JP2011065397A - Unauthorized access detection device, unauthorized access detection program, and unauthorized access detecting method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an unauthorized access detection device which is capable of posteriorly and quickly recognizing the execution of unauthorized access to information to be restricted for browsing. <P>SOLUTION: The unauthorized access detection device includes: a log holding part 10 which acquires access logs of a server 2 holding a plurality of pieces of restricted information to be restricted for browsing and holds the access logs as a log file; a browsing permission information holding part 20 which holds browsing permission information associating respective pieces of restricted information and authority users permitted to browse respective pieces of restricted information with each other; an unpermitted browsing detection part 30 which detects an access log where unpermitted browsing has been performed by a user who is not permitted to browse, on the basis of browsing permission information; a policy violation log recording part 40 which generates a policy violation log showing contents of the unpermitted browsing and records the log in the log file; a retrospective approval accepting part 50 which accepts retrospective approval of unpermitted browsing from an authority user; and a writing part 60 which records contents of the accepted retrospective approval in the log file. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an unauthorized access detection device, an unauthorized access detection program, and an unauthorized access detection method.

  In recent years, sharing of all kinds of information has been attempted with the spread of networks. However, there is also information that should restrict free browsing from the viewpoint of personal information protection.

  As a means for restricting browsing of information placed on the network, access restriction that restricts access to the information to only a specific user can be considered. However, considering emergency response, there are cases where access restrictions cannot be strictly set.

  Consider the medical field as an example. From the viewpoint of protecting personal information, it is desirable to strictly restrict access to personal information including patient medical records so that only the doctor in charge can view it. However, in the event of an emergency that requires a patient to be consulted by an unsupported doctor, if the unsupported doctor cannot view personal information including the patient's medical records, the appropriate There is a risk of inconvenience that treatment cannot be performed. For this reason, in the medical field, it is necessary to make it possible for not only a doctor in charge but also a doctor outside the charge to view the patient's personal information.

  As mentioned above, there are cases where access restrictions on information that should be restricted cannot be strictly set (eg in the medical field), but even in this case, from the viewpoint of personal information protection, etc. It is necessary to provide means to strictly control browsing and use.

  Here, Patent Document 1 describes a system that simply detects unauthorized access without strictly restricting access to information that should be restricted. Specifically, when a user accesses a patient information database in which patient information is recorded, the access log is acquired, and the access described in the access log can be used for purposes other than browsing. It is determined whether or not it is a malicious access. When it is determined that the access is an unauthorized access, a technique for notifying a user who has accessed a warning indicating the access is described. As a means of determining whether unauthorized access is made, the tendency of the number of accesses to patient information is analyzed by occupation (radiologist, pharmacist, etc.), and patient information is accessed by occupation based on this analysis result. The threshold of the number of times to perform is determined. Then, using the access log, if the number of occupations of the user who has accessed the patient information and the cumulative number of accesses to the patient information of the user are grasped, the cumulative number exceeds the threshold set for the occupation of the user. Judge whether there is. As a result of the determination, there is described a technique for determining that the access is an unauthorized access when the threshold is exceeded.

JP 2009-48410 A

  Certainly, according to the technique described in Patent Document 1, it is possible to detect an access from a user who may be an unauthorized access and to notify the user of a warning. However, the technique described in Patent Document 1 may detect an access from a user who is not an unauthorized access as an unauthorized access and notify a warning. Such a warning may be bothersome for a user who accesses for a valid reason in an emergency, and may hinder the smooth processing of emergency work.

  In addition, the technique described in Patent Document 1 determines that access to certain patient information from a certain user is unauthorized access, issues a warning to the user, and then instructs the user to continue accessing the patient information. Upon receipt of an input to be configured, access to the patient information is continued. That is, the warning to the user has become famous. Furthermore, the technique described in Patent Document 1 does not include a technique for recognizing an access that is determined to be unauthorized access by another user (eg, a doctor in charge of a patient who has been illegally accessed on patient information). In the case of the technique described in Patent Document 1, it is not possible to strictly control unauthorized access.

  Here, the present inventor determined that there was an unauthorized access act afterwards by determining whether or not there was unauthorized access using an access log of a server holding information that should be restricted from browsing. Recognized and considered a means to crack down on the act afterwards. However, when the amount of access logs is enormous, it is not easy to find an access log with a possibility of unauthorized access from a log file in which a large amount of access logs are recorded.

  The present invention provides an unauthorized access detection device, an unauthorized access detection program, and an unauthorized access detection method capable of quickly and immediately recognizing that there has been unauthorized access to information whose browsing should be restricted. This is the issue.

  According to the present invention, an access log of a server that holds a plurality of restriction information that is information that should be restricted for browsing is acquired, a log holding unit that holds the log as a log file, and information that specifies each of the plurality of restriction information; From the access log based on the browsing permission information, a browsing permission information holding unit that holds browsing permission information that associates information that identifies authorized users who are permitted to browse the restriction information, and , Using an unauthorized browsing detection unit that detects the access log in which unauthorized browsing by a user who is not permitted to browse is performed, and using the description content of the access log detected by the unauthorized browsing detection unit, Generate a policy violation log indicating the contents of the unauthorized browsing and record it in the log file, and the unauthorized browsing indicated in the policy violation log A post-approval accepting unit that accepts post-approval of the non-permitted browsing from the authorized user of the restriction information, and the non-permitted viewing is post-approved in the log file according to the acceptance of the post-approval accepting unit And an unauthorized access detection device having a writing unit for recording information indicating that the message has been received.

  In the present invention, the policy violation log may be provided with a post-approval area for recording information indicating that the writing unit has received post-approval.

  In the present invention, the post-approval accepting unit accepts post-approval of non-permitted browsing only from the authorized user who has accessed the server, and the writing unit performs non-permitted browsing shown in the policy violation log. The first hash value calculated using the access log approved after the fact and the policy violation log may be recorded in the post-approval area of the policy violation log.

  In the present invention, a second hash value is recorded in each access log and each policy violation log of the log file, and the writing unit has subsequently approved the unauthorized browsing indicated in the policy violation log. The first hash value calculated using the second hash value recorded in the access log and the second hash value recorded in the policy violation log is used as the first hash value in the policy violation log. It may be recorded in the post-approval area.

  In the present invention, there is an unauthorized browsing extraction unit that extracts the policy violation log indicating unauthorized browsing that has not received post-approval of the authorized user, and the unauthorized browsing extraction unit extracts the policy violation from the log file. Extracting the policy violation log in which information indicating that the post-approval has been received is not recorded from the first extraction unit for extracting the log and the policy violation log extracted by the first extraction unit A second extraction unit.

  In the present invention, there is an unauthorized browsing extraction unit that extracts the policy violation log indicating unauthorized browsing that has not received post-approval of the authorized user, and the unauthorized browsing extraction unit extracts the policy violation from the log file. A first extraction unit for extracting a log; and a policy violation log in which the first hash value is not recorded in a post-approval area from the policy violation log extracted by the first extraction unit. The first hash value of each policy violation log is recorded using two extraction units and the first hash value of each of the policy violation logs in which the first hash value is recorded in the post-approval area. A fraud determination unit that determines whether the fraud has been made fraud, and the policy violation log for which the fraud decision unit has determined that the recording of the post-approval area has been fraudulent. A fourth extraction for extracting the policy violation log extracted by the output unit, the second extraction unit, and the third extraction unit as the policy violation log indicating non-permitted browsing that has not received subsequent authorization of the authority user; And may have a part.

  In the present invention, when the access log for which the unauthorized browsing is performed by the address information holding unit that holds the address information of the authorized user and the unauthorized browsing detection unit is detected, the unauthorized browsing is performed. A notification unit that notifies the authorized user who is permitted to browse the restriction information using the address information.

  According to the present invention, a step of acquiring an access log of a server that holds a plurality of restriction information that is information that should be restricted for browsing and holding it as a log file, information for specifying each of the plurality of restriction information, Based on browsing permission information that associates information that identifies authorized users who are permitted to browse the restriction information, unauthorized browsing by users who are not permitted to browse was performed from the access log. The step of detecting the access log, and using the description content of the access log detected as the access log where unauthorized browsing was performed, generate a policy violation log indicating the content of the unauthorized browsing, A step of recording in the log file, and from the authorized user of the restriction information that has been viewed in the policy violation log, An illegal operation that causes the computer to execute a post-approval of browsing and a step of recording information indicating that the non-permitted browsing has received post-approval in the log file in response to the acceptance of the post-approval. An access detection program is provided.

  In the present invention, the step of generating and recording the policy violation log generates the policy violation log provided with a post-approval area for recording information indicating that the post-approval is accepted, The step of recording in the log file, the step of receiving the post-approval is a step of receiving post-approval of unauthorized browsing only from the authorized user who has accessed the server, and the post-approval received The step of recording information indicating the fact is that the first hash value calculated by using the access log that has been approved after the unauthorized browsing shown in the policy violation log and the policy violation log is used as the policy violation. It may be a step of recording in the post-approval area of the log.

  In the present invention, a second hash value is recorded in each access log and each policy violation log of the log file, and the step of recording information indicating that the post-approval is received includes the policy violation log The first hash value calculated using the second hash value recorded in the access log that has subsequently approved the unauthorized browsing shown in FIG. 4 and the second hash value recorded in the policy violation log. The hash value may be recorded in the post-approval area of the policy violation log.

  The present invention has a step of extracting the policy violation log indicating non-permitted browsing that has not received post-approval of the authority user, and the step of extracting the policy violation log not receiving the post-approval includes the step of Extracting the policy violation log from the log file, and extracting the policy violation log from which the information indicating that the post-approval has been received is not recorded from the extracted policy violation log Steps may be included.

  The present invention has a step of extracting the policy violation log indicating non-permitted browsing that has not received post-approval of the authority user, and the step of extracting the policy violation log not receiving the post-approval includes the step of Extracting the policy violation log from a log file; and extracting the policy violation log in which the first hash value is not recorded in a post-approval area from the extracted policy violation log. And using the first hash value of each of the policy violation logs in which the first hash value is recorded in the post-approval area, the first hash value of each of the policy violation logs is illegally recorded. And a step of extracting the policy violation log that is determined to have been illegally recorded in the post-approval area. And the policy violation log in which the first hash value is not recorded in the post-approval area, and the policy violation log in which the first hash value is illegally recorded in the post-approval area. And extracting the policy violation log indicating unauthorized browsing that has not received the user's post-approval.

  According to the present invention, a process of acquiring an access log of a server that holds a plurality of restriction information that is information that should be restricted for browsing and holding it as a log file, information that specifies each of the plurality of restriction information, Based on browsing permission information that associates information that identifies authorized users who are permitted to browse the restriction information, unauthorized browsing by users who are not permitted to browse was performed from the access log. The step of detecting the access log, and using the description content of the access log detected as the access log where unauthorized browsing was performed, generate a policy violation log indicating the contents of the unauthorized browsing, A step of recording in the log file, and from the authority user of the restriction information that has been viewed in the policy violation log, after the unauthorized viewing And an unauthorized access detection method comprising: a step of accepting approval, and a step of recording information indicating that the unauthorized browsing has been approved afterwards in response to acceptance of the post-approval. The

  In the present invention, there is no need to provide any access restriction for access to restriction information that is information that should be restricted from browsing. For this reason, each user can browse the restriction information without any influence, and can smoothly proceed with his / her business.

  However, in the above case, there is a risk that unauthorized access to the restriction information may be freely performed. Therefore, in the present invention, an access log that has been subjected to unauthorized browsing that may be unauthorized access from among the plurality of access logs by using an access log of a server that holds a plurality of restriction information is post-mortem. To detect. According to this configuration, it is possible to specify unauthorized browsing that may be unauthorized access afterwards, and to control unauthorized access afterwards.

  In general, the access log is often enormous, and it is not easy to find an access log that has been subjected to unauthorized browsing that may be unauthorized access from a log file that records a large amount of access log.

  Therefore, in the present invention, when an access log that has been subjected to unauthorized browsing that may be unauthorized access is detected, information indicating that fact (policy violation log) is newly generated and recorded in the log file. According to this configuration, by extracting the policy violation log from the log file, it is possible to easily know the contents of unauthorized browsing that may be unauthorized access. In other words, it is possible to quickly audit unauthorized access using a log file.

  Further, in the present invention, when an authorized user later approves the unauthorized browsing recorded as the policy violation log as not unauthorized access, information indicating that is recorded in the log file. For example, information indicating that may be recorded in each policy violation log in the log file. According to this configuration, it is possible to extract only non-permitted browsing that has not been approved afterwards by an authorized user in the non-permitted browsing recorded as a policy violation log. Moreover, this extraction can be realized using only the log file. That is, it is possible to reduce the amount of data handled in auditing of unauthorized access acts, and it is possible to improve the processing speed of the computer and the processing efficiency of human work.

  In the present invention, the hash function is used so that the information indicating the post-approval recorded in the log file cannot be falsified. According to such a configuration, it is possible to strictly detect an unauthorized access action using a log file.

  According to the present invention, it is possible to quickly recognize afterwards that there has been an unauthorized access to information whose browsing should be restricted.

1 is a block diagram illustrating an example of a configuration of an unauthorized access detection device according to a first embodiment. 1 is a block diagram illustrating an example of a configuration of an unauthorized access detection device according to a first embodiment. 1 is a block diagram illustrating an example of a configuration of an unauthorized access detection device according to a first embodiment. It is the figure which showed an example of the access log (browsing log) typically. It is the figure which showed an example of the policy violation log typically. It is the figure which showed an example of the access log (approval log) typically. It is the flowchart figure which showed an example of the flow of a process of a restriction | limiting information server. FIG. 3 is a flowchart illustrating an example of a process flow of the unauthorized access detection device according to the first embodiment. It is a block diagram showing an example of a structure of the unauthorized access detection apparatus of Embodiment 2. It is the figure which showed an example of the log file of Embodiment 2 typically. It is the figure which showed an example of the 1st hash value of Embodiment 2 typically.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In all the drawings, the same components are denoted by the same reference numerals, and description thereof will be omitted as appropriate.

  In addition, each part which comprises the unauthorized access detection apparatus of each embodiment is CPU of a computer, memory, the program loaded in memory (In addition to the program stored in memory from the stage which shipped an apparatus beforehand, CD) Including a program downloaded from a storage medium such as an Internet server), a storage unit such as a hard disk for storing the program, and an interface for network connection, and any combination of hardware and software. . It will be understood by those skilled in the art that there are various modifications to the implementation method and apparatus.

In addition, the functional block diagrams of FIGS. 1, 2, 3, and 9 used in the description of each embodiment show functional unit blocks, not hardware unit configurations. The unauthorized access detection device of the present embodiment may be realized by one physically separated device, or two or more physically separated devices are connected by wire or wirelessly, and these plural devices are used. It may be realized.
<Embodiment 1>

  FIG. 1 shows a functional block diagram of the unauthorized access detection device 1 of the present embodiment. As shown in the figure, the unauthorized access detection device 1 of the present embodiment includes a log holding unit 10, a browsing permission information holding unit 20, a non-permitted browsing detection unit 30, a policy violation log recording unit 40, and a post-approval acceptance. Part 50 and writing part 60. The unauthorized browsing extraction unit 70 may be included. Alternatively, the address information holding unit 80 and the notification unit 90 may be included. Or you may have the unauthorized browsing extraction part 70, the address information holding | maintenance part 80, and the notification part 90. FIG. The unauthorized browsing extraction unit 70 includes a first extraction unit 71 and a second extraction unit 72.

  Here, in FIG. 1, the unauthorized access detection device 1 and the restriction information server 2 that holds a plurality of restriction information that is information that should be restricted are configured as separate devices that are physically separated from each other. An example configured to be able to perform wired or wireless communication is shown. However, the unauthorized access detection device 1 of the present embodiment is not limited to such a configuration. For example, as shown in FIG. 2, the unauthorized access detection device 1 may be configured in the restriction information server 2. This configuration may be realized, for example, by installing the unauthorized access detection program of the present invention so as to be executable in the restriction information server 2.

  As another example, as shown in FIG. 3, two physically separated devices (the first unauthorized access detection device 1A and the second unauthorized access detection device 1B) can perform wired or wireless communication. The unauthorized access detection device may be configured by these two devices. The examples in FIGS. 1 to 3 are merely examples, and other configurations are possible.

  Next, each part which comprises the unauthorized access detection apparatus 1 of this embodiment is demonstrated.

  The log holding unit 10 is configured to acquire an access log of a server 2 (hereinafter simply referred to as “restricted information server 2”) that holds a plurality of pieces of restriction information, which is information that should be restricted, and hold it as a log file. Yes. The “restriction information” includes any information that needs to be restricted, and its type is not particularly limited. For example, it may be patient information including a patient chart and the like utilized in the medical field. This restriction information is held in the restriction information server 2 as electronic data.

  The restriction information server 2 is placed on a computer network (not shown). The computer network is not particularly limited, and for example, a LAN (Local Area Network), a WAN (Wide Area Network), the Internet, and the like can be considered. With this configuration, the user can browse the restriction information held in the restriction information server 2. It should be noted that although no strict access restriction to the restriction information server 2 is provided, it is desirable to provide a certain access restriction. With this constant access restriction, it becomes possible to restrict the access of a user who has no need to view the restriction information held by the restriction information server 2. This access restriction may be realized by, for example, a method of inputting “user ID” and “password”.

  Here, the restriction information server 2 includes an access log generation unit 100 that generates an access log. The access log generation unit 100 generates an access log (hereinafter referred to as “browsing log”) in which the user has accessed the restriction information. Note that the access log generation unit 100 may generate an access log having other contents. The contents of the browsing log are not particularly limited, but are configured to include at least “information for specifying the accessed user” and “information for specifying the accessed restricted information”. Furthermore, “accessed date and time” and / or “information specifying a user who is permitted to view the accessed restriction information” may be included. Furthermore, other contents may be included.

  FIG. 4 shows an example of the browsing log. In the figure, “ID for identifying the type of log” is an ID for identifying the type of log. “A” of “A1” shown in the figure is an ID indicating that it is a browsing log (access log accessing restricted information). “1” is a serial number assigned to the browsing log in chronological order. “Access date and time” is the date and time when the restriction information is accessed. The “information specifying the accessing user” and the “information specifying the user who is permitted to view the access restriction information” are, for example, user IDs assigned to each user who accesses the restriction information server 2. May be. The “information for specifying accessed restriction information” may be, for example, a restriction information ID allocated in advance for each piece of restriction information.

  In order for the access log generation unit 100 to acquire “information for identifying an accessed user” in order to generate a browsing log, for example, a user who accesses the restriction information server 2 is obliged to input a “user ID” It may be realized by acquiring the user ID that accepted the input. From the viewpoint of preventing impersonation, it is desirable to input not only the “user ID” but also the “password”. Next, as means for acquiring “information for specifying accessed restriction information”, the restriction information ID allocated in advance to the accessed restriction information is set as the file name of the restriction information, and the accessed file It may be realized by acquiring a name. The means for acquiring the “accessed date and time” may be realized by acquiring the date and time information at that time from, for example, a clock built in the server, triggered by accepting access to the restriction information. . As means for acquiring “information for identifying a user who is permitted to view the access restriction information”, the view permission information (restriction information and each restriction information held by the view permission information holding unit 20 described below) is used. The information may be realized by acquiring desired information from the authorized user who is permitted to view the information. Note that the above-described example is merely an example, and each piece of information may be acquired by other means.

  The unauthorized access detection device 1 is configured to be able to communicate with the restriction information server 2 in a wired or wireless manner. When the log holding unit 10 acquires the access log generated by the access log generating unit 100 of the restriction information server 2, the log holding unit 10 accumulates the acquired access logs in time series and holds them as log files. The timing at which the log holding unit 10 acquires the access log from the restriction information server 2 is not particularly limited, and may be acquired at regular intervals (batch processing), or the access log generation unit 100 may access the access log. May be acquired every time the is generated (real-time processing).

  The browsing permission information holding unit 20 associates information specifying each of the plurality of pieces of restriction information held by the restriction information server 2 with information specifying an authorized user who is a user permitted to view each piece of restriction information. It is configured to hold browsing permission information. The “information specifying each of the plurality of pieces of restriction information” may be, for example, a restriction information ID allocated in advance for each piece of restriction information. In addition, the “information for identifying the authorized user” may be a user ID allocated in advance for each user who accesses the restriction information server 2. That is, the browsing permission information may be a table in which the limitation information ID of each of the plurality of limitation information is associated with the user ID of an authorized user who is permitted to browse each limitation information. In addition, the browsing permission information may be information in a format in which information specifying an authorized user is written in the metadata of each restriction information instead of the information in the table format. The browsing permission information holding unit 20 may be configured in the restriction information server 2 that holds restriction information.

  The non-permitted browsing detection unit 30 is based on the browsing permission information held by the browsing permission information holding unit 20, and the non-permitted browsing by a user who is not permitted to browse from among a plurality of access logs held by the log holding unit 10. Is configured to detect the access log that was made. The specific process of detection is not particularly limited, but the following process may be used.

  For example, based on the browsing permission information, as shown in FIG. 4, both “information for identifying the accessing user” and “information for identifying the user permitted to browse the restricted information accessed” are included. In the case where the browsing log is configured to be generated, the unauthorized browsing detection unit 30 extracts the browsing log from the access log held by the log holding unit 10, and specifies “accessed user” of each browsing log. "Information to identify" and "information to identify users who are permitted to view restricted information that has been accessed", and browsing logs that do not match these information are not permitted to be viewed by users who are not permitted to view. It may be detected as a broken access log.

  In addition, for example, if the browsing log is extracted from the access log held by the log holding unit 10, the unauthorized browsing detection unit 30 identifies “the accessed user included in the log content for each browsing log. "Information (example: user ID)" and "information for specifying accessed restriction information (example: restriction information ID)" are acquired (see FIG. 4). And the combination of the acquired information is "information specifying an authorized user (example: user ID)" and "information specifying restricted information that the authorized user is permitted to browse (example: restricted information ID)". Judgment is made on whether or not it exists in the associated browsing permission information, and the browsing log including the combination determined not to exist as an access log in which unauthorized browsing is performed by a user who is not permitted to browse It may be detected.

  The process of detecting the access log on which unauthorized browsing is performed by the unauthorized browsing detection unit 30 may be performed at regular intervals (batch processing), or the log holding unit 10 may process the access log by real-time processing. When acquiring, it may be performed whenever the log holding | maintenance part 10 acquires an access log (real time process).

  The policy violation log recording unit 40 uses the description content of the access log detected as the access log in which the unauthorized browsing detection unit 30 performed the unauthorized browsing, and shows the policy violation log indicating the content of the unauthorized browsing. Is generated and recorded in a log file held by the log holding unit 10.

  FIG. 5 shows an example of a policy violation log. In the figure, “ID for identifying log type” is an ID for identifying the type of log, and “P” of “P1” shown in the figure is an ID indicating that it is a policy violation log. It is. In this policy violation log, “information for identifying a user who has been viewed without permission (user ID)”, “information for identifying restricted information for which unauthorized browsing has been performed (eg, restricted information ID)”, “unauthorized browsing has been viewed "Date and time", "Information for identifying a user who is permitted to view restricted information that has been viewed without permission" (example: user ID), and "Policy violation number". The “policy violation number” is a serial number assigned to unauthorized browsing actions in chronological order. The contents of this log are merely an example, and what kind of contents are included as information indicating the contents of unauthorized browsing is an arbitrary design matter. As shown in the figure, the policy violation log is provided with a post-approval area for recording information indicating that the writing unit 60 described below has received post-approval from the authorized user. Also good. The number of bits in the post-approval area of this embodiment is not particularly limited, and may be 1 bit, for example. In this case, “0” may be recorded before the post-approval is received, and “1” may be recorded when the post-approval is received.

  The post-approval accepting unit 50 is configured to accept post-approval of the non-permitted browsing from the authority user of the restriction information that has been viewed non-permitted shown in the policy violation log. The “authorized user of restriction information” is an authorized user who is permitted to view the restriction information. “Post-approval” refers to post-approval that the unauthorized browsing is not browsing for an unauthorized purpose (illegal browsing). The authorized user can determine whether or not to approve the unauthorized browsing based on the user who has performed the unauthorized browsing, the restriction information for which the unauthorized browsing has been performed, the date and time when the unauthorized browsing has been performed, and the like.

  The means for receiving the post-approval from the authorized user is not particularly limited. For example, an input device such as an input button, a keyboard, a touch panel display, and a mouse is provided in the unauthorized access detection apparatus 1, and the post-approval accepting unit 50 performs this input. Information specifying the non-permitted browsing to be approved afterwards (information specifying the policy violation log, policy violation number, etc.) and input indicating that the post-approval is accepted may be received via the device. In the case of such means, the post-approval accepting unit 50 may generate a log describing the contents of the post-approval accepted and record it in a log file held by the log holding unit 10.

  As other means, for example, the restriction information server 2 is configured to receive an input of post-approval from the authorized user who has accessed the restriction information server 2 using the above-described means, and the access log generation unit 100 The access log (hereinafter referred to as “approval log”) indicating the contents of the post-approval is generated. Then, the post-approval accepting unit 50 acquires the access log from the access log generating unit 100, and acquires the above-described approval log from the log holding unit 10 held as a log file, so that post-approval from the authorized user May be accepted.

  FIG. 6 shows an example of the approval log. In the figure, “ID for identifying the type of log” is an ID for identifying the type of log, and “S” in “S1” shown in the figure indicates an approval log (the contents of post-approval) Access log). “Access date and time” is the date and time when the authorized user inputs post-approval. The “post-approved policy violation number” included in the access log is described in accordance with the policy violation number input by the authorized user who has accessed the restriction information server 2 to specify the non-permitted browsing to be post-approved. If the authority user who has accessed the restriction information server 2 is configured to input the policy violation log ID as information for specifying the unauthorized browsing to be approved after the fact, the “policy violation number approved after the fact” will be displayed. Instead, “post-approved policy violation log ID” may be described.

  The writing unit 60 is configured to record information indicating that the non-permission browsing has received the post-approval in the log file in response to the reception of the post-approval receiving unit 50. Specifically, when the writing unit 60 of the present embodiment obtains information (for example, policy violation number, policy violation log ID) that identifies post-approved non-permitted browsing from the post-approval accepting unit 50, the log In the file, record information that can identify which of the policy violation logs indicates that the unauthorized browsing is approved after the fact. For example, if each policy violation log has a post-approval area, the policy violation log that shows the post-approved non-permitted browsing in the log file using information that identifies post-approved non-permitted browsing Is recorded, and a post-approval record is made in the post-approval area of the policy violation log.

  The unauthorized browsing extraction unit 70 is configured to extract a policy violation log indicating unauthorized browsing that has not received post-approval of the authorized user. In order to realize this configuration, the unauthorized browsing extraction unit 70 includes a first extraction unit 71 and a second extraction unit 72.

  The first extraction unit 71 is configured to extract a policy violation log from the log file. This processing may be realized, for example, by searching the log file using “ID for identifying the type of log” indicating that the log is a policy violation log.

  The second extraction unit 72 is configured to extract, from the policy violation log extracted by the first extraction unit 71, a policy violation log that is not recorded with information indicating that subsequent approval has been received. This process may be realized, for example, by determining the description content of the post-approval area included in the policy violation log.

  With the above-described configuration, the unauthorized access detection device of the present embodiment quickly recognizes afterwards that there has been an unauthorized browsing activity that may be an unauthorized access to information that should be restricted from browsing. Is possible.

  In addition, it is possible to quickly recognize only an unauthorized browsing act that has not been approved afterwards, except for an unauthorized browsing activity that has been subsequently approved by an authorized user. In such a case, the number of data handled as unauthorized browsing can be narrowed down to what is really necessary, so that the data processing speed on the computer is improved and the work efficiency of human beings who audit unauthorized access is also improved. It becomes possible.

  Here, the unauthorized access detection apparatus according to the present embodiment may include means for recognizing the fact that the authorized user has browsed the restriction information that the user is permitted to browse. This means is realized by the address information holding unit 80 and the notification unit 90.

  The address information holding unit 80 is configured to hold the address information of the authorized user. That is, the address information holding unit 80 holds data in which information (eg, user ID) for specifying an authorized user is associated with address information of the authorized user. As address information, for example, a mail address, a telephone number, a FAX number, and the like can be considered.

  When the non-permitted browsing detection unit 30 detects an access log in which unauthorized browsing has been performed, the notification unit 90 notifies the authority user who is permitted to browse the restricted information that has been viewed without permission. It is configured as follows. This notification is realized using the address information held by the address information holding unit 80. As a means for notification, e-mail, FAX, telephone and the like can be considered. The content of the notification is not particularly limited, and may simply be a notification of unauthorized browsing, or the content of unauthorized browsing (users who have been unauthorized browsing, restricted information that has been unauthorized browsing) Information etc.) may also be notified. When notifying the contents of unauthorized browsing together, the notification unit 90 holds template data for notification in advance, and the template data includes necessary information (unauthorized browsing). Notification data may be created and embedded for notification. The template data can be appropriately selected from text data, voice data, etc. according to the notification means.

  As means for specifying the authorized user to be notified, an access log (see FIG. 4) detected by the unauthorized browsing detection unit 30 or a policy violation log generated based on the access log (see FIG. 5). You may implement | achieve using. Or you may implement | achieve using the access log (refer FIG. 4) detected by the unauthorized browsing detection part 30, and browsing permission information. When the post-approval by the authorized user is configured to be performed by accessing the restriction information server 2, the address information (URL or the like) of the restriction information server 2 may be notified together.

  According to the configuration of the address information method holding unit 80 and the notification unit 90 described above, it is possible to allow an authorized user who has been browsed without permission to view restriction information that the user is permitted to browse, and as a result, , Can prompt post-approval processing.

  Here, the configuration shown in FIG. 3 will be described. In FIG. 3, the unauthorized access detection device is composed of two devices (first unauthorized access detection device 1A and second unauthorized access detection device 1B) which are physically separated, and the unauthorized access detection device and the restriction information server 2 Are configured as separate devices that are physically separated. As an application example of such a configuration, for example, the following can be considered. The second unauthorized access detection device 1B is used as a log server for storing the access log generated by the restriction information server 2 for a long term. A device (first unauthorized access detection device 1A) for editing an access log is provided between the restriction information server 2 and the log server (second unauthorized access detection device 1B). Note that the storage unit 110 described in the second unauthorized access detection device 1B of FIG. 3 is configured to store electronic data for a long period of time.

  Next, an example of the processing flow of the present embodiment will be described with reference to the flowcharts of FIGS. Here, the flow of processing for batch processing will be described by taking as an example the case where the unauthorized access detection device 1 and the restriction information server 2 are configured as shown in FIG. Even when the configuration other than that shown in FIG. 1 is used, the processing can be executed in accordance with the processing flow described below.

  FIG. 7 shows an example of the processing flow of the restriction information server.

  First, when the restriction information server in the access waiting state from the user detects access to the restriction information (Yes in S701), an access log (browsing log: see FIG. 4) indicating that is generated and accumulated (S702). ). In addition, the restriction information server in a waiting state for access from the user accesses the restriction information server so that an authorized user who has been prohibited from browsing the restriction information that he / she is allowed to view can access the restriction information server for subsequent approval. When it is detected that post-approval has been performed (Yes in S703), an access log (approval log: see FIG. 6) indicating that is generated and stored (S704).

  Thereafter, the above-described processing is repeated until a predetermined timing for transmitting the accumulated access log to the unauthorized access detection device (No in S705). Then, at a predetermined timing for transmitting the accumulated access log to the unauthorized access detection device (Yes in S705), the restriction information server transmits the accumulated access log to the unauthorized access detection device (S706). After this transmission, the transmitted access log stored in the restriction information server may be deleted.

  FIG. 8 shows an example of the processing flow of the unauthorized access detection device.

  When receiving the access log from the restriction information server (Yes in S801), the unauthorized access detection device accumulates the received access log as a log file (S802).

  Thereafter, the browsing log is extracted from the access log newly received in step S801 in the accumulated log file (S803). Then, the browsing log extracted in step S803 is searched for an access log indicating that browsing is prohibited (S804).

  As a result of the search in step S804, if there is an access log indicating that the unauthorized browsing has been performed (Yes in S805), the contents described in the access log are used to indicate the contents of the unauthorized browsing. Generate a policy violation log and record it in the log file. This process is performed on the access log indicating that all unauthorized browsing detected in step S804 has been performed (S806).

  Thereafter, the access log newly searched in step S801 in the accumulated log file is searched for an approval log (S807).

If there is an approval log as a result of the search in step S807 (Yes in S808), the policy violation log indicating the post-approved non-permitted browsing is specified using the contents described in the access log. (S809), information indicating that the post-approval is approved is recorded in the post-approval area of the specified policy violation log. This process is performed on the access log indicating that all subsequent approvals detected in step S807 have been made (S810).
<Embodiment 2>

  FIG. 9 shows a functional block diagram of the unauthorized access detection device 1 of the present embodiment. As shown in the figure, the unauthorized access detection device 1 of the present embodiment includes a log holding unit 10, a browsing permission information holding unit 20, a non-permitted browsing detection unit 30, a policy violation log recording unit 40, and a post-approval acceptance. Part 50 and writing part 60. The unauthorized browsing extraction unit 70 may be included. Alternatively, the address information holding unit 80 and the notification unit 90 may be included. Or you may have the unauthorized browsing extraction part 70, the address information holding | maintenance part 80, and the notification part 90. FIG. The unauthorized browsing extraction unit 70 includes a first extraction unit 71, a second extraction unit 72, a third extraction unit 73, a fourth extraction unit 74, and an unauthorized determination unit 75.

  Note that the configuration of the unauthorized access detection device 1 of the present embodiment is not limited to that shown in FIG. 9, and other configurations can be used as in the first embodiment. Examples of other configurations here are omitted.

  The unauthorized access detection device 1 of the present embodiment is based on the unauthorized access detection device 1 of the first embodiment, and differs in the following points. Note that the restriction information server 2 of the present embodiment is the same as the restriction information server 2 of the first embodiment, and a description thereof will be omitted here.

  The post-approval accepting unit 50 of the present embodiment is configured to accept post-approval of non-permitted browsing only from authorized users who have accessed the restriction information server 2. Since a specific configuration example has been described in the first embodiment, a detailed description thereof is omitted here.

  The writing unit 60 according to the present embodiment calculates using an access log (approval log: see FIG. 6) that has been approved after the unauthorized browsing shown in the policy violation log and the policy violation log (see FIG. 5). The first hash value is recorded in the post-approval area of the policy violation log. The hash value is a value calculated from an arbitrarily determined hash function. The first hash value is obtained by substituting the value recorded in each log as data indicating the contents of the approval log and policy violation log into an arbitrarily defined hash function (h (x, y)). Value.

  In the unauthorized access detection device 1 according to the present embodiment, the second hash value may be recorded in each access log of the log file (a log accessing the restriction information and an approval log) and each policy violation log. Then, the writing unit 60 of the present embodiment uses the second hash value recorded in the approval log and the second hash value recorded in the policy violation log indicating the post-approved non-permitted browsing. The first hash value calculated in this way may be recorded in the post-approval area of the policy violation log. The second hash value is, for example, as data indicating the contents of an arbitrarily defined hash function (h (x, y)), the log, and the log immediately before the log in the log file. It may be a value obtained by substituting values recorded in each log. The hash function for calculating the second hash value and the hash function for calculating the first hash value may be the same or different.

  FIG. 10 schematically shows an example of the log file of this embodiment. In the case of this example, each log is provided with an area for describing the second hash value next to the area for describing the contents of the log (see FIGS. 4, 5, and 6). In this area, each log and the content of the log immediately before that log (value recorded in the “area describing the log contents” of each log) are stored as a hash function (h (x, y)). The second hash value obtained by substituting for is recorded. In the example of FIG. 10, a post-approval area is provided in the policy violation log (log starting with P). In the case of a policy violation log that has not been approved for unauthorized viewing (log starting with P18 in the figure), information indicating that it has not been approved, for example, “0” is arranged in the area for subsequent approval ( The number of bits is an arbitrary design matter). And in the case of a policy violation log (log starting with P1 in the figure) in which unauthorized browsing has been approved afterwards, the policy violation log (log starting with P1 in the figure) and its unauthorized browsing are displayed in the post-approval area. Substituting the contents of the approval log (log starting with S1 in the figure) (the value recorded in the “area describing the log contents” of each log) into the hash function (h (x, y)) The first hash value obtained in this way is recorded. As shown in FIG. 11, the first hash value includes the policy violation log (log starting with P1 in the figure) and the approval log (log starting with S1 in the figure) that approved the unauthorized browsing afterwards. It may be a value obtained by substituting the second hash value into the hash function (h (x, y)).

  The unauthorized browsing extraction unit 70 of the present embodiment is configured to extract a policy violation log indicating unauthorized browsing that has not received post-approval of the authorized user. In order to realize this configuration, the unauthorized browsing extraction unit 70 of the present embodiment includes a first extraction unit 71, a second extraction unit 72, a third extraction unit 73, a fourth extraction unit 74, and an unauthorizedness determination unit 75.

  The first extraction unit 71 is configured to extract a policy violation log from the log file. This processing may be realized, for example, by searching the log file using “ID for identifying the type of log” indicating that the log is a policy violation log.

  The second extraction unit 72 stores the first hash in the policy violation log in which information indicating that the post-approval has been received is not recorded from the policy violation log extracted by the first extraction unit 71, that is, the post-approval area. It is configured to extract policy violation logs with no recorded values. In order to realize this extraction, information (for example, “000000”) indicating that the post-approval is not recorded is recorded in the post-approval area of the policy violation log that is not post-approved. Then, the second extraction unit 72 extracts the policy violation log in which information indicating that the post-approval is not made (for example, “000000”) is recorded in the post-approval area, so that the post-approval area is extracted. The policy violation log in which the first hash value is not recorded is extracted.

  The fraud determination unit 75 uses the first hash value of each policy violation log in which the first hash value is recorded in the post-approval area, and the first hash value of each policy violation log is illegally recorded. It is comprised so that it may be judged whether it is a thing.

  That is, the fraud determination unit 75 first extracts a policy violation log in which information indicating that post-approval is not performed (for example, “000000”) is not recorded in the post-approval area. Then, an approval log is extracted that subsequently approves the unauthorized browsing indicated in each policy violation log. The extraction of the approval log may be realized, for example, by searching a log file using the policy violation number recorded in the approval log (see FIG. 6) and the policy violation log (see FIG. 5) as a key. Note that the extraction example using the policy violation number as a key is merely an example, and may be realized by a search using other information as a key according to the contents of a log that can be arbitrarily designed.

  Thereafter, the fraud determination unit 75 includes the contents of the policy violation log (log starting with P1 in FIG. 10) and the approval log (log starting with S1 in FIG. 10) that subsequently approved the unauthorized viewing (“ The first hash value is calculated by substituting the value recorded in “area describing log contents” into the hash function (h (x, y)). Then, the calculated first hash value is compared with the first hash value recorded in the post-approval area of the policy violation log. If the comparison results indicate that they are identical, it is determined that the first hash value recorded in the post-approval area of the policy violation log is a valid record. On the other hand, if they are not the same, it is determined that the first hash value recorded in the post-approval area of the policy violation log is an illegal record.

  In the post-approval area, a hash function is used to store the second hash value of the policy violation log (log starting with P1 in FIG. 10) and the approval log (log starting with S1 in FIG. 10) after the post-approval of unauthorized browsing. Even when the value obtained by substituting (h (x, y)) is recorded, the fraud determination unit 75 records the second hash value of each policy violation log in accordance with the above-described processing. It is determined whether or not is illegal.

  The third extraction unit 73 is configured to extract a policy violation log that is determined by the fraud determination unit 75 to have been recorded in the post-approval area as illegal.

  The fourth extraction unit 74 is configured to extract the policy violation log extracted by the second extraction unit 72 and the third extraction unit 73 as a policy violation log indicating non-permitted browsing that has not received the post-approval of the authorized user. ing.

  According to the unauthorized access detection apparatus of this embodiment, even if any value is recorded or altered by an unauthorized means in the post-approval area, the unauthorized activity can be detected. As a result, it is possible to strictly detect unauthorized access using a log file.

  The unauthorized access detection apparatus, unauthorized access detection program, and unauthorized access detection method of the present invention have been disclosed by the description of the first and second embodiments described above.

DESCRIPTION OF SYMBOLS 1 Unauthorized access detection apparatus 1A 1st unauthorized access detection apparatus 1B 2nd unauthorized access detection apparatus 2 Restriction information server 10 Log holding | maintenance part 20 Browsing permission information holding | maintenance part 30 Unpermitted browsing detection part 40 Policy violation log recording part 50 Subsequent approval reception part DESCRIPTION OF SYMBOLS 60 Writing part 70 Unauthorized browsing extraction part 71 1st extraction part 72 2nd extraction part 73 3rd extraction part 74 4th extraction part 75 Fraud determination part 80 Address information holding part 90 Notification part 100 Access log generation part 110 Storage part

Claims (13)

A log holding unit for acquiring an access log of a server that holds a plurality of restriction information, which is information that should be restricted, and holding it as a log file;
A browsing permission information holding unit for holding browsing permission information in which information for specifying each of the plurality of restriction information, information for specifying an authorized user permitted to browse each of the restriction information, and
Based on the browsing permission information, from the access log, a non-permitted browsing detection unit that detects the access log in which unauthorized browsing by a user who is not permitted to browse,
Using the description content of the access log detected by the unauthorized browsing detection unit, a policy violation log indicating the unauthorized browsing content is generated, and recorded in the log file, a policy violation log recording unit;
A post-approval accepting unit that accepts post-approval of the non-permitted browsing from the authority user of the restriction information that has been non-permitted viewed shown in the policy violation log;
In response to the acceptance of the post-approval accepting unit, the log file, the writing unit for recording information indicating that the non-permitted viewing has received post-approval,
An unauthorized access detection device. The unauthorized access detection device according to claim 1,
An unauthorized access detection apparatus, wherein the policy violation log is provided with a post-approval area for recording information indicating that the writing unit has received post-approval. The unauthorized access detection device according to claim 2,
The post-approval acceptance department
Accepting post-approval of unauthorized browsing only from the privileged user who has accessed the server,
The writing unit
The first hash value calculated by using the access log that has been approved for the unauthorized browsing shown in the policy violation log and the policy violation log is recorded in the post-approval area of the policy violation log. Unauthorized access detection device. The unauthorized access detection device according to claim 3,
A second hash value is recorded in each access log and each policy violation log of the log file,
The writing unit
It is calculated using the second hash value recorded in the access log that has subsequently approved the unauthorized browsing shown in the policy violation log, and the second hash value recorded in the policy violation log. An unauthorized access detection device that records the first hash value in the post-approval area of the policy violation log. The unauthorized access detection device according to any one of claims 1 to 4, further comprising:
An unauthorized browsing extraction unit that extracts the policy violation log indicating unauthorized browsing that has not received post-approval of the authorized user;
The unauthorized browsing extraction unit
A first extraction unit for extracting the policy violation log from the log file;
From the policy violation log extracted by the first extraction unit, a second extraction unit that extracts the policy violation log that is not recorded with information indicating that the post-approval has been received;
An unauthorized access detection device. The unauthorized access detection device according to claim 3 or 4, further comprising:
An unauthorized browsing extraction unit that extracts the policy violation log indicating unauthorized browsing that has not received post-approval of the authorized user;
The unauthorized browsing extraction unit
A first extraction unit for extracting the policy violation log from the log file;
A second extraction unit for extracting the policy violation log in which the first hash value is not recorded in the post-approval area from the policy violation log extracted by the first extraction unit;
The first hash value of each policy violation log is illegally recorded using the first hash value of each of the policy violation logs in which the first hash value is recorded in a post-approval area. A fraud determination unit that determines whether or not
A third extraction unit for extracting the policy violation log determined to have been illegally recorded by the fraud determination unit;
A fourth extraction unit that extracts the policy violation log extracted by the second extraction unit and the third extraction unit as the policy violation log indicating non-permitted browsing that has not received subsequent authorization of the authority user;
An unauthorized access detection device. The unauthorized access detection device according to any one of claims 1 to 6, further comprising:
An address information holding unit for holding address information of the authorized user;
When the access log on which unauthorized browsing has been performed by the unauthorized browsing detection unit is detected, the address information is sent to the authorized user who is permitted to browse the restricted information that has been browsed unauthorized. Using a notification unit to notify,
An unauthorized access detection device. Obtaining an access log of a server that holds a plurality of restriction information, which should be restricted, and holding it as a log file;
Browsing from the access log based on browsing permission information that associates information that identifies each of the plurality of restriction information and information that identifies an authorized user who is permitted to view each of the restriction information. Detecting the access log in which unauthorized browsing was performed by a user not authorized to
Using the description content of the access log detected as the access log where unauthorized browsing was performed, generating a policy violation log indicating the content of the unauthorized browsing, and recording the log file in the log file;
Receiving post-approval of the unauthorized browsing from the authorized user of the restriction information that has been unauthorized browsing shown in the policy violation log;
In response to acceptance of the post-approval, recording information indicating that the non-permitted viewing has received post-approval in the log file;
An unauthorized access detection program that causes a computer to execute. The unauthorized access detection program according to claim 8,
The step of generating and recording the policy violation log includes:
Generating the policy violation log provided with a post-approval area for recording information indicating acceptance of the post-approval, and recording the log in the log file;
The step of accepting the post-approval includes
Accepting post-approval of unauthorized browsing only from the authorized user who has accessed the server,
The step of recording information indicating that the post-approval has been received,
The first hash value calculated by using the access log that has been approved for the unauthorized browsing shown in the policy violation log and the policy violation log is recorded in the post-approval area of the policy violation log. An unauthorized access detection program that is a step to perform. The unauthorized access detection program according to claim 9,
A second hash value is recorded in each access log and each policy violation log of the log file,
The step of recording information indicating that the post-approval has been received,
It is calculated using the second hash value recorded in the access log that has subsequently approved the unauthorized browsing shown in the policy violation log, and the second hash value recorded in the policy violation log. An unauthorized access detection program which is a step of recording the first hash value in the post-approval area of the policy violation log. The unauthorized access detection program according to any one of claims 8 to 10, further comprising:
Extracting the policy violation log indicating unauthorized browsing that has not received post-approval of the authorized user;
The step of extracting the policy violation log that has not received the post-approval is as follows.
Extracting the policy violation log from the log file;
Extracting the policy violation log in which information indicating that the post-approval has been received is not recorded from the extracted policy violation log;
An unauthorized access detection program. The unauthorized access detection program according to claim 9 or 10, further comprising:
Extracting the policy violation log indicating unauthorized browsing that has not received post-approval of the authorized user;
The step of extracting the policy violation log that has not received the post-approval is as follows.
Extracting the policy violation log from the log file;
Extracting the policy violation log in which the first hash value is not recorded in the post-approval area from the extracted policy violation log;
The first hash value of each policy violation log is illegally recorded using the first hash value of each of the policy violation logs in which the first hash value is recorded in a post-approval area. A step of determining whether or not
Extracting the policy violation log determined to have been recorded in the post-approval area illegally;
The policy violation log in which the first hash value is not recorded in the post-approval area and the policy violation log in which the first hash value is illegally recorded in the post-approval area Extracting as the policy violation log indicating unauthorized browsing that has not been approved;
An unauthorized access detection program. A process of acquiring an access log of a server that holds a plurality of restriction information, which is information that should be restricted, and holding it as a log file;
Browsing from the access log based on browsing permission information that associates information that identifies each of the plurality of restriction information and information that identifies an authorized user who is permitted to view each of the restriction information. Detecting the access log in which unauthorized browsing by a user who is not permitted is performed;
Using the description content of the access log detected as the access log on which unauthorized browsing was performed, generating a policy violation log indicating the content of the unauthorized browsing, and recording the log file in the log file;
Receiving a post-approval of the unauthorized browsing from the authorized user of the restriction information that has been unauthorized browsing shown in the policy violation log;
In response to the acceptance of the post-approval, a step of recording information indicating that the non-permitted viewing has received the post-approval in the log file;
An unauthorized access detection method comprising:

Images