JP2010061390A - Computer program, file transfer system, file transmitting/receiving method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To strengthen security by considering fragility of a terminal on a transmission side or a reception side in file transfer. <P>SOLUTION: A file transfer system 1 for transmitting/receiving a file between a plurality computers 2, 3 connected with a network includes a means for determining whether or not a file transmission side computer satisfies a predetermined security policy; a means for determining whether or not a file reception side computer satisfies the predetermined security policy; and a means for permitting file transmission/reception in a case where the file transmission side computer and the file reception side computer satisfy the security policy. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a computer program, a file transfer system, and a file transmission / reception method.

In recent years, files on a terminal are transferred in various forms due to remarkable development of information communication technology. As a technique for transferring a file within a network, for example, there is one described in Non-Patent Document 1. In the technique of Non-Patent Document 1, a file can be attached and transmitted together with a message.
IP Messenger, [online], H.M. Shirouzu, [retrieved July 14, 2008], Internet <http://www.ipmsg.org/index.html.en>

Information leakage is a problem with file transfer as described above. Therefore, it is required to enhance security when exchanging files.
However, in the technique of Non-Patent Document 1, the file is simply sent to the other party, and security is not considered.

  Further, as security enhancement for countermeasures against file leakage, for example, it is conceivable to encrypt a file.

However, file encryption is a countermeasure against file leakage during communication on the network, but the OS is up to date with software that is inappropriate for security and other illegal software installed, such as file sharing software. It is not a measure against file leakage caused by a vulnerable terminal itself due to insufficient security measures such as no anti-virus software or no anti-virus software installed.
For example, even if the terminal on the file transmission side is not vulnerable, if the terminal that received the file is vulnerable, the file may leak from the receiving terminal.
Also, if a vulnerable terminal is brought into the network and a file sent from the vulnerable terminal is received unconditionally, depending on the contents of the file, the receiving terminal may be vulnerable, and then the file There is a risk of leakage.

However, conventionally, there has been no focus on the vulnerability of the terminal itself with regard to security enhancement in file transfer.
Accordingly, an object of the present invention is to enhance security in consideration of the vulnerability of a terminal on a transmission side or a reception side when transferring a file.

  The present invention relates to a computer program for monitoring and controlling file transmission or reception performed by a computer connected to a network, and determining whether or not the state of the computer satisfies a predetermined security policy And a computer program that causes the computer to function as a unit that determines whether or not to execute file transmission or reception by the computer based on a determination result of the unit and the determination unit.

According to the present invention, it is possible to determine whether or not a computer that intends to transmit or receive a file satisfies the security policy and determine whether the computer can execute file transmission or reception. Therefore, file transmission / reception by a vulnerable computer can be prevented.
If it is determined that the file transmission can be executed, the file transmission may be executed by the file transmission side computer actively performing the transmission process, or the file reception side computer may be changed to the file transmission side computer. It may be performed by accessing to get the file.
When it is determined that the file reception can be executed, the file reception may be executed by receiving a file actively transmitted by the file transmitting computer, or the file receiving computer may You may carry out by accessing and acquiring a file transmission side computer.
When it is determined that the execution of file transmission or reception is not allowed, the execution of file transmission or reception as described above is not performed.

  Another aspect of the present invention is a computer program for monitoring and controlling file transmission or reception performed by a computer connected to a network, wherein the state of a partner computer that is a partner of file transmission or reception is A computer that causes the computer to function as a confirmation unit that confirms whether or not a predetermined security policy is satisfied, and a unit that determines whether or not to execute file transmission or reception by the computer based on a confirmation result of the confirmation unit A program (claim 2).

According to the present invention, it is possible to determine whether or not a computer that is a file transmission or reception partner satisfies a security policy, and determines whether the computer can execute file transmission or reception. Therefore, file transmission / reception by a vulnerable computer can be prevented.
The mode of processing when it is determined that file transmission or reception can be executed is the same as described above.

Another aspect of the present invention is a computer program for monitoring and controlling file transmission or reception performed by a computer connected to a network,
Determination means for determining whether or not the state of the computer satisfies a predetermined security policy, confirmation means for confirming whether or not the state of the counterpart computer that is the counterpart of file transmission or reception satisfies a predetermined security policy, And a computer program that causes the computer to function as a unit that determines whether the computer can execute file transmission or reception based on a determination result of the determination unit or a confirmation result of the confirmation unit.

According to the present invention, it is determined whether or not a computer that is a file transmission or reception partner satisfies a security policy, and whether or not a computer that is a file transmission or reception partner satisfies a security policy is confirmed. Thus, it is possible to determine whether the computer can execute file transmission or reception. Therefore, file transmission / reception by a vulnerable computer can be prevented.
The mode of processing when it is determined that file transmission or reception can be executed is the same as described above.

When it is determined that the file transmission can be executed, means for granting file acquisition permission to the file transmission destination computer, and causing the file transmission destination computer that has acquired the acquisition permission to acquire the file Therefore, a computer program that causes the computer to function as a transmission unit that executes file transmission is preferable.
In this case, the file transmission destination computer can determine whether or not to acquire the file by its own judgment, compared to the case where the file transmission source computer unilaterally sends the file to the file transmission destination computer. Unnecessary file reception can be avoided, and security is improved.

  It is preferable that the transmission means can acquire a file by the file transmission destination computer only within a set time during which the file can be acquired. In this case, since the file can be acquired only within the set time, security is improved. That is, by setting a time when a file can be acquired as the set time, for example, file access outside business hours can be prohibited. Also, by setting the file acquisition time limit as the set time, unlimited file leakage can be prevented. If unlimited file acquisition is permitted, the file flows over the network many times, so even if the file is encrypted, it may be decrypted, but it may be decrypted by preventing unlimited file leakage Can also be reduced.

  Preferably, the computer program further causes the computer to function as means for deleting a file to be transmitted from the computer when the set time during which file acquisition is possible has elapsed. In this case, file acquisition after the set time becomes impossible, and security is improved.

  It is preferable that a limit number of file acquisitions by the file transmission destination computer is set in the transmission means. In this case, since a file can be acquired only within the limited number of times, unlimited file leakage can be prevented, and security is improved.

  A computer program for causing the computer to further function as a means for canceling the file acquisition permission given to the file transmission destination computer is preferable. In this case, in response to a change in the situation (for example, when the state of the file transmission destination computer changes so as not to satisfy the security policy), the file acquisition permission once given can be canceled to make the file acquisition impossible.

  From another viewpoint, the present invention provides a computer program for monitoring and controlling file transmission performed by a computer connected to a network, and whether or not the state of the computer satisfies a predetermined security policy. Determining means for determining whether the status of the file transmission destination computer satisfies a predetermined security policy, and both the computer and the file transmission destination computer have the security policy Is a computer program that causes the computer to function as a means for enabling the execution of file transmission.

  Preferably, the computer program further causes the computer to function as a receiving unit that receives the file transmission permission from the file transmission source computer and accesses the file transmission source to acquire the file to acquire the file. (Claim 10). In this case, the file transmission destination computer can determine whether or not to acquire the file by its own judgment, compared to the case where the file transmission source computer unilaterally sends the file to the file transmission destination computer. Unnecessary file reception can be avoided, and security is improved.

  When the file transmission source computer is a preset computer for rejecting file reception, a computer program that further functions the computer as a means for rejecting execution of file reception is preferable. In this case, file reception from the computer to be rejected can be prevented.

When the file to be received is a preset file reception refusal file, a computer program that causes the computer to further function as means for rejecting file reception is preferable. In this case, reception of the rejection target file can be prevented.
From another aspect, the present invention provides a computer program for monitoring and controlling file reception performed by a computer connected to a network, wherein the computer status is determined from a predetermined security policy by a file transmission source computer. Means for receiving an inquiry as to whether or not the condition is satisfied; when the inquiry is received, a determination means for determining whether or not a state of the computer satisfies a predetermined security policy; A computer that causes the computer to function as means for transmitting to the computer, and means for receiving file acquisition permission from the file transmission source computer and executing file reception by acquiring the file from the file transmission source computer. A-menu data program (claim 13). In this case, a determination result as to whether or not the state of the computer satisfies a predetermined security policy can be transmitted to the file transmission source computer.

  From another point of view, the present invention provides a computer program for a relay computer that relays file transmission / reception performed between a plurality of computers connected to a network, wherein the file transmission computer satisfies a predetermined security policy. After confirming, it is possible to execute the file transmission to the file receiving computer after confirming that the receiving means for receiving the file from the file transmitting computer and the file receiving computer satisfy the predetermined security policy. A computer program that causes the relay computer to function as a means for (claim 14).

  According to the present invention, the file transmission to the receiving side via the relay computer can be executed only when both the sending side computer and the receiving side computer satisfy the security policy. Therefore, file transmission / reception by a vulnerable computer can be reliably prevented.

  From another viewpoint, the present invention is a file transfer system for performing file transmission / reception between a plurality of computers connected to a network, and determines whether or not a file transmission computer satisfies a predetermined security policy. Based on the first determination means, the second determination means for determining whether the file receiving computer satisfies a predetermined security policy, the determination result of the first determination means and the determination result of the second determination means, the file And a means for determining whether transmission / reception can be executed or not (claim 15).

  According to the present invention, it is possible to determine whether or not execution of file transmission / reception can be performed by determining whether or not the transmission side computer and the reception side computer satisfy the security policy. Therefore, file transmission / reception by a vulnerable computer can be reliably prevented.

  From another viewpoint, the present invention is a file transfer system in which file transmission / reception between a plurality of computers connected to a network is performed via a relay computer, and the file transmission computer satisfies a predetermined security policy. Means for determining whether or not the file receiving computer satisfies a predetermined security policy, and the relay computer is configured such that the file transmitting computer and the file receiving computer are A file transfer system configured to determine whether or not to execute file relay based on a determination result of whether or not a security policy is satisfied (claim 16).

  According to the present invention, it is determined whether or not the file relay can be executed by determining whether or not the transmission side computer and the reception side computer satisfy the security policy. Therefore, file transmission / reception by a vulnerable computer can be reliably prevented.

  From another viewpoint, the present invention is a method for performing file transmission / reception between a plurality of computers connected to a network, wherein the first step of determining whether or not the file transmission side computer satisfies a predetermined security policy. And whether to execute file transmission / reception based on the second step of determining whether or not the file receiving computer satisfies a predetermined security policy, the determination result in the first determination step, and the determination result in the second step A method for transmitting and receiving a file.

  From another viewpoint, the present invention is a method for performing file transmission / reception between a plurality of computers connected to a network via a relay computer, and whether or not the file transmission side computer satisfies a predetermined security policy. A step of determining whether the file receiving computer satisfies a predetermined security policy, and the relay computer if the file transmitting computer and the file receiving computer satisfy the security policy Includes a step of relaying a file (claim 18).

  According to the present invention, file transmission or reception by a vulnerable terminal can be prevented, and security can be enhanced.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[1. Overall configuration of file transfer system]
FIG. 1 shows the overall configuration of the file transfer system 1. The file transfer system 1 is configured by connecting a plurality of terminals 2 and 3 and a management server (relay server) 4 in a network such as an intranet.

  The terminals 2 and 3 and the server 4 are configured by a computer that can execute a computer program. Each of the terminals 2 and 3 and the server 4 includes a storage device (not shown) such as a hard disk or a memory that stores the computer program, and a computer program. An arithmetic unit (not shown) such as a CPU is included.

  As shown in FIG. 1, an agent computer program (hereinafter simply referred to as “agent”) P1 is resident in the terminals 2 and 3 to check the status of the terminals 2 and 3 and control file transmission / reception. In addition, a storage area M1 dedicated to the agent program is secured in the storage devices of the terminals 2 and 3. In the storage area M1, various information tables described later exist.

  A management computer program (hereinafter simply referred to as “management program”) P2 resides in the server 4 and manages the terminals 2 and 3 where the agent program resides and relays file transmission / reception. In addition, a storage area M2 dedicated to the management program is secured in the storage device of the server 4. In the storage area M2, various information tables described later exist.

  The “computer program set for the file transfer system” including the agent program P1 and the management program P2 is recorded on one or a plurality of computer-readable recording media (CD-ROM or the like) and provided to the user of the system 1 Is done. It is also possible to provide the user with the agent program P1 and the management program P2 preinstalled in the terminals 3 and 4 or the server.

[2. Overview of file transfer system functions]
In the file transfer system 1 according to the embodiment, file transfer between the terminals 2 and 3 and network management are performed by the agent P1 and the management program P2.

[2.1 File transfer function]
In the present system 1, the terminals 2 and 3 whose safety is guaranteed by the agent P 1 perform file transfer directly to other terminals or via the server 4. This enhances security against information leakage associated with file transfer.
The server 4 can set a security policy for determining the security status of the terminals 2 and 3, and the terminals 2 and 3 can determine the status of the own terminal or the other terminal of the file transfer according to the security policy. Can do.

The security policy is a condition for file transfer specified by the network administrator. For example, the following points are judged, and if passed, the file transfer permission is given to the terminals 2 and 3 and the test fails. If so, file transfer is not permitted.
(1) Is unauthorized software installed? (2) Is the latest Windows® security patch applied? (3) Is anti-virus software updated? (4) Is logged in to the OS? (5) Is the agent P1 version the latest? (6) Is the security policy version the latest?

[2.1.1 Direct transfer]
At the time of file transfer, the transmission side terminal and the reception side terminal mutually inquire about the security status of the other party. If either the own terminal or the partner terminal does not satisfy the security policy, the file transfer is not permitted and the file transfer cannot be started.

Even if the file is being transferred, if the transfer condition is not satisfied, the transfer is stopped. That is, in the present system 1, even if file transfer is permitted, the file transfer permission can be canceled at any time until the file transfer is completed. When the file transfer permission is revoked, the file transfer is stopped.
The cancellation of file transfer permission may be performed by an instruction from the user after the file transfer is permitted, or the security status of the transmitting terminal and / or the transmitting terminal is determined again after the file transfer permission, and the security policy is not satisfied. You may go in case.
The file transfer permission can be canceled from either the transmission side or the reception side.

  In this system 1, the file transfer is not performed by the transmitting terminal actively transmitting the file to the receiving terminal, but the transmitting terminal grants the file acquisition permission (access right) to the receiving terminal. This is executed by the side terminal accessing the transmitting side terminal and downloading the file. By executing the file transmission by downloading the receiving side terminal, the receiving side terminal can decide whether to receive it by its own judgment instead of receiving the unilaterally sent file. And unnecessary file reception can be avoided.

The transmitting terminal can revoke the access right of the receiving terminal at any time. If the access right is revoked, the file transfer is canceled. For example, when the state of the receiving terminal changes so as not to satisfy the security policy, the access right once given can be canceled and the file cannot be acquired.
In the system 1, the number of files to be transferred can be arbitrarily set. Terminals other than the transmitting terminal and receiving terminal of the file cannot access the file to be transferred and cannot see the file. Therefore, information leakage to other terminals can be prevented even if file transmission is performed by downloading from the receiving terminal.
Further, when the file transfer is completed or when the file transfer has not been performed and the time limit of the file transfer has passed, the file is deleted from the transmission side terminal. In this way, by setting the file transfer time limit, it is possible to prevent unlimited file leakage and improve security.

The agent P1 has a rejection list created by the user in the storage area M1. In the rejection list, a terminal (transmission side terminal) that rejects file transfer and the file name and / or extension of the file to be rejected are set. A terminal that refuses file transfer is selected from a list of terminals that can transfer files (terminal list).
When receiving the file, the agent P1 of the receiving terminal determines whether the transmitting terminal or file is registered in the rejection list. Therefore, reception of a file from a terminal included in the rejection list and reception of a file included in the rejection list can be prevented.
Further, the user of the receiving terminal can select whether to receive the file before actually receiving (downloading) the file. Therefore, it is possible to select a file that the user does not want to receive at the user's will.

[2.1.2 Transfer via server]
When transferring a file, in addition to a method of directly transmitting from the terminal to the terminal, a method of transferring the file after temporarily storing it on the server can be selected. This selection can be performed by the user at the transmission side terminal or the reception side terminal.
The ability to select transfer via the server allows the sending terminal to be able to communicate later even if the receiving terminal does not exist on the network or does not meet the policy, such as not being able to communicate. You can get the file even if is finished. At that time, the time at which the receiving terminal can receive the file placed on the server can be set at the transmitting terminal, and access other than the set time can be restricted.

Regardless of which of the direct transfer method and the transfer method via the server is selected, the file is automatically encrypted and decrypted during the file transfer.
The policy set by the system administrator is given the highest priority when selecting the transfer method. Next, restrictions are imposed by the policy specified by the user of the receiving terminal. The user of the transmission side terminal selects a transmission method from among them. For example, when “via server” is prohibited by the system administrator, the receiving side and the transmitting side cannot select “via server”.

  In addition, the user of the file transmission side terminal can limit the number of times the recipient can download the same file for a single file transfer. The upper limit can be set to any value, and it is possible not to specify the upper limit. The receiving-side terminal can acquire a file only when it is within the receivable time (setting deadline) and within the downloadable number of times. In this way, since the file can be acquired only within the limited number of times, unlimited file outflow can be prevented and security is improved.

[2.2 Management functions]
[2.2.1 Terminal list]
In the transmission side terminal, the file transfer destination (reception side terminal) is selected from the terminal list managed by the server. In the terminal list, terminals 2 and 3 on which the agent P1 is installed are described in the network. Therefore, a terminal on which the agent P1 is not mounted cannot be selected as a transfer destination, and file transmission to a terminal with low security is prevented.

  The agent P1 periodically transmits information about its own terminals 2 and 3 to the server. This includes information such as the IP address of the terminal and the department to which it belongs. A terminal list is created based on the sent information.

[2.2.2 Security policy]
The security policy is uniformly set by the system administrator in the management server 4. The terminals 2 and 3 obtain a security policy from the management server 4 as necessary. It periodically inquires the server whether the terminal 2 and 3 policy has been updated. In this way, the security policies in the system can be unified by using the security policies set in a unified manner by the terminals 2 and 3. Note that the security policy may be set independently by each of the terminals 2 and 3.
[2.2.3 Log]
The file transfer history is recorded as a log in the transmission side and reception side terminals 2 and 3. Logs of the terminals 2 and 3 are periodically transmitted to the server 4 and stored.

[3. Information table for agents and management programs]
[3.1 Agent information table]
Each of the terminals 2 and 3 has a file transfer table (agent management table) T1 in the agent storage area M1. The agent P1 refers to this file transfer table and controls file transfer.
The contents of the file transfer table T1 are as follows.

  In the file transfer table T1, information of “table for recording network arrangements such as policies” of the management server 4 is recorded in the “policy” column. Each terminal 2, 3 determines the security status of its own device according to the contents of this “policy”. This “policy” column is updated when the terminals 2 and 3 refer to the server 4 periodically.

In the file transfer table T1, the “terminal list” column stores a list of terminals on the network on which the agent P1 is installed and executed. The terminals included in the “terminal list” column are terminals that can transmit files. A terminal that does not have agent P1 installed or is not executed even though it is installed does not exist in the terminal list, and therefore file transmission to such a terminal is impossible.
This “terminal list” column is updated when the terminals 2 and 3 refer to the server 4 periodically.

In the file transfer table T1, a list of cases in which reception is rejected is recorded in the “rejection list” column. The case where reception is rejected corresponds to a terminal set as reception rejection, a file set as reception rejection, a file extension set as reception rejection, or the like.
This “rejection list” column can be set by the user in each of the terminals 2 and 3.

In the agent storage area M1 of each terminal 2 and 3, a file table T2 and a download table T3 are generated.
The contents of the file table T2 are as follows.

  This file table T2 is generated by the file transmission side terminal at the time of file transfer, and is transmitted to the file reception side terminal as a pull request. The reception-type terminal can grasp the time during which a file can be received, the file name, and the number of downloads from this table T2. The file table T2 is also accumulated in the server 4.

The contents of the download table T3 are as follows.

  The download table T3 is generated by the reception side terminal when the file reception side terminal downloads the file from the transmission side terminal, and is transmitted to the file transmission side terminal as a file acquisition request. Upon receiving the file acquisition request with this content, the transmission side terminal permits download execution by the reception side terminal.

[3.2 Server Information Table]
The server 4 has a table T4 for recording network arrangements in the storage area M2 for the management program P2.
The contents of the table T4 for recording the network arrangement are as follows.

In the table T4, the “policy” column is a condition (security policy) for determining whether or not file transfer is possible, and is set in the server 4 to be acquired by each of the terminals 2 and 3 to determine the state of the own terminal. Used.
In the table T4, the “number of simultaneously transferable” is the upper limit of the number of files that can be transferred at the same time.
In the table T4, the “terminal list” is a list of terminals constituting the network, and is used by each of the terminals 2 and 3 to select a file transfer destination.
In the table T4, the “transfer method” column is a flag indicating whether direct transfer or server transfer relayed by the server is possible. The transfer method is set in the server 4, and the terminals 2 and 3 are restricted by the transfer method specified in the table T4 when the transfer method is selected.

The server 4 further has an access information table T5 and a log table T6 in the storage area M2 for the management program P2.
The contents of the access information table T5 are as follows.

    The access information table T5 is a table for aggregating information transmitted from each agent P1 in the server 4, and associates the IP address of the terminal itself with the agent ID. Thus, when the server 4 detects the agent P1 existing in the network, the server 4 can specify the IP address (file transfer destination) of the terminal on which the agent P1 is mounted.

The contents of the log table T6 are as follows.

  In the log table T6, logs transmitted from the agents P1 are collected by the server 4. A log having the same content is also stored in each of the terminals 2 and 3.

[4. File transfer processing: Direct transfer]
Hereinafter, processing in the case where the file is directly transmitted / received between the terminals 2 and 3 in the system 1 will be described (FIGS. 2 and 3). These processes are executed by the agent P1 of each terminal.

[4.1 Processing of sending terminal in direct transfer]
Step S1-1:
First, the user of the transmission side terminal selects the transmission target file and instructs the agent P1 of the transmission side terminal to transmit the file.

Step S1-2:
Then, in the next step S1-2, the agent P1 determines whether or not the state of the own terminal (transmission side terminal) satisfies the security policy. If the transmitting terminal satisfies the policy, the process proceeds to step S1-3 (transmission permitted), and if not satisfied, the process proceeds to step S1-7 (transmission not permitted).
Based on the determination in step S1-2, it is determined whether or not the own terminal has eligibility as a transmission side terminal.

Step S1-3:
Subsequently, the user of the transmission type terminal designates a terminal (transmission destination terminal; reception side terminal) to which the file is to be transmitted from the terminal list displayed on the terminal. Here, the terminal list refers to a list such as a user list or a terminal list, and lists terminals on which agents are installed. Since only the terminals equipped with the agent P1 are displayed in the terminal list, it is impossible to transmit to terminals with low security because the agent P1 is not installed.
If a file is transmitted to a plurality of terminals, the subsequent operations are repeated for the terminals.

Step S1-4:
When the receiving terminal is designated, the agent P1 inquires about the state of the receiving terminal. This inquiry is for confirming whether the receiving terminal is in a receivable state, such as whether the security policy is satisfied. At the time of this inquiry, information for specifying a file such as a file name to be transmitted is not transmitted, but only information for identifying the transmitting terminal such as the ID of the transmitting terminal is transmitted. This prevents the file information from leaking to the receiving terminal when inquiring about the status of the receiving terminal.

Step S1-5:
Then, as a result of the inquiry in step S1-4, the transmission side terminal receives a response indicating whether reception is possible from the reception side terminal. Here, there are three types of responses: receivable, unreceivable, and no response. When receiving the inquiry, the receiving side terminal determines whether or not its own terminal device satisfies the security policy. If the receiving side terminal does not satisfy the policy, it responds that reception is impossible. Therefore, the transmission side terminal can confirm that the reception side terminal satisfies the security policy when the response from the reception side is “receivable”.

Step S1-6:
If the response from the receiving side is “receivable”, the process proceeds to step S1-8 (proceeds to a), and otherwise proceeds to step S1-7. In the case where the reception side cannot receive and when the inquiry is made again to the reception side, the process proceeds to step S1-4.

Step S1-7:
When the transmission side does not satisfy the security policy, or when the reception side is “unreceivable”, the result is recorded in a log and the process is terminated. In other words, if there is a situation such as the transmission side or the reception side not satisfying the security policy, the file transfer is not permitted, and the process ends without performing a substantial process for the file transfer.

Step S1-8:
When the reception side is “receivable”, it is confirmed that both the transmission side and the reception side satisfy the security policy (permitted state of file transfer).
Therefore, the transmission side subsequently performs processing for file transmission.
First, in the transmission side terminal, a file receivable time is set. The receivable time can be determined as appropriate by the user, and can be set as a time period during which reception is possible (for example, a weekday daytime period) or as a period during which reception is possible (for example, three days). .

Step S1-9:
Subsequently, the transmitting terminal generates an encrypted file (transmission target file) and stores it in the download storage area. This download storage area can be accessed from other terminals having access rights.

Step S1-10:
Further, the transmission side terminal transmits a file pull request to the designated transmission destination terminal. This pull request is a request message including the contents of the aforementioned file table T2 and other contents. For example, information included in the pull request includes “agent ID of transmission type terminal”, “IP address of transmission side terminal”, “transfer target file name”, transfer method (directly or via server) ”,“ receivable ” There are “time” and “download count”.
This pull request is a file acquisition permission that the transmitting terminal gives to the specified receiving terminal, and the receiving terminal is given access rights to the transmission target file on the transmitting terminal.

Step S1-11:
When the transmitting terminal transmits a pull request, it waits for the file to be pulled (downloaded). When the access right is given, the receiving side terminal can download any number of times as long as it is within the set limit number of times (download number) and within the set receivable time.

Step S1-12:
When the transmission side terminal receives the transfer end notification from the reception side terminal, the transmission side terminal proceeds to Step 1-17. Otherwise, go to step 1-13.
Note that, even after transmitting the pull request, the transmitting terminal performs a determination whether or not the terminal satisfies the security policy and an inquiry for confirming the state of the receiving terminal periodically or at any time. As a result, when either the transmission side or the reception side is in a state where file transfer is not permitted, the file transfer is stopped.
Further, the transmission side can cancel the file transfer at any time. For example, after the pull request is transmitted, if the user wants to cancel the file transfer, the file transfer can be canceled.

Step S1-13:
The file can be downloaded any number of times as long as it is within the downloadable number of times, but if the number of downloadable times is exceeded, the process proceeds to step S1-15.

Step S1-14:
The file can be downloaded at any time within the receivable time, but if the receivable time is exceeded, the process proceeds to step S1-15.

Step S1-15:
When the receivable time or the downloadable number of times is exceeded, the transmitting side terminal notifies the receiving side to that effect.

Step S1-16:
Then, the transmission side terminal deletes the transmission target file (encrypted file) from the download storage area. As a result, after that, downloading by the receiving side becomes impossible.

Step S1-17:
When the transfer is completed, or when the receivable time / downloadable number of times is exceeded, the result is recorded in the log. The file transfer process (file transmission / reception process) ends here.

[4.2 Processing of receiving terminal in direct transfer (preprocessing)]
Step S2-1:
A status inquiry (step S1-4) from the transmission side terminal reaches the reception side terminal.

Step S2-2:
Then, the agent P1 of the receiving terminal determines whether the transmitting terminal is on the rejection list. If not, the process proceeds to step S2-3. Otherwise, the file reception is not permitted, and the process proceeds to step S2-5.

Step S2-3:
The agent P1 of the receiving terminal determines whether or not the own terminal satisfies the security policy. If the policy is satisfied, file reception is permitted, and the process proceeds to step 2-4. If not, file reception is not permitted and the process proceeds to step S2-5.

Step S2-4:
When the agent P1 of the receiving terminal permits the file reception, the agent P1 responds “Receivable” to the transmitting terminal.

Step S2-5:
On the other hand, when the file reception is not permitted, the agent P1 of the receiving terminal responds to the transmitting terminal with “unreceivable”.

Step S2-6:
When the receiving terminal responds to the transmitting terminal, the result is recorded in a log. Preprocessing ends.

[4.3 Processing of receiving terminal in direct transfer (post-processing)]
Step S3-1:
When a pull request is transmitted from the transmission side terminal, the reception side terminal receives it. As a result, the receiving side terminal acquires the access right to the transfer target file. Moreover, since the pull request includes the contents shown in the file table T2, the file name to be transferred can be grasped.

Step S3-2:
The agent P1 of the receiving terminal determines whether the transmitting terminal and the transfer target file are on the rejection list. If not, the process proceeds to step S3-3, and if not, the process proceeds to step S3-5.

Step S3-3:
Subsequently, the user of the receiving terminal determines whether to receive the file, and the agent P1 of the receiving terminal accepts an instruction as to whether to receive the file. When receiving, it progresses to step S3-4, and when that is not right, it progresses to step S3-5.

Step S3-4:
When it is received by user judgment, the agent P1 of the receiving side terminal acquires the file from the transmitting side terminal. This acquisition is performed when the receiving terminal accesses the download storage area of the transmitting terminal and downloads the transfer target file name.

Step S3-5:
When it is rejected by the rejection list or when it is not received due to user judgment, the receiving terminal sends a response indicating that file transfer is impossible to the transmitting terminal. When receiving a response indicating that file transfer is not possible, the transmission side terminal records it in a log (step S1-17), and ends the file transfer process.

Step S3-6:
When the file is acquired, the agent P1 of the receiving terminal decrypts the file.

Step S3-7:
Then, when the file acquisition is completed, the transmission end is notified to the transmission side terminal.

Step S3-8:
Then, the receiving terminal records a file transfer log. The file send / receive process is now complete.

[5. File transfer processing (via server)]
Hereinafter, in the present system 1, processing when files are transmitted and received between the terminals 2 and 3 via the management server (relay server) 4 will be described (FIGS. 4, 5 and 6). These processes are executed by the agent P1 of each terminal and the management program P2 of the server.

[5.1 Processing of sending terminal in pre-server transfer (preprocessing)]
Step S4-1:
First, the user of the transmission side terminal selects the transmission target file and instructs the agent P1 of the transmission side terminal to transmit the file.

Step S4-2:
In step S4-2, the agent P1 determines whether or not the state of the own terminal (transmission side terminal) satisfies the security policy. If the transmitting terminal satisfies the policy, the process proceeds to step S4-3 (transmission permitted). If not satisfied, the process proceeds to step S4-13 (transmission not permitted).
Based on the determination in step S4-2, it is determined whether or not the own terminal has eligibility as a transmission side terminal.

Step S4-3:
Subsequently, the user of the transmission type terminal designates a terminal (transmission destination terminal; reception side terminal) to which the file is to be transmitted from the terminal list displayed on the terminal. Here, the terminal list refers to a list such as a user list or a terminal list, and lists terminals on which agents are installed. Since only the terminals equipped with the agent P1 are displayed in the terminal list, it is impossible to transmit to terminals with low security because the agent P1 is not installed.
If a file is transmitted to a plurality of terminals, the subsequent operations are repeated for the terminals.

Step S4-4:
When the receiving terminal is specified, the file receivable time is set. The receivable time can be appropriately determined by the user.

Step S4-5:
Subsequently, the transmitting terminal generates an encrypted file (transmission target file) and stores it in the download storage area. This download storage area can be accessed from other terminals having access rights.

Step S4-6:
The transmitting terminal transmits a file pull request to the server 4. This pull request is a request message including the contents of the aforementioned file table T2 and other contents. For example, information included in the pull request includes “agent ID of transmission type terminal”, “IP address of transmission side terminal”, “transfer target file name”, transfer method (directly or via server) ”,“ receivable ” There are “time” and “download count”. This pull request is a file acquisition permission that the transmission side terminal gives to the server that is the transmission destination (relayer), and the server is given access rights to the transmission target file on the transmission side terminal.

Step S4-7:
When the transmitting terminal transmits a pull request, the transmitting terminal waits for the file to be pulled (downloaded) from the server 4.

Step S4-8:
When the transmission side terminal receives the transfer end notification from the server, the transmission side terminal proceeds to step S4-13. Otherwise, the process proceeds to step S4-9.
Note that the transmission side terminal determines whether or not the terminal itself satisfies the security policy periodically or at any time after transmitting the pull request. As a result, when the transmission side is in a state where the file transfer is not permitted, the file transfer is stopped.
Further, the transmission side can cancel the file transfer at any time. For example, after the pull request is transmitted, if the user wants to cancel the file transfer, the file transfer can be canceled.

Step S4-9
The file download by the server 4 can be performed any number of times as long as it is within the downloadable number of times, but if the number of downloadable times is exceeded, the process proceeds to step S4-11.

Step S4-10:
The file download by the server 4 can be performed at any time within the receivable time, but when the receivable time is exceeded, the process proceeds to step S4-11.

Step S4-11:
When the receivable time or the downloadable number of times is exceeded, the transmitting side terminal notifies the server 4 to that effect.

Step S4-12:
Then, the transmission side terminal deletes the transmission target file (encrypted file) from the download storage area. As a result, after that, downloading by the server 4 becomes impossible.

Step S4-13:
When the file transfer to the server 4 is completed, or when the receivable time / downloadable number of times is exceeded, the result is recorded in the log.

[5.2 Server Processing for Transfer via Server]
Step S5-1:
When a pull request is transmitted from the transmission side terminal, the server 4 receives it. As a result, the server 4 acquires the access right to the transfer target file. Further, the server 4 can grasp the file name to be transferred, the original transmission destination (reception side terminal), and the like by the pull request.

Step S5-2:
The server 4 determines whether the sending terminal and the transfer target file are on the rejection list. If not, the process proceeds to step S5-3, and if not, the process proceeds to step S5-4.

Step S5-3:
The server 4 acquires a file from the transmission side terminal. This acquisition is performed by the server 4 accessing the download storage area of the transmission side terminal and downloading the transfer target file name. The downloaded file is stored in the download storage area of the server 4 for downloading by the receiving terminal.

Step S5-4:
When rejected by the reject list, the server 4 sends a response indicating that the file transfer is impossible to the transmitting terminal. When receiving a response indicating that the file transfer is impossible, the transmission side terminal records it in the log (step S4-13), and ends the file transfer process.

Step S5-5:
When the server 4 acquires the file, the server 4 notifies the transmission side terminal of the end of transfer to the server.

Step S5-6:
When the server 4 sends a response indicating that the file transfer is impossible to the sending terminal, the server 4 records the result in a log and ends the process.

Step S5-7:
When the server 4 acquires the file, the server 4 designates the file transmission destination (reception side terminal) based on the information sent from the transmission side terminal (information on the transmission destination (reception side terminal)).

Step S5-8:
When the receiving terminal is designated, the server 4 inquires about the state of the receiving terminal. This inquiry is for confirming whether the receiving terminal is in a receivable state, such as whether the security policy is satisfied. At the time of this inquiry, information for specifying a file such as a file name to be transmitted is not transmitted, but only information for identifying the transmitting terminal such as the ID of the transmitting terminal is transmitted. This prevents the file information from leaking to the receiving terminal when inquiring about the status of the receiving terminal.

Step S5-9:
Then, as a result of the inquiry in step S5-8, the server 4 receives a response indicating whether reception is possible from the reception side terminal. Here, there are two types of responses: receivable and unreceivable. When receiving the inquiry, the receiving side terminal determines whether or not its own terminal device satisfies the security policy. If the receiving side terminal does not satisfy the policy, it responds that reception is impossible. Therefore, the server 4 can confirm that the receiving terminal satisfies the security policy when the response from the receiving side is “receivable”.

Step S5-10:
If the response from the receiving side is “receivable”, the process proceeds to step S5-11 (proceed to e), otherwise proceeds to step S5-18 (proceeds to f).

Step S5-11:
When the receiving side is “receivable”, it is confirmed that the receiving side satisfies the security policy.
Therefore, the server 4 transmits a file pull request to the receiving terminal for file transmission, and grants an access right to the receiving terminal.

Step S5-12:
When the server 4 sends a pull request, it waits for the file to be pulled (downloaded). When the access right is given, the receiving side terminal can download any number of times as long as it is within the set limit number of times (download number) and within the set receivable time.

Step S5-13:
When the server 4 receives the transfer end notification from the receiving terminal, the server 4 proceeds to Step 5-18. Otherwise, go to step 5-14.
Note that the server 4 makes an inquiry for confirming the state of the receiving terminal periodically or at any time after transmitting the pull request. As a result, when the receiving terminal enters a state where file transfer is not permitted, the file transfer is stopped.
In addition, when there is a file transfer cancel instruction from the transmission side, the server can cancel the file transfer at any time. For example, if the user wants to cancel the file transfer after the pull request is transmitted, You can cancel the transfer.

Step S5-14:
The file can be downloaded any number of times as long as it is within the downloadable number of times, but if the number of downloadable times is exceeded, the process proceeds to step S5-16.

Step S5-15:
The file can be downloaded at any time within the receivable time, but if the receivable time is exceeded, the process proceeds to step S5-16.

Step S5-16:
When the receivable time or the downloadable number of times is exceeded, the server 4 notifies the receiving side to that effect.

Step S5-17:
Then, the server 4 deletes the transmission target file (encrypted file) from the download storage area. As a result, after that, downloading by the receiving side becomes impossible.

Step S5-18:
When the transfer is completed, when the receivable time / downloadable number of times is exceeded, or when the receiving side is “unreceivable”, the result is recorded in the log of the server 4.

Step S5-19:
Thereafter, the server 4 notifies the transmitting side terminal that the processing between the receiving side terminal and the server 4 has been completed. The file transmission / reception process ends here.

[5.3 Processing of the receiving terminal in server transfer (preprocessing)]
Step S6-1:
A status inquiry (step S5-8) from the server 4 reaches the receiving terminal.

Step S6-2:
Then, the agent P1 of the receiving terminal determines whether the transmitting terminal is on the rejection list. If not, the process proceeds to step S6-4. Otherwise, the file reception is not permitted, and the process proceeds to step S6-6.

Step S6-4:
The agent P1 of the receiving terminal determines whether or not the own terminal satisfies the security policy. If the policy is satisfied, file reception is permitted, and the process proceeds to step 6-5. If not, file reception is not permitted and the process proceeds to step S6-6.

Step S6-5:
When the agent P1 of the receiving terminal permits the file reception, the agent P1 responds “Receivable” to the server 4.

Step S6-6:
On the other hand, when the file reception is not permitted, the agent P1 of the receiving terminal responds to the server 4 with “unreceivable”.

Step S6-7:
When the receiving side terminal responds to the server 4, the result is recorded in the log. Preprocessing ends.

[5.4 Processing of receiving terminal in post-server transfer (post-processing)]
Step S7-1:
When a pull request is transmitted from the server 4, the receiving terminal receives it. As a result, the receiving side terminal acquires the access right to the transfer target file. Moreover, since the pull request includes the contents shown in the file table T2, the file name to be transferred can be grasped.

Step S7-2:
The agent P1 of the receiving terminal determines whether the transmitting terminal and the transfer target file are on the rejection list. If not, the process proceeds to step S7-3, and if not, the process proceeds to step S7-5.

Step S7-4:
Subsequently, the user of the receiving terminal determines whether to receive the file, and the agent P1 of the receiving terminal accepts an instruction as to whether to receive the file. If received, the process proceeds to step S7-4, and if not, the process proceeds to step S7-5.

Step S7-4:
When receiving by user judgment, the agent P1 of the receiving terminal acquires a file from the server 4. This acquisition is performed when the receiving terminal accesses the download storage area of the server 4 and downloads the transfer target file name.

Step S7-5:
When it is rejected by the rejection list or when it is not received due to user judgment, the receiving side terminal sends a response to the server 4 indicating that file transfer is impossible. When the server 4 receives the response indicating that the file transfer is impossible, the server 4 records it in the log (step S5-18).

Step S7-6:
When the file is acquired, the agent P1 of the receiving terminal decrypts the file.

Step S7-7:
When the file acquisition is completed, the server is notified of the transfer end.

Step S7-8:
Then, the receiving terminal records a file transfer log. The file send / receive process is now complete.

[5.5 Processing of sending terminal in post-server transfer (post-processing)]
Step S8-1:
When the processing between the server 4 and the receiving side terminal is completed, the transmitting side terminal receives a transfer processing end notification from the server 4.

Step S8-2:
Then, the transmission side terminal records the result in a log.

[6. Terminal management processing]
FIG. 7 shows terminal management processing for the server 4 to collect information on the terminals 2 and 3 on the network and create a terminal list and the like. The process in FIG. 7 is periodically executed. These processes are executed by the agent P1 of the terminals 2 and 3 and the management program P2 of the server 4.

Step S9-1:
First, the agent P1 of the terminals 2 and 3 collects its own information. The own information is information necessary for creating the terminal list, such as the IP address of the own terminal on which the agent is installed and information on the department to which the agent belongs.

Step S9-2:
The agent P1 of the terminals 2 and 3 collects the logs recorded in the terminals 2 and 3 into a format that can be transmitted to the server 4.

Step S9-3:
Thereafter, if the terminals 2 and 3 can connect to the server 4, the process proceeds to step S <b> 9-4. If the connection cannot be established, the process is terminated and transmission is attempted again at the next regular transmission.

Step S9-4:
When the terminals 2 and 3 are able to connect to the server 4, the information collected in steps S9-1 and S9-2 is transmitted to the server.

Step S9-5:
The server 4 receives information transmitted from the terminals 2 and 3.

Step S9-6:
Then, the server 4 updates the terminal list (transmission destination list) based on the information transmitted from the terminals 2 and 3. As a result, only the terminals 2 and 3 where the agent is currently operating are listed in the terminal list (transmission destination list).

Step S9-7:
Further, the server 4 stores the logs transmitted from the terminals 2 and 3.

Step S9-8:
Subsequently, the server 4 transmits the latest terminal list (transmission destination list) to the terminals 2 and 3.

Step S9-9:
Then, the terminals 2 and 3 receive the latest terminal list (transmission destination list) from the server 4. As a result, only the terminals 2 and 3 in which the agent P1 is currently operating are terminals that can transmit files.

[7. Log reference processing]
FIG. 8 shows processing for the system administrator to refer to the logs stored in the server 4.

Step S10-1:
An administrator accesses the server.

Step S10-2:
Subsequently, information necessary for logging in to the server, such as an ID and a password, is input.

Step S10-3:
If the input information is correct, the process proceeds to step S10-4. If it is not correct, it asks for input again or terminates the process.

Step S10-4:
If the entered information is correct, the server login is successful.

Step S10-5:
The log recorded in the server 4 is displayed on the screen of the server 4, and the administrator can view the log. The log is as shown in FIG. 9, and the “file name” of the transferred file, the IP address of the “transmission terminal”, the IP address of the “reception terminal”, “transmission date / time”, “reception date / time”, “ “Transfer method”, “Result” (success / failure of transfer), “NG factor” (cause of transfer failure), and the like are displayed.

Step S10-6:
When browsing is completed and a logout operation is performed by the administrator, the server 4 performs logout processing, and the processing ends.

  In addition, this invention is not limited to the said embodiment, A various deformation | transformation is possible. For example, the execution of file transmission from the transmission side to the reception side is not limited to download performed in response to a pull request, and the transmission side may actively execute file transmission to the reception side.

1 is an overall view of a file transfer system. It is a flowchart which shows a direct transfer process. It is a flowchart which shows a direct transfer process. It is a flowchart which shows the transfer process via a server. It is a flowchart which shows the transfer process via a server. It is a flowchart which shows the transfer process via a server. It is a flowchart which shows a terminal management process. It is a flowchart which shows a log reference process. It is a figure which shows the example of a log display.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 File transfer system 2 Terminal 3 Terminal 4 Server P1 Agent computer program P2 Management computer program M1 Storage area M2 Storage area

Claims (18)

A computer program for monitoring and controlling file transmission or reception performed by a computer connected to a network,
Determining means for determining whether or not a state of the computer satisfies a predetermined security policy; and means for determining whether the computer can execute file transmission or reception based on a determination result of the determining means;
A computer program for causing the computer to function as A computer program for monitoring and controlling file transmission or reception performed by a computer connected to a network,
Confirming means for confirming whether the state of the partner computer that is the partner of file transmission or reception satisfies a predetermined security policy, and execution of file transmission or reception by the computer based on the confirmation result of the confirmation means A means of determining availability,
A computer program for causing the computer to function as A computer program for monitoring and controlling file transmission or reception performed by a computer connected to a network,
Determining means for determining whether the state of the computer satisfies a predetermined security policy;
Confirmation means for confirming whether the state of the partner computer that is the counterpart of the file transmission or reception satisfies a predetermined security policy, and based on the determination result of the determination means or the confirmation result of the confirmation means, Means for deciding whether to execute file transmission or reception;
A computer program for causing the computer to function as When it is determined that file transmission can be executed, means for granting file acquisition permission to the file transmission destination computer, and causing the file transmission destination computer that has acquired the acquisition permission to acquire the file In the transmission means for executing the file transmission,
The computer program according to any one of claims 1 to 3, which causes the computer to function as: The computer program according to claim 4, wherein the transmission unit is capable of acquiring a file by the file transmission destination computer only within a set time during which the file can be acquired. Means for deleting a file to be transmitted from the computer when the set time allowing file acquisition has elapsed;
The computer program according to claim 5, which causes the computer to function as: The computer program according to any one of claims 4 to 6, wherein a limit number of file acquisitions by the file transmission destination computer is set in the transmission means. Means to revoke the file acquisition permission given to the file destination computer;
The computer program according to any one of claims 4 to 7, which causes the computer to function as: A computer program for monitoring and controlling file transmission performed by a computer connected to a network,
Determining means for determining whether the state of the computer satisfies a predetermined security policy;
Means for inquiring of the file destination computer whether or not the state of the file destination computer satisfies a predetermined security policy;
Means for allowing execution of file transmission when both the computer and the file transmission destination computer satisfy the security policy;
A computer program for causing the computer to function as Receiving means for receiving the file by obtaining the file by accessing the file transmission source upon receiving the file acquisition permission from the file transmission source computer;
The computer program according to any one of claims 1 to 8, which causes the computer to function as: Means for rejecting execution of file reception when the file transmission source computer is a preset computer for rejecting file reception;
The computer program according to claim 1, which causes the computer to function as: Means for rejecting file reception if the file to be received is a preset file reception rejection file;
The computer program according to claim 1, which causes the computer to function as: A computer program for monitoring and controlling file reception performed by a computer connected to a network,
Means for receiving from the file transmission source computer an inquiry as to whether or not the state of the computer satisfies a predetermined security policy;
When the inquiry is received, a determination unit that determines whether the state of the computer satisfies a predetermined security policy,
A means for transmitting the determination result by the determination means to the file transmission source computer, and receiving a file acquisition permission from the file transmission source computer and executing the file reception by acquiring the file from the file transmission source computer means,
A computer program for causing the computer to function as A computer program for a relay computer that relays file transmission / reception between a plurality of computers connected to a network,
Receiving means for receiving a file from the file transmitting computer after confirming that the file transmitting computer satisfies a predetermined security policy;
Means for allowing execution of the file transmission to the file receiving computer after confirming that the file receiving computer satisfies a predetermined security policy;
A computer program for causing the relay computer to function. A file transfer system for transmitting and receiving files between a plurality of computers connected to a network,
First determination means for determining whether or not the file transmitting computer satisfies a predetermined security policy;
Second determination means for determining whether or not the file receiving computer satisfies a predetermined security policy;
Means for determining whether or not to execute file transmission / reception based on the determination result of the first determination means and the determination result of the second determination means;
A file transfer system comprising: A file transfer system in which file transmission / reception between a plurality of computers connected to a network is performed via a relay computer,
Means for determining whether or not the file sending computer satisfies a predetermined security policy;
Means for determining whether or not the file receiving computer satisfies a predetermined security policy;
With
The relay computer is configured to determine whether or not to execute file relay based on a determination result of whether the file transmitting computer and the file receiving computer satisfy the security policy. Transfer system. A method for sending and receiving files between a plurality of computers connected to a network,
A first step of determining whether or not the file transmitting computer satisfies a predetermined security policy;
A second step of determining whether or not the file receiving computer satisfies a predetermined security policy;
Determining whether to execute file transmission / reception based on the determination result in the first determination step and the determination result in the second step;
A file transmission / reception method comprising: A method of transmitting and receiving files between a plurality of computers connected to a network via a relay computer,
Determining whether the file sending computer satisfies a predetermined security policy;
Determining whether the file receiving computer satisfies a predetermined security policy; and
Determining whether or not to execute file relay based on a determination result of whether the file transmitting computer and the file receiving computer satisfy the security policy;
A file transmission / reception method comprising:

Images