JP2014191426A - Information processor for executing countermeasure for fraudulent action, fraudulent action countermeasure method, and program therefor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problem that improvement of a security policy cannot be easily executed.SOLUTION: An information processor includes policy acquisition means for acquiring a policy including a plurality of determination rules from a system to be monitored on the basis of the type of an event being an action using an information processing system to be monitored, and determination rule detection means for detecting a determination rule corresponding to the entity of the event on the basis of the policy and an interpretation rule for regulating an interpretation method of the policy, and outputting the determination rule.

Description

  The present invention relates to an information processing apparatus that executes countermeasures against fraud against information systems, a fraud countermeasure method, and a program therefor.

  Various related techniques are known for detecting unauthorized access to an information system by an operator having access authority (an operator including a person, a computer, and other devices, hereinafter referred to as an access authority).

  Patent document 1 discloses a fraud detection system. The fraud detection system of Patent Literature 1 includes a history storage unit, an audit information disclosure unit, and a fraud detection unit. The history storage unit stores operation history information of the monitored apparatus. The audit information disclosure unit discloses audit information including information indicating that an audit for detecting fraud is performed. The fraud detection unit detects unauthorized operations based on pre-disclosure operation history information that is operation history information before the time when audit information is disclosed and post-disclosure operation history information that is operation history information after the time when audit information is disclosed. Detect actions. In other words, the fraud detection system analyzes fraudulent behavior changes before and after notification of the audit execution plan, and detects fraud. With the above-described configuration, the cheating detection system can detect cheating performed by an operation that cannot be distinguished from a normal operation.

WO2012 / 153746

  However, the technique described in the above-described patent technical document has a problem that improvement of the security policy (hereinafter simply referred to as policy) cannot be easily performed.

  The reason is that the fraud detection system described in Patent Document 1 cannot clearly indicate which part of the policy has a problem.

  The objective of this invention is providing the information processing apparatus which can solve the problem mentioned above, the fraud countermeasure countermeasure method, and the program for it.

  An information processing apparatus according to the present invention includes a policy acquisition unit that acquires a policy including a plurality of determination rules from a monitored system, based on a type of event that is an act of using the monitored information processing system, the policy, Determination rule detecting means for detecting and outputting the determination rule corresponding to the entity of the event based on an interpretation rule that defines a policy interpretation method.

  The fraud countermeasure countermeasure method of the present invention obtains a policy including a plurality of determination rules from a monitored system based on the type of event that is an action using the monitored information processing system, and interprets the policy and the policy The determination rule corresponding to the entity of the event is detected and output based on an interpretation rule that defines a method.

  The program according to the present invention includes a process for acquiring a policy including a plurality of determination rules from a monitored system based on a type of event that is an act of using the monitored information processing system, the policy, and a method for interpreting the policy And a process for detecting and outputting the determination rule corresponding to the substance of the event based on the interpretation rule that defines the event.

  The present invention has an effect that the policy can be easily improved.

FIG. 1 is a block diagram illustrating the configuration of the anti-tamper device according to the first embodiment. FIG. 2 is a block diagram illustrating a hardware configuration of a computer that implements the anti-tamper device according to the first embodiment. FIG. 3 is a block diagram illustrating a configuration of an information processing system including a fraud countermeasure device according to the first embodiment. FIG. 4 is a diagram illustrating an example of cheating related information in the first embodiment. FIG. 5 is a diagram illustrating an example of a policy according to the first embodiment. FIG. 6 is a diagram illustrating an example of a policy forcing means list in the first embodiment. FIG. 7 is a diagram illustrating an example of interpretation rules in the first embodiment. FIG. 8 is a flowchart showing the operation of the fraud countermeasure device in the first embodiment. FIG. 9 is a block diagram illustrating a configuration of the anti-tamper device according to the second embodiment. FIG. 10 is a diagram illustrating an example of fraud related information in the second embodiment. FIG. 11 is a diagram illustrating an example of a strict policy in the second embodiment. FIG. 12 is a flowchart showing the operation of the fraud countermeasure device in the second embodiment. FIG. 13 is a diagram illustrating an example of numerical values corresponding to the determination conditions in the second embodiment.

  Embodiments for carrying out the present invention will be described in detail with reference to the drawings. In each embodiment described in each drawing and specification, the same reference numerals are given to the same components, and the description thereof is omitted as appropriate.

<<<< first embodiment >>>>
FIG. 1 is a block diagram showing a configuration of a fraud countermeasure device (also referred to as an information processing device) 100 according to the first embodiment of the present invention.

  As shown in FIG. 1, the fraud countermeasure device 100 according to the present embodiment includes a policy acquisition unit 110 and a determination rule detection unit 120.

  The constituent elements shown in FIG. 1 may be constituent elements in hardware units or constituent elements divided into functional units of the computer apparatus. Here, the components shown in FIG. 1 will be described as components divided into functional units of the computer apparatus.

  FIG. 2 is a block diagram illustrating a hardware configuration of a computer 700 that implements the fraud countermeasure device 100 according to the present embodiment.

  As illustrated in FIG. 2, the computer 700 includes a CPU (Central Processing Unit) 701, a storage unit 702, a storage device 703, an input unit 704, an output unit 705, and a communication unit 706. Furthermore, the computer 700 includes a recording medium (or storage medium) 707 supplied from the outside. The recording medium 707 may be a non-volatile recording medium that stores information non-temporarily.

  The CPU 701 controls the overall operation of the computer 700 by operating an operating system (not shown). The CPU 701 reads a program and data from a recording medium 707 mounted on the storage device 703, for example, and writes the read program and data to the storage unit 702. Here, the program is, for example, a program that causes the computer 700 to execute an operation of a flowchart shown in FIG.

  The CPU 701 executes various processes as the policy acquisition unit 110 and the determination rule detection unit 120 illustrated in FIG. 1 according to the read program and based on the read data.

  Note that the CPU 701 may download a program and data to the storage unit 702 from an external computer (not shown) connected to a communication network (not shown).

  The storage unit 702 stores programs and data. The storage unit 702 may store fraudulent act related information 810, a policy 820, a policy forcing means list 830, and an interpretation rule 840, which will be described later.

  The storage device 703 is, for example, an optical disk, a flexible disk, a magnetic optical disk, an external hard disk, and a semiconductor memory, and includes a recording medium 707. The storage device 703 (recording medium 707) stores the program in a computer-readable manner. The storage device 703 may store data. The storage device 703 may store fraudulent behavior related information 810, a policy 820, a policy forcing means list 830, and an interpretation rule 840, which will be described later.

  The input unit 704 is realized by, for example, a mouse, a keyboard, a built-in key button, and the like, and is used for an input operation. The input unit 704 is not limited to a mouse, a keyboard, and a built-in key button, and may be a touch panel, an accelerometer, a gyro sensor, a camera, or the like.

  The output unit 705 is realized by a display, for example, and is used for confirming the output.

  The communication unit 706 implements an interface with the monitored system 102 and the fraud detection device 103. The communication unit 706 is included as a part of the policy acquisition unit 110.

  As described above, the functional unit block of the anti-tamper device 100 shown in FIG. 1 is realized by the computer 700 having the hardware configuration shown in FIG. However, the means for realizing each unit included in the computer 700 is not limited to the above. In other words, the computer 700 may be realized by one physically coupled device, or may be realized by two or more physically separated devices connected by wire or wirelessly and by a plurality of these devices. .

  A recording medium 707 in which the above-described program code is recorded may be supplied to the computer 700, and the CPU 701 may read and execute the program code stored in the recording medium 707. Alternatively, the CPU 701 may store the code of the program stored in the recording medium 707 in the storage unit 702, the storage device 703, or both. That is, the present embodiment includes an embodiment of a recording medium 707 that stores a program (software) executed by the computer 700 (CPU 701) temporarily or non-temporarily.

  This completes the description of each hardware component of the computer 700 that implements the fraud countermeasure device 100 according to this embodiment.

  FIG. 3 is a block diagram illustrating a configuration of the information processing system 101 including the fraud countermeasure device 100 according to the present embodiment.

  As illustrated in FIG. 3, the information processing system 101 includes a fraud countermeasure device 100, a monitored system 102, and a fraud detector 103.

=== Fraud Detection Device 103 ===
The cheating detector 103 monitors the monitored system 102 and detects the occurrence of cheating (unauthorized event) or the act (event) suspected of cheating (both are also called suspicious acts). . Furthermore, the fraud detection device 103 generates fraud related information 810 including information on the event and transmits the information to the fraud countermeasure device 100.

=== Fraud Countermeasure Device 100 ===
The cheating countermeasure device 100 receives the cheating related information 810. Next, the fraud countermeasure device 100 acquires the policy 820 from the monitored system 102 based on the event type included in the fraud related information 810. The event is an act of using the monitored system 102. The policy 820 includes a plurality of determination rules.

  Next, based on the policy 820 and the interpretation rule that defines the interpretation method of the policy 820, the fraud countermeasure device 100 detects and outputs the determination rule corresponding to the entity of the event.

=== Fraud Related Information 810 ===
FIG. 4 is a diagram illustrating an example of the fraudulent act related information 810. As shown in FIG. 4, the fraudulent act related information 810 includes an event type 812 and an event entity 813.

  The event type 812 indicates the type of the event. For example, the type includes mail transmission, mail reception, and web browsing.

  The event entity 813 is the entity of the event. For example, the entity is an identifier of a mail transmission source and an identifier of a mail destination when the type is mail transmission and reception.

=== Policy 820 ===
FIG. 5 is a diagram illustrating an example of the policy 820. As shown in FIG. 5, the policy 820 includes an event entity 823 and a determination condition 824.

  The definition of the event entity 823 is equivalent to the definition of the event entity 813 shown in FIG.

  The determination condition 824 indicates the processing contents of the corresponding event entity 823 (for example, “permitted” or “prohibited”) and the conditions for executing the processing (for example, “detail log acquisition”, “always”, etc.). .

  Next, returning to FIG. 1, each component of the fraud countermeasure device 100 will be described in detail.

=== Policy Acquisition Unit 110 ===
Based on the event type 812 included in the fraudulent activity related information 810, the policy acquisition unit 110 detects a policy forcing unit (not shown) that controls the security for the event type 812, and determines the policy 820 from the detected policy forcing unit. get. Here, the policy forcing means is either a component (not shown) included in the monitored system 102 or a means (not shown) included in the component.

  For example, the policy acquisition unit 110 reads the policy forcing means list from the storage unit 702 or the storage device 703. Next, the policy acquisition unit 110 determines a policy forcing means (policy forcing means identifier described later) corresponding to the event type 812 based on the policy forcing means list. Then, the policy acquisition unit 110 accesses the policy forcing unit of the monitored system 102 and acquires the policy 802.

  FIG. 6 is a diagram illustrating an example of the policy forcing means list 830. As shown in FIG. 6, the policy forcing means list 830 includes a set of an event type 832 and a policy forcing means identifier 834.

  The definition of the event type 832 is equivalent to the definition of the event type 812.

  The policy enforcement means identifier 834 is an identifier that identifies the policy enforcement means.

=== Determination Rule Detection Unit 120 ===
The determination rule detection unit 120 detects and outputs a determination rule 821 corresponding to the event entity 813 included in the cheating related information 810.

  For example, the determination rule detection unit 120 emulates policy enforcement means corresponding to the event entity 813 and detects a determination rule 821 corresponding to the event type 812. Here, the determination rule detection unit 120 emulates the policy forcing unit based on the policy 820 acquired by the policy acquisition unit 110 and the interpretation rule that defines the interpretation method of the acquired policy 820. This interpretation rule includes information on a search condition and a search method for detecting a determination rule, which is a measure for improving the policy 820.

  FIG. 7 is a diagram illustrating an example of interpretation rules. As shown in FIG. 7, the interpretation rule 840 includes an event type 842, an event entity format 843, a determination rule format 844, a search condition 845, and a search method 846.

  The definition of the event type 842 is equivalent to the definition of the event type 812.

  The event entity format 843 indicates the data format of the event entity 813 input to the policy enforcement means.

  The determination rule format 844 indicates the data format of the determination rule 821 included in the policy 820.

  The search condition 845 indicates a condition used when searching the determination rule 821 corresponding to the event entity 813. For example, the condition indicates a rule for applying the event entity 813 whose format is defined by the event entity format 843 to the determination rule 821 whose format is defined by the determination rule format 844.

  A search method 846 indicates a search method executed when the determination rule detection unit 120 searches for the determination rule 821 corresponding to the event entity 813.

  Specifically, when the event type 842 is “mail transmission”, the event entity format 843 indicates that the event entity 813 is a mail transmission source and a mail destination, “transmission source: A, destination: B”. Is. The determination rule format 844 is “transmission source: A, destination: B, determination condition” indicating that the determination rule 821 is the event entity 823 and the determination condition 824. The search condition 845 indicates that the transmission source identifier and the destination identifier indicated by the event entity 813 correspond to the transmission source identifier and the destination identifier of the event entity 823 of the determination rule 821. , Y = B ”. The search method 846 is “FIRST MATCH” indicating that the policy 820 is searched in order and the first matching rule 821 is detected.

  For example, when the event type 842 is “web browsing”, the event entity format 843 is “request source: A, access destination: B” indicating that the event entity 813 is the request source and the access destination of the web page. is there. The determination rule format 844 is “request source: X, access destination: Y, determination condition” indicating that the determination rule 821 is the event entity 823 and the determination condition 824. The search condition 845 indicates that the request source identifier and the access destination identifier indicated by the event entity 813 correspond to the request source identifier and the access destination identifier of the event entity 823 of the determination rule 821. = A, Y = B ". The search method 846 is “NARROWEST RANGE” indicating that the determination rule 821 having the narrowest access destination range is detected.

  This completes the description of each component of the functional unit of the anti-fraud device 100.

  Next, the operation of the present embodiment will be described in detail with reference to FIGS.

  FIG. 8 is a flowchart showing the operation of the present embodiment. Note that the processing according to this flowchart may be executed based on the program control by the CPU 701 described above. Further, the step name of the process is described by a symbol as in S601.

  The policy acquisition unit 110 receives fraud related information 810 from the fraud detection device 103 (step S601). For example, the policy acquisition unit 110 receives the fraud related information 810 via the communication unit 706. The policy acquisition unit 110 may acquire the fraudulent behavior related information 810 input by the operator via the input unit 704 shown in FIG. The policy acquisition unit 110 may acquire the fraud related information 810 recorded on the recording medium 707 via the storage device 703.

  Next, the determination rule detection unit 120 detects the policy forcing means identifier 834 corresponding to the event type 812 based on the policy forcing means list 830, and further acquires the policy 820 based on the policy forcing means identifier 834 ( Step S602). For example, the policy forcing means list 830 may be stored in advance in the storage unit 702 or the storage device 703 shown in FIG. Further, the determination rule detection unit 120 may acquire the policy forcing means list 830 input by the operator via the input unit 704 shown in FIG. Further, the determination rule detection unit 120 may receive the policy enforcement means list 830 from a device (not shown) via the communication unit 706. Further, the determination rule detection unit 120 may acquire the policy forcing means list 830 recorded in the recording medium 707 via the storage device 703.

  Next, the determination rule detection unit 120 detects a determination rule 821 corresponding to the event entity 813 based on the policy 820, the event entity 813, and the interpretation rule 840 (step S603). For example, the interpretation rule 840 referred to in the detection may be stored in advance in the storage unit 702 or the storage device 703 illustrated in FIG. Further, the determination rule detection unit 120 may acquire the interpretation rule 840 input by the operator via the input unit 704 illustrated in FIG. Further, the determination rule detection unit 120 may receive the interpretation rule 840 from a device (not shown) via the communication unit 706. Further, the determination rule detection unit 120 may acquire the interpretation rule 840 recorded in the recording medium 707 via the storage device 703.

  Next, the determination rule detection unit 120 outputs the determination rule 821, the event type 812, and the policy enforcement unit identifier 834 corresponding to the event type 812 detected in step S603 (step S604). For example, the determination rule detection unit 120 may output them to the operator via the output unit 705 shown in FIG. Further, the determination rule detection unit 120 may output them to a device (not shown) via the communication unit 706 shown in FIG. Further, the determination rule detection unit 120 may record them on the recording medium 707 via the storage device 703.

  Note that a means (not shown) of the fraud countermeasure device 100 may output the event type 812 and the policy forcing means identifier 834 corresponding to the event type 812 in association with the determination rule 821 detected in step S603. .

  The above is the description of the operation of the present embodiment.

  The first effect of the present embodiment described above is that the policy can be easily improved.

  The reason is that the determination rule detection unit 120 detects the determination rule 821 corresponding to the event entity 813 based on the policy 820 and the fraud related information 810 acquired from the policy acquisition unit 110, and outputs the detection result. It is because it tried to do.

  For example, the administrator of the information processing system 101 detects a policy enforcement means that requires a policy improvement measure for a suspicious action, and determines which policy decision rule 821 should be improved for the policy enforcement means. By referring to the detection result output from the fraud countermeasure device 100 as described above, it can be easily known.

<<< Second Embodiment >>>
Next, a second embodiment of the present invention will be described in detail with reference to the drawings. Hereinafter, the description overlapping with the above description is omitted as long as the description of the present embodiment is not obscured.

  FIG. 9 is a block diagram showing a configuration of a fraud countermeasure device 200 according to the second embodiment of the present invention.

  Referring to FIG. 9, the fraud countermeasure device 200 according to the present embodiment further includes a policy generation unit 230 as compared with the fraud countermeasure device 100 according to the first embodiment.

  9 may be included in the information processing system 101 illustrated in FIG. 3 instead of the fraud countermeasure device 100 illustrated in FIG.

=== Policy Generation Unit 230 ===
The policy generation unit 230 generates a strict policy corresponding to the determination rule 821 detected by the determination rule detection unit 120 based on the strictness index 864 included in the fraud related information 860 as shown in FIG. ,Output.

  For example, the policy generation unit 230 transmits a policy update instruction including a strict policy to the corresponding policy forcing unit via the communication unit 706. The corresponding policy forcing unit holds the policy 820 acquired by the policy acquisition unit 110. Further, the policy forcing unit changes the policy held by itself based on the strict policy 829 included in the received policy update instruction.

  The policy generation unit 230 may output a strict policy 829 or policy update instruction to the administrator of the information processing system 101 via the output unit 705 illustrated in FIG. In this case, the administrator may change the policy of the corresponding stricting means of the information processing system 101 with reference to the strict policy 829 or the policy update instruction.

  The policy generation unit 230 may output a strict policy 829 or a policy update instruction to a device (not shown) via the communication unit 706 shown in FIG. The policy generation unit 230 may record the strict policy 829 or the policy update instruction on the recording medium 707 via the storage device 703.

=== Fraud Related Information 860 ===
FIG. 10 is a diagram illustrating an example of the fraudulent act related information 860. As illustrated in FIG. 10, the fraudulent activity related information 860 further includes a strictness index 864 compared to the fraudulent activity related information 810.

  For example, the strictness index 864 is an index indicating the degree of strictness when the determination rule 821 corresponding to the event entity 813 is stricter. The strictness index 864 is a probability calculated using, for example, machine learning (such as a neural network or Bayesian estimation). In other words, the strictness index 864 is a probability that the content shown in the event entity 813 is an illegal act.

  The strictness index 864 may be an arbitrary index that indicates the degree of strictness. For example, the strictness index 864 may be a numerical value of a person attribute (previous history, department, etc.) corresponding to the event entity 813. Further, the strictness index 864 may be the importance level of data handled in the event. For example, the strictness index 864 may be a numerical value of the degree of unnaturalness of the event. Alternatively, the strictness index 864 may be a value calculated by arbitrarily combining the above-described probability, digitized person attribute, importance of data, and digitized event unnaturalness.

=== Strict policy 829 ===
FIG. 11 is a diagram illustrating an example of the strict policy 829. As shown in FIG. 11, the structure of the strict policy 829 is equivalent to the policy 820.

  A strict policy 829 illustrated in FIG. 11 illustrates an example in which the determination condition 824 of the determination rule 821 in the policy 820 is tightened to “permitted by self-approval”. In the determination rule 821 in the policy 820, the event entity 823 is “transmission source: CL902 destination: CL911”, and the determination condition 824 is “permitted for detailed log acquisition”.

  FIG. 11 shows an example of a strict policy 829 including only the determination rule 821 corresponding to the strict determination condition 824. The strict policy 829 may include determination rules 821 corresponding to all the determination rules 821 included in the policy 820.

  Next, the operation of the present embodiment will be described in detail with reference to the drawings.

  FIG. 12 is a flowchart showing the operation of the present embodiment. Note that the processing according to this flowchart may be executed based on the program control by the CPU 701 described above. Further, the step name of the process is described by a symbol as in S601.

  Steps S601 to S604 are equivalent to steps S601 to S604 shown in FIG.

  Next, the policy generation unit 230 generates and outputs a strict policy 829 based on the determination rule 821 detected in step S604 and the strictness index 864 (step S605).

  The policy generation unit 230 obtains the determination condition 824 of the strict policy 829 as follows. For example, when the strictness index 864 is a probability, the policy generation unit 230 calculates a value obtained by multiplying the numerical value corresponding to the determination condition 824 of the policy 820 by the strictness index 864. Next, the policy generation unit 230 obtains a determination condition 824 corresponding to the calculated value as the determination condition 824 of the strict policy 829.

  For example, it is assumed that the determination condition 824 and the corresponding numerical value are defined as shown in FIG.

Referring to FIG. 13, when the determination condition 824 of the policy 820 is “permitted for detailed log acquisition”, the corresponding numerical value is “0.8”. Also, referring to FIG. 10, the strictness index 864 is “0.5”. In this case, the policy generation unit 230 calculates 0.8 × 0.5 = 0.64. Next, the policy generation unit 230 obtains “permitted by self-approval” corresponding to 0.64 (nearest) as the determination condition 824 of the strict policy 829. The policy generation unit 230 may obtain a determination condition 824 corresponding to the closest numerical value as a determination condition 824 of the strict policy 829 among values smaller than the calculated value.

  For example, when the strictness index 864 is a numerical value indicating the degree (for example, digitized event unnaturalness), the policy generation unit 230 determines the strictness index from the numerical value corresponding to the determination condition 824 of the policy 820. A value obtained by subtracting 864 may be calculated. Thereafter, the policy generation unit 230 obtains the determination condition 824 of the strict policy 829 in the same manner as when the strict index 864 is a probability.

  Next, a modification of this embodiment will be described.

  The policy generation unit 230 includes information on a range to which the strict policy 829 is applied in the policy change instruction. The range information to be applied is, for example, “determination rule 821 including the same destination identifier”. That is, the applicable range is all mails sent to a certain destination. In this case, the execution of the event can be prevented for all persons. The information of the range to be applied is “all determination rules 821 regarding the person who executed the event”. In other words, the applicable range is all mails that are transmitted from the person who executed the event. In this case, it is possible to prevent a person who has performed an illegal act from executing another illegal activity.

  The first effect of the present embodiment described above is that the policy can be improved more easily in addition to the effect of the first embodiment.

  This is because the policy generation unit 230 generates and outputs a strict policy 829 in which the determination condition 824 of the extracted determination rule 821 is strict.

  That is, if the administrator of the information processing system 101 detects a policy forcing means that requires a policy improvement measure against a suspicious action, and how to improve which decision rule 821 of the policy for the policy forcing means. Whether or not it is good can be easily known by referring to the detection result output from the fraud countermeasure device 200 as described above.

  The second effect of the present embodiment described above is that the number of man-hours for the manager can be reduced.

  This is because the policy generation unit 230 transmits a policy change instruction including the strict policy 829 to the corresponding policy forcing unit.

  The third effect of the present embodiment described above is that policy improvement can be executed more powerfully.

  The reason is that the policy generation unit 230 includes information on a range to which the strict policy 829 is applied in the policy change instruction.

  The fourth effect of the present embodiment described above is that it is possible to prevent an increase in communication load between the fraud countermeasure device 200 and the monitored system 102.

  This is because the policy generation unit 230 generates the strict policy 829 including only the determination rule 821 corresponding to the strict determination condition 824.

  Each component described in each of the above embodiments does not necessarily have to be individually independent. For example, each component may be realized as a module with a plurality of components. In addition, each component may be realized by a plurality of modules. Each component may be configured such that a certain component is a part of another component. Each component may be configured such that a part of a certain component overlaps a part of another component.

  In the embodiments described above, each component and a module that realizes each component may be realized as hardware as necessary. Moreover, each component and the module which implement | achieves each component may be implement | achieved by a computer and a program. Each component and a module that realizes each component may be realized by mixing hardware modules, computers, and programs.

  The program is provided by being recorded in a non-volatile computer-readable recording medium such as a magnetic disk or a semiconductor memory, and is read by the computer when the computer is started up. The read program causes the computer to function as a component in each of the above-described embodiments by controlling the operation of the computer.

  Further, in each of the embodiments described above, a plurality of operations are described in order in the form of a flowchart, but the described order does not limit the order in which the plurality of operations are executed. For this reason, when each embodiment is implemented, the order of the plurality of operations can be changed within a range that does not hinder the contents.

  Furthermore, in each embodiment described above, a plurality of operations are not limited to being executed at different timings. For example, another operation may occur during the execution of a certain operation, or the execution timing of a certain operation and another operation may partially or entirely overlap.

  Furthermore, in each of the embodiments described above, a certain operation is described as a trigger for another operation, but the description does not limit all relationships between the certain operation and the other operations. For this reason, when each embodiment is implemented, the relationship between the plurality of operations can be changed within a range that does not hinder the contents. The specific description of each operation of each component does not limit each operation of each component. For this reason, each specific operation | movement of each component may be changed in the range which does not cause trouble with respect to a functional, performance, and other characteristic in implementing each embodiment.

  As mentioned above, although this invention was demonstrated with reference to each embodiment and an Example, this invention is not limited to the said embodiment and Example. Various changes that can be understood by those skilled in the art can be made to the configuration and details of the present invention within the scope of the present invention.

DESCRIPTION OF SYMBOLS 100 Fraud countermeasure apparatus 101 Information processing system 102 Monitored system 103 Fraud detection apparatus 110 Policy acquisition part 120 Determination rule detection part 230 Policy generation part 700 Computer 701 CPU
702 Storage unit 703 Storage device 704 Input unit 705 Output unit 706 Communication unit 707 Recording medium 810 Fraud related information 812 Event type 813 Event entity 820 Policy 821 Determination rule 823 Event entity 824 Determination condition 829 Strict policy 830 Policy enforcement means list 832 Event type 834 Policy enforcement means identifier 840 Interpretation rules 842 Event type 843 Event entity format 844 Judgment rule format 845 Search condition 846 Search method 860 Fraud related information 864 Strictness indicator

Claims (11)

Policy acquisition means for acquiring a policy including a plurality of determination rules from the monitored system based on the type of event that is an act of using the monitored information processing system;
An information processing apparatus comprising: a determination rule detection unit that detects and outputs the determination rule corresponding to the entity of the event based on the policy and an interpretation rule that defines an interpretation method of the policy. Based on a strict index indicating an index for changing the detected determination rule, including a policy generation means for generating and outputting a strict policy corresponding to the detected determination rule,
The information processing apparatus according to claim 1. The information processing apparatus according to claim 2, wherein the policy generation unit transmits a policy update instruction including the strict policy to the monitored information processing system. The information processing apparatus according to claim 3, wherein the policy update instruction includes information indicating a range to which the strict policy is applied. The strictness index is the probability that the event is fraudulent, the digitized attribute of the person corresponding to the entity, the importance of the data handled in the event, the digitized unnaturalness of the event, or 5. The value according to claim 2, wherein the probability is a value calculated by arbitrarily combining the digitized attribute, the importance, and the digitized unnaturalness. 6. Information processing device. The determination rule detection means detects the determination rule corresponding to the entity by emulating policy enforcement means that uses the policy based on the event entity information indicating the entity and the interpretation rule. The information processing apparatus according to any one of claims 1 to 5, wherein the information processing apparatus is characterized in that: It further includes fraud detection means for generating and outputting fraud information including at least the event type and the entity of the event,
The information processing apparatus according to any one of claims 1 to 6. Based on the type of event that is an act of using the monitored information processing system, obtain a policy including a plurality of determination rules from the monitored system,
A fraud countermeasure countermeasure method that detects and outputs the determination rule corresponding to the entity of the event based on the policy and an interpretation rule that defines an interpretation method of the policy. The fraud countermeasure countermeasure method according to claim 7, wherein a strict policy corresponding to the detected determination rule is generated and output based on a strict index indicating an index for changing the detected determination rule. Based on the type of event that is an act of using the monitored information processing system, a process for obtaining a policy including a plurality of determination rules from the monitored system;
A program for causing a computer to execute processing for detecting and outputting the determination rule corresponding to the substance of the event based on the policy and an interpretation rule that defines an interpretation method of the policy. The computer executes a process of generating and outputting a strict policy corresponding to the detected determination rule based on a strict index indicating an index for changing the detected determination rule. Program.

Images