting means stores the values of the foreground field, the background field, and the non-encapsulated field stored in the confidentiality state storage means. It is characterized by judging the most important, important and normal situations based on the values.

  The invention according to claim 12 is the invention according to any one of claims 9 to 11, wherein the monitoring item field of the monitoring level setting rule includes monitoring of a clipboard which is a copy buffer of the operating system and a predetermined application. Monitoring of startup, monitoring of application menu operations by the user, monitoring of key input by the user, monitoring of screen capture for capturing the entire screen by the user, monitoring of the use of external media by the user, and printer by the user Monitoring of network usage and monitoring of network usage by the user are set.

  A thirteenth aspect of the present invention is a confidential data monitoring method performed by an information processing apparatus for monitoring confidential data managed by the information processing apparatus, and an office application monitoring step of monitoring an operation of an office application by a user And the monitoring result of the office application monitoring step, the monitoring result addition judgment step for judging whether the log has been added, the judgment result of the monitoring result addition judgment step, and the log, if the log has been added, the meaning of the monitoring result is estimated A monitoring result analysis step for estimating the current status of handling confidential data in the information processing apparatus, a sensitivity determination step for determining a currently required monitoring level based on the analysis result of the monitoring result analysis step, and a sensitivity Based on the monitoring level determined in the decision step, the office application A monitoring method setting changing step of changing the monitor to be operated in ® down, characterized in that the run.

  According to a fourteenth aspect of the present invention, in the invention according to the thirteenth aspect, the information processing apparatus searches for a log encapsulating normal data from the monitoring results and counts the number of records as the monitoring result analyzing step. A count count step, a log that returns the encapsulated data from the monitoring results to normal data, and a non-encapsulated count count step that counts the number of records. The number of records is searched by searching the log that reads the data read by the specified application and counting the number of records, and the end of the confidential data activated by the specified application is searched from the monitoring result log. Capsule end count counting step, encapsulation result count step result, Confidential information that counts the number of currently activated confidential data in the information processing device based on the result of the cell opening number count step, the result of the decapsulation number count step, and the result of the capsule end number count step Current data machine that determines whether the data currently in focus is confidential data or normal data by searching the most recent data switch log from the start count calculation step and monitoring results Based on the results of the density determination step, current data confidentiality determination step, confidential information activation number calculation step, and decapsulation number count step, the number of foreground confidential information and background confidential information An analysis result storing step for storing the number of information and the number of unencapsulated data, respectively. Characterized in that row.

  According to a fifteenth aspect of the present invention, there is provided a program for causing an information processing apparatus to execute a confidential data monitoring method in order to monitor confidential data managed by the information processing apparatus, and monitors an operation of an office application by a user. The monitoring result of the office application monitoring process, the monitoring result of the office application monitoring process, the monitoring result addition determination process for determining whether or not the log has been added, the determination result of the monitoring result addition determination process, and the log are added. Monitoring result analysis process that estimates the meaning of the current situation and the current handling status of confidential data in the information processing device, and sensitivity determination process that determines the currently required monitoring level based on the analysis result of the monitoring result analysis process And monitoring of office applications based on the monitoring level determined by the sensitivity determination process A monitoring method setting change process for changing the operation should, characterized in that to execute the information processing apparatus.

  In the invention described in claim 16, in the invention described in claim 15, as the monitoring result analysis process, a log encapsulating normal data is searched from the monitoring result, and an encapsulated number counting process for counting the number of records; Search the log that returns the encapsulated data from the monitoring results to normal data, count the number of records, and count the number of records. Capsule opening number count processing that searches the log read by the application and counts the number of records, and the end of the secret data that is running in a given application is searched from the monitoring result log, and the number of capsule ends that counts the number of records Count processing result, encapsulation number count processing result, capsule opening number count processing result, Based on the result of the count count processing and the result of the capsule end count count process, the confidential information activation number calculation process that counts the number of currently activated confidential data in the information processing device, and the monitoring result From the most recent data switch log, current data sensitivity determination processing to determine whether the currently focused data is confidential data or normal data, and current data sensitivity determination The number of foreground sensitive information, background sensitive information, and unencapsulated data based on the result of processing, the result of confidential information activation number calculation processing, and the result of unencapsulated number counting processing And an analysis result storage process for storing each of the numbers.

According to the present invention, the following effects can be obtained.
The first effect is that a minimum necessary monitoring result is recorded as a log. This is because the confidentiality determining means determines whether the encapsulated important document is decrypted and used in the application, and the monitoring method setting means changes the items to be monitored based on this result. . In other words, if confidential information is used, monitoring can be strengthened, and if not, the amount of monitoring log can be reduced by roughly monitoring. As described above, since the log is the minimum necessary, the log can be operated without being discarded.

  The second effect is that the performance of the personal computer is not lowered. This is because the confidentiality determination means and the monitoring method setting means are included in the configuration, so that it is not necessary to intercept unnecessary OS events, and as a result, performance is hardly lowered. Furthermore, since the amount of logs is reduced as described in the first effect, the load of processing for uploading logs to the server is reduced. This alleviates the barrier to introducing monitoring software.

  A third effect is that monitoring can be performed according to the sensitivity of dynamically changing documents. Usually, the confidential classification of text changes. For example, a public relations document is a confidential matter until the publicity is complete, but once published, this sentence need not be kept secret. In this way, it is common that the secret classification of a sentence is changed. However, an operation for changing the secret classification of a document may lead to information leakage. A malicious employee can change a sentence that should be kept secret into a regular document. The confidentiality determination means can detect a change in the confidential classification of the text and can monitor in accordance with the sensitivity of the dynamically changing document in order to set an appropriate monitoring level.

  The fourth effect is that it can cooperate with various DRM systems. This is because the sensitivity determination means is not premised on a specific DRM system. The confidentiality determining means indirectly determines the confidentiality from the window title of the application by having application knowledge in the configuration. That is, it is possible to cope with the problem by simply rewriting the application knowledge in accordance with the DRM system introduced.

  The best mode for carrying out the present invention will be described below in detail with reference to the accompanying drawings.

<Description of configuration>
Next, the best mode for carrying out the invention will be described in detail with reference to the drawings.
Referring to FIG. 1, in the first embodiment of the present invention, when confidential information (confidential data) such as word processors and spreadsheet software is shared in the company, information leakage from employees who can access this information properly In a confidential document monitoring device (an example of an information processing device) that can deter encryption, encryption is performed when confidential text (an example of confidential data) is stored, and decryption is performed only when authentication is successful when used. DRM system 01 (an example of confidential data management means) that can make confidential text only available to users who have created and edited confidential information such as word processors and spreadsheet software, and in conjunction with DRM system 01, Office application 02 (an example of secret data creation and editing means) that can set secret classification of text, keyboard input, menu operation, window Monitoring system 03 that intercepts events from the OS to monitor user operations that may lead to information leakage such as changes in title character strings, file access, network access, use of external media, use of the clipboard, etc. (An example of monitoring means), and by analyzing the result of the monitoring system 03, from the estimation result of the confidentiality determination means 04 and the confidentiality determination means 04 that estimates the usage status of the confidential information of the current user in real time, It is configured to include monitoring method setting means 05 that determines which of the monitoring items of the monitoring system 03 should be monitored and updates the setting of the monitoring system 03. This confidential document monitoring apparatus is an information processing apparatus such as a personal computer equipped with an operating system, application software, and a device driver.

  Further, referring to FIG. 2, the confidentiality determination unit 04 may extract the monitoring result temporary storage unit 0401 for temporarily accumulating the monitoring result of the monitoring system 03 and the meaning of the monitoring result of the monitoring system 03. For the purpose, application knowledge 0402, which is the knowledge describing the order of monitored events, the parameters of each event, and the relationship between the handling status of confidential information in the DRM system 01 and the office application 02, and the monitoring result temporary storage unit 0401 Analyzing the data using application knowledge 0402 and determining whether the text encrypted by the DRM system 01 is currently activated by the office application 02 or not, and a monitoring result temporary storage unit 0401 Data using application knowledge 0402 The current sentence density determination unit 0404 for determining whether the user is currently using the sentence encrypted by the DRM system 01 as the current foreground process in the office application 02, and the data in the monitoring result temporary storage unit 0401 A non-encapsulated sentence activation determination unit 0405 for estimating the use state of a sentence that has been analyzed using the application knowledge 0402 and encrypted by the DRM system 01 and is now changed from a confidential sentence to a normal sentence by the office application 02; The confidential information activation determining unit 0403, the current sentence device density determination unit 0404, and the confidentiality state storage unit 0406 that stores the determination result of the non-encapsulated sentence collection activation determination unit 0405 are configured.

  Referring to FIG. 2, the monitoring method setting unit 05 includes a monitoring level setting rule 0502 describing the current handling state of confidential information of the personal computer and the relationship between monitoring items, a confidentiality state storage unit 0406, and a monitoring level setting. And a monitoring item setting unit 0501 for setting the monitoring item of the monitoring system 03 from the rule 0502.

Next, embodiments of the above means will be described below.
The DRM system 01 considered in the present invention has the following functions for data of office applications 02 such as word processors and spreadsheet software.

  [Function for Encapsulating Confidential Data] The capsule is composed of a body text in which the confidential data is encrypted and a header describing the handling information of the confidential data. The encrypted text is generated at the same time as a decryption key and is usually stored in the server. In the header, information such as the capsule ID and the expiration date of the data is generally described.

  [Function to Use Capsule] Before using a capsule, authentication is performed, and a decryption key is issued to a user who has succeeded in authentication. The DRM system decrypts the capsule using this decryption key and passes it to the application in plain text, so that it can be used in the same way as normal text. The encapsulated text read into the office application by this method is re-encapsulated when saved. Thereby, the encapsulated text is permanently encapsulated even after being used in the office application 02.

  [Function to remove capsule] Function to return encapsulated text that has been changed to a state that can be disclosed to the outside to normal text. First, it is authenticated whether the user is permitted to execute this function, and if successful, a decryption key is issued and decrypted to return to normal text. Unlike the function using the capsule, it is not re-encapsulated.

  The DRM system 01 having the above functions is a general DRM system and is widely known. In this invention, what is necessary is just to have said function, and what is necessary is just to implement using the well-known commercially available DRM system.

  The office application 02 is software that creates, browses, and edits confidential information such as a word processor and spreadsheet software, and is only required to be encapsulated by the DRM system 01. In other words, there are no file format or necessary function requirements. For example, a commercially available application such as a Microsoft office may be used.

The monitoring system 03 is a system that leaves OS events in a log. Normally, there are a lot of types of OS events, but it is necessary to monitor the following functions related to information leakage.
[1] A change in the window title is detected, and the character string is acquired.
[2] A file read / write access is detected and the file name is acquired.
[3] The change in the focus of the window can be detected, and the ID of the window at the top can be acquired.
[4] The activation of the application can be detected and the name of the activated application can be acquired.
[5] A change in the clipboard is detected, and data stored in the clipboard is acquired.
[6] The menu operation of each application is detected, and the menu label is acquired.
[7] The input of the user's key is detected, and the input key is acquired.
[8] The activation of the screen capture function is detected, and the captured data is acquired.・ Detects the use of external media and obtains the name of the media to be used.
[9] Use of the printer is detected, and the name of the printer to be used is acquired.
[10] Detect the use of the network and detect the protocol, port, IP address, etc. to be used.
These are only examples, and other events may be monitored if they are useful for situational evidence regarding information leakage.

  The event acquisition method can be easily realized by using a method called “hook”. “Hook” is a mechanism in which an external program intercepts an event occurring in an application, and is a function provided as a standard in the OS. In the case of Windows (registered trademark), an MSAA (Microsoft Active Accessibility) that acquires GUI operations, a message hook that acquires an event occurring in the application, and an API that acquires a system call from the application to the OS Hooks and the like are disclosed, and if these are used, the above monitoring function can be easily realized.

  Also, a commercially available monitoring system such as the above-described prior art 2 is realized by the same method, and these may be used.

An example of the monitoring result temporary storage means is shown in FIG.
It consists of the following four fields.

  [1] Date and time (T-0401-01): Date and time when the event occurred

  [2] Application (T-0401-02): Name of the application in which the event has occurred

[3] Event (T-0401-03): Name of the event. In the example of FIG. 3, there are the following types.
Focus change: An event that occurs when the top window changes. For example, this occurs when the user restores the iconized window.
Title change: An event that occurs when the title of a window changes. For example, when the file name is changed and saved, this event occurs in an application whose file name is displayed in the window.
File read: Occurs when a file is read from disk. Occurs when the user opens a file from an application or loads a temporary file created for management by the application.
File write: Occurs when a file is written to disk. This occurs when the user performs a save operation on the application or writes a temporary file created for management by the application.
Dialog: Occurs when a dialog opens in the application.

[4] Parameter (T-0401-04): A parameter acquired for each event. In the case of FIG. 3, the parameters are as follows.
Focus change: Character string of the window title of the focused window Title change: Character string of the changed window title File read: File path of the file being read File write: File path of the file being written Dialog: Open Dialog window title string

  The monitoring result temporary storage unit 0401 may store a set of data composed of the above fields as a relational database or text data in CSV (Comma Separated Values) format.

  The monitoring result temporary storage unit 0401 may be cleared when the personal computer is restarted because an old monitoring result is meaningless.

An example of application knowledge is shown in FIG.
It consists of the following four fields.

[1] Meaning (T-0402-01): Means the order of monitored events, the relationship between parameters of each event, and the handling of confidential information in the DRM system and office application.
[Encapsulation]: Indicates that a function for encapsulating the confidential data of the DRM system has been executed. In other words, it means that the normal text collection is encapsulated.
[Non-encapsulation]: Indicates that the function of removing the capsule of the DRM system has been executed. That is, it means that the encapsulated sentence is returned to the normal sentence.
Capsule open: means that a function that uses the capsule of the DRM system has been executed. That is, it means that the authentication is successful, the capsule is decrypted, and the application can be used.
[Capsule End]: This means that the capsule being used is ended.
Switch the current document to a secret document: This means that the top / bottom relationship of the window is switched and the secret document is in focus.
Switch the current sentence to a normal sentence: This means that the vertical relation of the window is changed and the normal sentence is focused.

  [2] Application (T-0402-02): This field lists applications to which this meaning can be applied, separated by commas.

  [3] Event order (T-0402-03): A field that defines this meaning in the order of event occurrence. In the case of the first record in FIG. 4, it is determined that encapsulation has been executed when events occur in the order of focus change, dialog, and title change. Note that events occur asynchronously between a plurality of applications in an actual multitasking OS, and therefore do not always occur continuously as in the example of FIG. Events from multiple applications may accumulate alternately. In the present embodiment, in order to simplify the explanation, an example in which consecutive events occur in an application is shown. In order to actually implement a multitasking OS, it is necessary to devise a method for analyzing events separately for each application.

[4] Parameter (T-0402-04): A parameter for each event. In the example of FIG. 4, it is described in the following format.
"Event type. Parameter attribute name: Condition"

  The event type is an event registered in the event order field, and serial numbers are assigned in the order of appearance of this field.

  The parameter attribute name is a title or a file name in the example of FIG. This is because, in this embodiment, there are only two types of parameters for each event, and it may be changed according to the event to be handled and its parameters. For example, a change in the status bar label may be used as a rule.

  The condition describes whether a character string is included or not. However, this is also an example, and other conditions may be added. For example, it may be used on the condition of ON / OFF of a certain GUI component.

  In the example of the first record in Fig. 4, "In any application of MS-EXCEL, MS-WORD, MS-PPT, events occur in the order of focus change, dialog, title change, and the parameters of the dialog event that occurred If the character string “encapsulation” is included and the parameter of the title change event includes the character string “secret”, it is determined that the encapsulation has been performed.

  The confidential information activation determining unit 0403, the current sentence machine density determining unit 0404, and the unencapsulated sentence activation determining unit 0405 start analysis using the application knowledge 0402 every time data is registered in the monitoring result temporary storage unit 0401. . The analysis method will be described below.

Confidential information activation determining unit 0403: It is determined whether the confidential information is activated by counting the following.
"Number of activations of confidential information = (number of encapsulations + number of capsules open)-(number of decapsulation + number of capsule ends)"

  Therefore, the secret information activation determining unit 0403 may store four counters storing the above numbers in the memory.

  Current sentence density determination unit 0404: As a result of analyzing the monitoring result temporary storage unit, focusing on two of application knowledge 0402, “switch current sentence to secret sentence” and “switch current sentence to normal sentence”. Judgment should be made from which one is.

  Unencapsulated sentence activation determining unit 0405: paying attention to “unencapsulated” in the application knowledge 0402, and analyzing the monitoring result temporary storage unit 0401. You only need one memory to remember only that decapsulation has taken place.

  Sensitivity state storage means 0406: Stores the following information.

  [1] Foreground (T-0406-01): Indicates whether the data of the currently focused window is confidential information. In FIG. 5, 1 indicates a confidential document, and 0 indicates a normal document.

  [2] Background (T-0406-02): Indicates whether confidential data is included in the data of a window that is not currently focused (hidden in another window, iconified, etc.) . FIG. 5 shows the number included. In the case of 0, it means that confidential information is not included.

  [3] Decapsulation (T-0406-03): Indicates the number of times of decapsulation work. If it is 0, it indicates that it has not been performed.

An example of the monitoring level setting rule 0502 is shown in FIG.
It consists of the following two fields.

  [1] Importance (T-0502-01): Indicates the current status of handling confidential documents in a personal computer. In the example of FIG. 6, there are three states of “most important”, “important”, and “normal”. “Most important” means a situation in which it is necessary to monitor very closely, and a situation in which confidential text is being edited by the office application 02 is assumed. “Important” means a situation in which the monitoring items can be narrowed down. A secret sentence is activated by the office application 02, but the sentence currently operated by the user is assumed to be a normal sentence. “Normal” means a situation in which it is not necessary to monitor, and assumes a situation in which confidential text is not activated by the office application.

  [2] Monitoring item (T-0502-02): The monitoring item includes items that can be monitored by the monitoring system 03. In the case of the example in FIG. 6, it includes a clipboard, application activation, menu operation, key input, screen capture, use of external media, use of a printer, and use of a network. In FIG. 6, ◯ means that it is necessary to monitor, and × means that it is not necessary to monitor. In the case of the example of FIG. 6, in the most important case, all items are monitored. In the important case, the clipboard and application start-up and screen capture are monitored. In normal cases, nothing is monitored. Means. However, this setting is merely an example, and another setting may be made. The window title change, file read and write access are monitored regardless of the importance value because the window focus change is used by the sensitivity determination means.

The monitoring item setting unit 0501 is a unit that determines a monitoring item from the value of the confidentiality state storage unit 0406 and the monitoring level setting rule 0502 and sets the monitoring item in the monitoring system 03. The monitoring item setting unit 0501 determines the importance according to the following rules.
[Most important]: When the foreground value is 1, or when the decapsulation value is 1. Intuitively, this means that confidential information is currently being used in an office application, or that there is an unencapsulated sentence, and that it is necessary to monitor very closely.
[Important]: When the foreground value and the unencapsulated value are both 0, and the background value is positive. Intuitively, the confidential information is activated by the office application, but the user is not currently using it, which means that the minimum monitoring is performed.
[Normal]: When the foreground value, the background value, and the decapsulation value are all 0. Intuitively, it means a situation where confidential text is not handled.

  As described above, according to the present invention, the confidentiality determination unit 04 determines the usage status of the confidential document encapsulated by the DRM system 01, so that the information leakage such that the confidential information is edited by the office application 02. Monitoring can be strengthened in situations where there is a possibility of information leakage, and monitoring can be relaxed in situations where there is little possibility of information leakage, such as when confidential information is not activated. As a result, the minimum necessary logs can be collected, and effective information leakage countermeasures can be taken against internal crimes.

<Description of operation>
The present invention only uses the office application 02 and the DRM system 01 in the same manner as usual when viewed from the user. It operates when the monitoring system monitors this usage. This operation will be described with reference to the flowchart of FIG.

  The result log of the office application monitoring step S-01 for monitoring the operation of the office application by the user, the monitoring result addition determining step S-02 for determining whether or not the monitoring result has been added, and the monitoring result addition determining step S-02. If it has been added, the current necessity is determined from the analysis result of the monitoring result analysis step S-03 for estimating the meaning of the monitoring result and estimating the current state of handling of confidential information of the personal computer and the analysis result of the monitoring result analysis step S-03 Sensitivity determination step S-04 for determining a proper monitoring level, and monitoring method setting change step S-05 for changing the monitoring item of the office application to an appropriate value from the value of the sensitivity determination step S-04 Is done.

  The start of this processing flow may be automatically started when the user starts the personal computer. Moreover, although this flow does not end, this means that the user continues to operate while using the personal computer. Actually, it ends when the computer is closed.

A more detailed processing flow of the monitoring result analysis step S-03 will be described with reference to FIG.
Search the log that encapsulates the normal sentence from the monitoring results, count the number of records, and the encapsulated number counting step S-03-01, and return the encapsulated sentence from the monitoring result to the normal sentence Unencapsulated number counting step S-03-02 for searching the log and counting the number of records, and opening the capsule for searching the log obtained by reading the encapsulated text from the monitoring result by the application and counting the number of records The monitoring result of the count count step S-03-03 and the end of the confidential text (encapsulated confidential text read by the application or confidential text encapsulated from the normal text) currently activated by the application Capsule end count counting step S-03-04 which searches from the log and counts the number of records The result of the encapsulation number counting step S-03-01, the result of the capsule opening number counting step S-03-03, the result of the non-encapsulation number counting step S-03-02, and the capsule end number step S-03 From the result of -04, the secret information activation number calculation step S-03-05 for counting the number of activation of confidential information on the personal computer currently used by the user, and the sentence switching from the monitoring result most recently A current sentence machine density determination step S-03-06 for determining whether the sentence currently in focus is a confidential sentence or a normal sentence by searching the logs performed, and a current sentence machine density determination step S-03- The result of 06, the result of the confidential information activation number calculation step S-03-05, the result of the non-encapsulation number counting step S-03-02, Each number of confidential information foreground, the number of confidential information background, the analysis result storing step S-03-07 for storing the number of non-encapsulated sentence composed.

  The encapsulation number counting step S-03-01, the non-encapsulation number counting step S-03-02, the capsule opening number counting step S-03-03, and the capsule end number counting step S-03-04- are executed in this order. You don't have to do it, you can replace it. Furthermore, the flow from the encapsulation number counting step S-03-01 to the confidential information activation number calculation step S-03-05 and the current writing machine density determination step S-03-06 need not be executed in this order, and are switched. It doesn't matter.

  In FIG. 7, the confidentiality determination step S-04 is performed based on the result of the monitoring result analysis step S-03 according to the same rules as the description of the monitoring item setting means.

  In FIG. 7, a monitoring method setting change step S-05 determines an item to be monitored by matching a monitoring level setting rule with the importance as a result of the confidentiality determination step S-04 as a key.

  Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention.

  According to the present invention, when confidential information created by a word processor or spreadsheet software is shared internally, it is applied to the confidential document management field that can suppress information leakage from a person who has a right to access this information. it can.

[BRIEF DESCRIPTION OF THE DRAWINGS] It is a block diagram which shows the structure of the best form for implementing 1st invention of this invention. [BRIEF DESCRIPTION OF THE DRAWINGS] It is a block diagram which shows the structure of the best form for implementing 1st invention of this invention. It is a figure which shows an example of the data of the best form for implementing 1st invention. It is a figure which shows an example of the data of the best form for implementing 1st invention. It is a figure which shows an example of the data of the best form for implementing 1st invention. It is a figure which shows an example of the data of the best form for implementing 1st invention. It is a figure which shows the processing flow of the best form for implementing 1st invention. It is a figure which shows the processing flow of the best form for implementing 1st invention. It is a block diagram which shows the structure of the prior art 2. FIG.

Explanation of symbols

01 DRM system 02 Office application 03 Monitoring system 04 Sensitivity determination means 05 Monitoring method setting means 0401 Monitoring result temporary storage means 0402 Application knowledge 0403 Confidential information activation determining means 0404 Current sentence machine density determination means 0405 Unencapsulated sentence activation determination means 0406 Confidential state storage unit 0501 Monitoring item setting unit 0502 Monitoring level setting rule T-0401-01 Date / time field T-0401-02 Application field T-0401-03 Event field T-0401-04 Parameter T-field T-0402-01 Meaning field T-0402-02 Application field T-0402-03 Event order field T-0402-04 Parameter field T- 406-01 foreground Fi - field T-0406-02 background Fi - field T-0406-03 unencapsulated Fi - field T-0501-01 Severity Fi - field T-0501-02 monitored item Fi - field

Claims (16)

An information processing apparatus equipped with an operating system, application software, and a device driver that monitors predetermined confidential data,
Confidential data creation and editing means capable of creating and editing predetermined confidential data;
Confidential data management means for encrypting the confidential data when the confidential data created or edited by the confidential data creating / editing means is stored, and decrypting the confidential data only when a predetermined authentication is successful;
Monitoring means for monitoring events of the operating system based on monitoring items in which at least one event to be monitored is set in advance;
Based on the monitoring result of the monitoring means, sensitivity determination means for estimating the current usage status of the confidential data in real time;
Monitoring method setting means for determining an event to be monitored by the monitoring means based on the estimation result of the sensitivity determination means, and changing the setting of the monitoring item based on the determination result;
An information processing apparatus comprising: The sensitivity determination means includes
Monitoring result temporary storage means for temporarily storing the monitoring results of the monitoring means as data;
Application knowledge that is data in which the monitoring result of the monitoring means is associated with the current usage status of the confidential data;
Analyzing data accumulated in the monitoring result temporary storage means using the application knowledge and determining in real time whether or not the confidential data is being activated by the confidential data creation and editing means When,
Analyze the data accumulated in the monitoring result temporary storage means using the application knowledge, and determine in real time whether or not the user is currently using the confidential data as a foreground process in the confidential data creation / editing means. Current data sensitivity determination means,
A non-capsule that analyzes data accumulated in the monitoring result temporary storage means using the application knowledge and determines in real time whether or not the confidential data has been changed from confidential data to normal data by the confidential data creation / editing means Data activation determination means,
Sensitivity information storage determining means, current data confidentiality determination means, and confidentiality state storage means for storing determination results of the unencapsulated data activation determination means,
The information processing apparatus according to claim 1, further comprising: The monitoring method setting means includes
A monitoring level setting rule that is data in which the current usage status of the confidential data is associated with each event set as the monitoring item;
Monitoring item setting means for setting each event of the monitoring item based on each determination result stored in the confidentiality state storage means and the monitoring level setting rule;
The information processing apparatus according to claim 1, further comprising: The application knowledge is
The meaning field expressed by giving a predetermined meaning, associating the occurrence order of the event, the parameter of the event, and the type of the confidential data creation / editing means monitored by the monitoring means,
An application field describing the type of the confidential data creation / editing means;
An event order field describing the order of occurrence of the events;
A parameter field describing the parameters of the event;
The information processing apparatus according to claim 2, comprising: The meaning field of the application knowledge is
A value of encapsulation meaning that the function of encapsulating the confidential data of the confidential data management means has been executed;
A value of decapsulation, which means that the function of removing the capsule of the confidential data management means has been executed;
A value of capsule open that means that the function of using the capsule of the confidential data management means has been executed;
The value of capsule end, which means that the capsule in use has ended,
Switch the top and bottom relationship of the window, the value of current document secret document switching that means that the secret document is in focus,
Switch the vertical relationship of the window, the value of current document normal document switching, which means that normal data is in focus,
The information processing apparatus according to claim 4, wherein The event order field of the application knowledge is
Focus change event that occurs when the top window changes,
Title change event that occurs when the window title changes,
A file read event that occurs when a file is read from the disk,
A file write event that occurs when a file is written to disk,
Dialog events that occur when a dialog is opened in the application,
The information processing apparatus according to claim 4, wherein the information processing apparatus is described in the order of: The parameter field of the application knowledge is
The text of the window title that has changed,
The file path of the file being read, and
The file path of the file being written, and
The string value of the window title of the opened dialog,
The information processing apparatus according to claim 4, wherein: The confidentiality state storage means is
A foreground field that indicates whether the data in the currently focused window is sensitive data;
A background field that indicates whether the data in the window that is not currently in focus contains sensitive data,
An unencapsulated field indicating the number of times the unencapsulation work has been performed;
The information processing apparatus according to any one of claims 2 to 7, wherein the information processing apparatus is stored. The monitoring level setting rule is:
An importance field describing the current usage of the confidential data;
A monitoring item field describing at least one event to be monitored by the monitoring means;
The information processing apparatus according to claim 3, wherein the information processing apparatus is set. The importance field of the monitoring level setting rule is:
The most important value, which means that the situation needs to be monitored very closely,
A value that is important means a situation where the monitoring items may be narrowed down to some extent, and
A normal value, meaning a situation that does not need to be monitored,
The information processing apparatus according to claim 9, comprising: The monitoring item setting means includes
Based on the value of the foreground field, the value of the background field, and the value of the non-encapsulated field stored in the sensitivity state storage unit, the most important, important, and normal situations are determined. The information processing apparatus according to claim 10. The monitoring item field of the monitoring level setting rule is:
Monitoring the clipboard which is a copy buffer of the operating system;
Monitoring the launch of a given application,
Monitoring the menu operation of the application by the user;
Monitoring key input by the user;
Monitoring the screen capture to capture the entire screen by the user as an image;
Monitoring the use of external media by the user;
Monitoring the use of the printer by the user;
Monitoring network usage by the user;
The information processing apparatus according to claim 9, wherein: is set. In order to monitor confidential data managed by the information processing apparatus, a confidential data monitoring method performed in the information processing apparatus,
An office application monitoring step for monitoring the operation of the office application by the user;
Monitoring result of the office application monitoring step, a monitoring result addition determination step for determining whether a log has been added,
The monitoring result analysis step of estimating the meaning of the monitoring result and estimating the current handling status of confidential data in the information processing apparatus when a log is added in the determination result of the monitoring result addition determination step;
A sensitivity determination step for determining a currently required monitoring level based on the analysis result of the monitoring result analysis step;
A monitoring method setting changing step for changing an operation to be monitored of the office application based on the monitoring level determined in the sensitivity determination step;
A method for monitoring confidential data, characterized in that: The information processing apparatus includes:
As the monitoring result analysis step,
Search the log encapsulating normal data from the monitoring results, counting the number of records, encapsulated number counting step,
Searching a log in which the encapsulated data is returned to normal data from the monitoring results, and counting the number of records, a decapsulation number counting step;
A capsule opening number counting step for searching a log obtained by reading data encapsulated from the monitoring result with a predetermined application and counting the number of records;
Capsule end count counting step for searching the end of confidential data running in a given application from the monitoring result log and counting the number of records,
Based on the result of the encapsulation number counting step, the result of the capsule opening number counting step, the result of the non-encapsulated number counting step, and the result of the capsule end number counting step, the information processing apparatus is currently In the confidential information activation number calculation step to count the number of activated confidential data in,
A current data sensitivity determination step for searching a log in which data has been switched most recently from the monitoring result and determining whether the currently focused data is confidential data or normal data;
Based on the result of the current data confidentiality determination step, the result of the secret information activation number calculation step, and the result of the non-encapsulated number count step, the number of foreground confidential information and the background confidential information An analysis result storing step for storing the number and the number of unencapsulated data respectively;
The secret data monitoring method according to claim 13, wherein: A program for causing the information processing apparatus to execute a confidential data monitoring method in order to monitor confidential data managed by the information processing apparatus,
An office application monitoring process for monitoring the operation of the office application by the user;
A monitoring result of the office application monitoring process, a monitoring result addition determination process for determining whether a log has been added, and
When the result of the monitoring result addition determination process is a log, a monitoring result analysis process for estimating the meaning of the monitoring result and estimating the current handling status of confidential data in the information processing apparatus;
Sensitivity determination processing for determining a currently required monitoring level based on the analysis result of the monitoring result analysis processing;
A monitoring method setting change process for changing an operation to be monitored of the office application based on the monitoring level determined in the sensitivity determination process;
The information processing apparatus executes the program. As the monitoring result analysis process,
Search the log encapsulating normal data from the monitoring results, and count the number of records encapsulated,
Search the log in which the encapsulated data is returned to normal data from the monitoring results, and count the number of records, and the decapsulation count processing,
A capsule opening number counting process for searching a log obtained by reading data encapsulated from the monitoring result with a predetermined application and counting the number of records;
Capsule end number count processing that searches the end of confidential data running in a given application from the monitoring result log and counts the number of records,
Based on the result of the encapsulation number counting process, the result of the capsule opening number counting process, the result of the non-encapsulated number counting process, and the result of the capsule end number counting process, the information processing apparatus is currently In the confidential information activation number calculation process to count the number of activated confidential data in,
A current data sensitivity determination process for searching a log in which data has been switched most recently from the monitoring results and determining whether the currently focused data is confidential data or normal data;
Based on the result of the current data confidentiality determination process, the result of the secret information activation number calculation process, and the result of the non-encapsulated number count process, the number of foreground confidential information and the background confidential information Analysis result storage processing for storing the number and the number of unencapsulated data,
The program according to claim 15, wherein the information processing apparatus is executed.

Images