JP2011138260A - Mail check device, mail check program, and method of checking mail - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a technique for making a check based on a predetermined transmission policy when transmitting mail indicating erroneous mail transmission and then automatically adjusting the policy using canceled log information. <P>SOLUTION: In a mail check device connected to a client device via a network, mail requesting a check transmitted by a client is detected based on a prescribed check rule; a check request is transmitted to the client when mail requesting a check is detected; a check result including information on the presence or absence of cancellation is acquired from the client and stored in a storage; a cancellation amount or rate is calculated based on the check result, and a check rule is changed according to the cancellation amount or rate. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a mail check technique for automatically adjusting the contents of a policy for checking outgoing mail.

  In an electronic mail system used in an organization such as a company, there is a frequent problem of information leakage due to a destination error or an erroneous attachment of a file at the time of mail transmission.

  Incorrect email transmission can lead to a serious problem of information leakage, and even if information is not leaked, it can lead to a decline in the trust of the company, such as losing customer trust. It has been demanded.

  Conventionally, in order to prevent such erroneous transmission of mail, a filtering technique has been proposed in which a mail transmission policy is set in advance and a mail scheduled to be transmitted is checked based on the policy.

JP 2007-102334 A

  However, in the conventional countermeasures against erroneous email transmission using the above filtering, the person in charge of security performs policy settings and revisions after confirming previous incidents (events) according to the company's basic policy on information security. It was a very complicated task.

  In order to solve the above problems, in the present invention, a mail check device that automatically adjusts a transmission policy using log information whose transmission is canceled after confirmation based on a predetermined transmission policy at the time of mail transmission , Programs, and methods are provided.

  One aspect of the invention is a mail check device connected to a plurality of client devices via a network, and a mail check means for detecting a confirmation mail that is transmitted by a client based on a predetermined check policy, and the confirmation required When a mail is detected, confirmation request means for transmitting a confirmation request to the client, and log information of a confirmation result that is a response to the confirmation request and includes presence / absence of cancellation is acquired from the client and stored in the storage device Log storage means, calculation means for calculating a cancellation amount or rate based on the stored confirmation result, and policy change means for changing the check policy according to the calculated cancellation amount or rate. It relates to a mail check device.

  According to the above aspect of the present invention, the mail check means detects the confirmation mail that the client needs to send based on the predetermined check policy, and the confirmation request means detects the confirmation mail that is sent to the client when the confirmation mail is detected. Send a confirmation request. Thereafter, the storage means obtains the log information of the confirmation result, which is a response to the confirmation request and includes the presence / absence of cancellation, from the client and stores it in the storage device, and the calculation means calculates the cancellation amount or rate based on the stored confirmation result. Is calculated. Then, the policy changing means is configured to change the check policy according to the calculated cancellation amount or rate, whereby the tendency or status of the outgoing mail in units of organizations such as companies can be confirmed. In addition, from these trends and situations, it is possible to provide appropriate feedback to the policy for filtering outgoing mail.

  As described above, according to a predetermined transmission policy, the cancellation amount or rate is calculated based on the information of the cancellation log in which the confirmation result of the outgoing mail by the client is accumulated, and the policy is automatically set according to the cancellation amount or rate. By adopting a configuration in which the change is made automatically, it is possible to easily change the policy according to the tendency and the situation of the outgoing mail in units of an organization such as a company without human intervention.

It is a figure which shows one basic composition of the mail check system which becomes embodiment of this invention. It is a functional block diagram of the mail check apparatus which becomes embodiment of this invention. It is a figure which shows the basic policy table of the transmission mail which becomes embodiment of this invention. It is a figure which shows the example of a confirmation screen of the transmission mail displayed on the client apparatus which becomes embodiment of this invention. It is a figure which shows the log analysis example in the mail check apparatus which becomes embodiment of this invention. It is a figure which shows the policy change rule table which prescribes | regulates the change of the policy which becomes embodiment of this invention. It is a figure which shows the operation | movement flow of the mail check apparatus which becomes embodiment of this invention. It is a figure which shows the provision flow of the separate information to each client at the time of policy delivery which becomes embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows a configuration example of a mail check system in which a mail check device 1, a client PC (Personal Computer) 2, and a mail server 3 are connected to each other via a LAN (Local Area Network) 4. The outgoing mail is further sent to the external network 5 via a gateway (not shown).

  Of course, the above-described configuration may be configured such that the mail server 3 incorporates the function of the mail check device 1 and is managed by one server. In addition, by performing all the processing with the client PC 2 alone, it is possible to correspond to realization for personal use.

  The mail check device 1 is based on a predetermined check policy, a mail check unit 11 that detects a confirmation mail that is sent by the client, and a confirmation request unit 12 that sends a confirmation request to the client PC 2 when a confirmation mail is detected. A log storage unit 13 that obtains log information of a confirmation result that is a response to the confirmation request and includes the presence or absence of cancellation from the client and stores the log information in the storage device, and a calculation that calculates a cancellation amount or a rate based on the stored confirmation result And a policy changing unit 15 that changes the check policy according to the calculated cancellation amount or rate.

  According to the present invention, the mail check device 1 collects logs for confirmation of outgoing mail, totals the logs, and calculates a cancellation amount or rate as statistical information, so that the unit of aggregation is only for individuals. In addition, it is possible to check the trend and situation corresponding to each unit by corresponding to the group or business unit, organizational unit, etc. From these trends and situations, it is possible to provide accurate feedback to outgoing mail policies.

  Although not shown, the mail check device 1 is a computer having a CPU (Central Processing Unit) and a memory, and a program for processing each of the processing units is stored from a storage device (for example, the storage device 100) at startup. It is expanded in the memory and executed by the CPU.

  The program is recorded on a portable medium such as a flexible disk (FD), a magneto-optical disk (MO), a memory stick, or a compact disk (CD), and is read by a reading device (not shown) corresponding to each medium. It is good.

  FIG. 2 shows a functional block diagram of the mail check device 1. In conjunction with FIG. 1, each function of the mail check apparatus 1 will be described below.

  The mail check unit 11 detects a confirmation mail requiring according to the current policy already distributed from the mail check device 1 to each client PC 2, and the confirmation requesting unit 12 requests confirmation of the confirmation mail necessary, and the log storage unit 13. However, the cancel log (individual) as the confirmation result accumulated in the storage device 200 on each client PC 2 side is collected at an arbitrary timing, and the collected cancel log is stored in the own storage device 100 for each management unit.

  Next, the calculation unit 14 calculates the cancellation amount or rate for each management unit based on the collected cancellation log, and the policy change unit 15 analyzes the cancellation amount or rate for each management unit, and sets the policy change rule. By applying, the current policy is adjusted as appropriate, a new policy is set, and the new policy is distributed to each client via the LAN 4.

  The policy changed by the policy changing unit 15 needs to be applied to all parties concerned. Therefore, using the RSS (Really Simple Syndication) distribution function described in an XML (Extensible Markup Language) -based structured format, the latest defined policy is compulsorily distributed and applied to each party.

  The RSS distribution realizes a form in which the presence of the latest policy setting is confirmed at the timing when the mail check program is activated when the apparatus is activated, and if there is the latest one, it is automatically updated.

  FIG. 3 shows the data structure of the basic policy table when checking outgoing mail. The basic policy table is composed of a plurality of records including policy items and contents.

  As a policy for confirming transmission, the rules 1-1: “Emails with external addresses are displayed for confirmation” and Rules 1-2: “Mails whose transmission address is only within the company are not displayed for confirmation (through)” are defined. .

  Also, as a warning display policy, the rules 2-1: “Warn when the total number of mail addresses exceeds 20”, Rules 2-2: “In the text, title, and attached file name of mail with external addresses” “Warn when a confidential keyword is included” and “Rule 2-3:“ Mail without title ”” are defined.

  Further, as a blocking policy, the rule 3-1: “Block mail whose number exceeds 200” is defined.

  Such a basic policy is distributed to each client, and is operated for a certain period (for example, 1 to 2 weeks), and an operation log relating to the use state is accumulated during the operation.

  FIG. 4 shows an example of a confirmation screen for the outgoing mail displayed on the client PC 2.

  In this confirmation screen example, the subject, sender, presence / absence of an attached file, and applied operation policy attribute information are displayed as a case of the outgoing mail. In the warning message column, (1) Conflict rules such as “Is there any confidential information in the external mail”, etc. (2) To, Cc, Bcc address types, address names, mails as internal addresses Address, number of items, etc. (3) As an external destination, similarly, a destination type, a destination name, an e-mail address, the number of items, etc. are displayed.

  The confirmation result on this confirmation screen includes the transmission date and time, the transmission destination within the organization, the transmission destination outside the organization, the ID of the checked rule in the confirmation policy, the final check result of the outgoing mail, and the transmission result (OK or OK Or the time spent for the confirmation check process is associated with each mail and recorded in the storage device 200 of each client PC 2 as a log.

  The destinations in the organization are classified and recorded as To, Cc, and Bcc as statistical values. In addition, the number of destinations checked in advance by the white list is also sorted and recorded by distinguishing To, Cc, and Bcc. Is done.

  In addition, destinations outside the organization are similarly sorted by statistically distinguishing To, Cc, and Bcc. In addition, the number of destinations that have been checked in advance using a whitelist is also sorted by distinguishing To, Cc, and Bcc. ing. Further, the number of destinations on the black list regarding the outside of the organization is recorded.

  Further, the final check result of the transmission mail is recorded by distinguishing transmission without cancel: send / send: transmission / through: confirmation.

  The log information accumulated in the client PC 2 is collected by the mail check device 1 that distributes the transmission policy, analyzed based on the collected information, and used for confirming transmission according to a predetermined policy change rule. The policy content will be changed.

  Detailed policy changes are made when the administrator determines the timing and unit (separation) of the change from the pattern.

  As described above, the confirmation of the mail transmission processed by the client PC 2 described above does not depend on the mailer (application) being used, and the confirmation of the destination address of the outgoing mail from any mailer (inside the organization, outside the organization, the domain , Caution, need attention, whitelist, blacklist, etc.), and as a result of this confirmation, the status of whether the transmission was canceled (cancellation, retrieval) or sent, and the rules applied for confirmation ( It is assumed that information such as conflict rules) is accumulated as a log together with date and time information.

  FIG. 5 shows an example of log analysis. In the example, the cancellation rate for the number of transmitted emails is calculated for each time period based on the log information of the confirmation result by the client collected by operating the basic policy shown in FIG. 3 for a certain period.

  As the time zone, the cancellation rate is high at 12:00, 16:00, and 17:00. That is, it can be seen that there are time periods with high cancellation rates such as lunch breaks and before and after leaving the office. In such a time zone, a policy change rule (described later in FIG. 6) is applied so as to strengthen the policy.

  In the present embodiment of FIG. 5, the unit of analysis of the cancellation rate is shown for each time zone of the day. However, the present invention is not limited to this, and may be shown on a time axis such as day of the week, month, or year. Good.

  As described above, the check policy is changed according to the cancellation amount or rate calculated based on the time axis including the time zone of the day, day of the week, month, or year based on the aggregated log information. Become.

  FIG. 6 shows the data structure of a policy change rule table that defines policy changes. The policy change rule table shows the rules of the change policy corresponding to the analysis pattern. The specific contents are as follows.

  Analysis pattern 1: When the number of transmissions decreases and the number of cancellations increases, the regulations are strictly tightened, “Part 1: Turn off the automatic learning function of the white list, Part 2: Alert the transmission of attached files inside and outside the organization” Apply.

  Analysis pattern 2: When there is no change in the number of transmissions and the number of cancellations increases, the regulation is strengthened and “reducing the number of external destinations to be warned (20 → 10)” is applied.

  Analysis pattern 3: When the number of transmissions increases and the number of cancellations increases, regulations are strengthened and “reducing the number of destinations to be warned (20 → 10)” is applied.

  Analysis pattern 4: When the number of transmissions increases and the number of cancellations does not change, the current state is maintained and the policy is not changed.

  Analysis pattern 5: Regardless of the number of transmissions, if the number of cancellations decreases, the restriction is relaxed and “turn on the automatic learning function of the white list” is applied.

  FIG. 7 shows an operation flow of the mail check apparatus 1. First, in step S11, the calculation unit 14 cancels the number of transmitted mails for each incident (event) unit in an organization such as a time zone or a week based on the cancellation log collected from each client device 2. Log statistics processing to calculate the rate.

  Next, in step S12, feature extraction processing is performed to extract event units that are features such as time zones where the cancellation rate varies according to the cancellation rate calculated in the log statistical processing.

  In step S13, the policy change unit 15 refers to the policy change rule table, compares it with the analysis pattern, and determines whether a corresponding change policy exists. If the corresponding analysis pattern exists, the corresponding change policy is applied in step S14. The processing of steps S13 to S14 is repeated until there is no corresponding analysis pattern for all the event units that are the extracted features.

  When the handling of all the feature extracted event units is completed, in step S15, the update policy is delivered to each client as a new policy instead of the current policy.

  In addition, although the aggregation by the mail check apparatus 1 described above can be set in various units, it is also possible for the client side to perform aggregation and to set a policy in accordance with the use status of the individual or the client PC 2 within the client. Is possible.

  As described above, according to the present embodiment, policy setting can be realized uniformly without depending on a person for an incident (event) to be targeted. Further, it is possible to realize a flexible policy response according to the processing status, and to respond from the signs before an incident occurs. Furthermore, it is possible to force the setting of the policy to be changed on the network, and it is possible to always maintain the security level above a certain level.

  FIG. 8 shows a flow of providing individual information to each client at the time of policy distribution. In the present embodiment, guidance and comment information are provided in a pinpoint manner for each user during RSS distribution.

  First, in step S21, the mail check apparatus 1 acquires information such as a tool currently used, a policy version, and a use mailer from the client. Next, for each client, in steps S22, S24, and S26, it is determined whether or not the policy version, tool version, and usage mailer information have been checked. If not checked, in steps S23, S25, and S27, arbitrary provision information corresponding to the policy, the use tool, and the use mailer is selected. The processes in steps S22 to S23, steps S24 to S25, and steps S26 to S27 are repeated for a plurality of clients.

  When all the clients have been checked, the mail checking apparatus 1 organizes information to be provided to the client in step S28, and provides information to each client in step S29.

  As described above, arbitrary information can be provided on the client side in a pinpoint manner based on the policy version, tool version, and usage mailer information. As a result, for example, the client side can receive an arbitrary message according to the usage status at the time of starting the system, and can receive individual system modification and version upgrade guidance information and instructions in a timely manner. It becomes.

  The technical field of mail transmission filter that enables automatic adjustment of policy contents when sending mail for each organization of the enterprise.

1 Mail check device 2 Client PC
3 Mail server 4 Network (LAN)
5 External network 10 Storage device (cancellation log (all members))
DESCRIPTION OF SYMBOLS 11 Mail check part 12 Confirmation request part 13 Log storage part 14 Calculation part 15 Policy change part 20 Storage device (cancellation log (individual))

Claims (7)

A mail check device connected to a plurality of client devices via a network,
Based on a predetermined check policy, an email check means for detecting a confirmation email sent by the client,
A confirmation requesting means for transmitting a confirmation request to the client when the confirmation confirmation mail is detected;
Log storage means for acquiring log information of a confirmation result that is a response to the confirmation request and includes the presence or absence of cancellation from the client and storing the log information in a storage device;
Calculating means for calculating a cancellation amount or rate based on the stored confirmation result;
Policy change means for changing the check policy according to the calculated cancellation amount or rate.   The policy changing means, according to the cancellation amount or rate, stop learning of the white list related to the detection of the confirmation mail required for the check policy, start detecting the attached file, reduce the threshold of the number of destinations related to the detection, The mail check apparatus according to claim 1, wherein at least one of the following is performed.   3. The mail according to claim 1, wherein the calculation unit aggregates log information from the client and performs analysis for each classification determined by the client or a target group to which the client belongs. Check device.   4. The mail according to claim 1, wherein the policy changed by the policy changing unit is distributed to the target client device using an RSS distribution method described in a structured format. Check device.   The check policy analyzes the aggregated log information on a time axis including a time zone, a day of the week, a monthly degree, and a year, and changes according to the cancellation amount or rate calculated with the time axis as a unit. The mail check device according to claim 1, wherein the mail check device is a mail check device. A mail check program processed by a mail check device connected to a plurality of client devices via a network,
On the computer,
An email check step for detecting a confirmation email sent by the client based on a predetermined check policy,
A confirmation requesting step for sending a confirmation request to the client when the confirmation confirmation mail is detected;
A log storage step of acquiring log information of a confirmation result that is a response to the confirmation request and includes cancellation or not, from the client and storing the log information in a storage device;
A calculation step of calculating a cancellation amount or a rate based on the stored confirmation result;
A policy change step of changing the check policy according to the calculated cancellation amount or rate. A mail check method processed by a mail check device connected to a plurality of client devices via a network,
An email check step for detecting a confirmation email sent by the client based on a predetermined check policy,
A confirmation requesting step for sending a confirmation request to the client when the confirmation confirmation mail is detected;
A log storage step of acquiring log information of a confirmation result that is a response to the confirmation request and includes cancellation or not, from the client and storing the log information in a storage device;
A calculation step of calculating a cancellation amount or a rate based on the stored confirmation result;
And a policy change step of changing the check policy according to the calculated cancellation amount or rate.