JP2019028788A - Secret word specifying apparatus, secret word specifying method, and secret word specifying program - Google Patents

Abstract

To improve accuracy in extraction of storage destination of secret information.SOLUTION: A secret word specifying apparatus has a counting unit for counting the number of times of appearance of each of words consisting of a file path character string including any one or more of pre-registered character strings among file path character strings of each of files which a directory stored in a storage apparatus stores, and a specifying unit for, if the number of times of appearance of each of the words satisfies a predetermined condition, specifying each of the words as a word relating to secret information.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a confidential word specifying device, a confidential word specifying method, and a confidential word specifying program.

  In an in-house shared file server, not only a file that can be freely operated by a plurality of users but also a file that stores confidential information with severe restrictions on access (hereinafter referred to as a “confidential file”) is managed. There is. For example, a directory (hereinafter, referred to as “secret directory”) is created for each type of confidential information, and each confidential file is stored in a directory corresponding to the type of confidential information stored in each confidential file.

JP 2009-116680 A JP 2002-334061 A JP 2013-137740 A JP 2007-148946 A JP 2013-191188 A JP 2010-250502 A JP 2012-068833 A JP 2013-191188 A

  Since there is a possibility that access to a confidential file is an unauthorized file access, if the access to the confidential file can be automatically detected based on the access log recorded for each file access, the unauthorized file access can be detected. Can be expected to improve efficiency.

  However, since the confidential information handled in the company may differ depending on the department, it is difficult to identify which of the many directories in the file server is the confidential directory.

  Patent Document 7 proposes to determine a confidential label based on content included in document information. However, since there are various forms of the confidential label included in the file, it is considered that the confidential label cannot be determined. It is done.

  Accordingly, in one aspect, an object of the present invention is to improve the extraction accuracy of a storage destination of confidential information.

In one aspect, the confidential word specifying device includes a file path character string including one or more pre-registered character strings among the file path character strings of each file stored in the directory stored in the storage device. A counting unit for counting the number of appearances of each word constituting
And a specifying unit that specifies each word as a word related to confidential information when the number of appearances of each word satisfies a predetermined condition.

  As one aspect, it is possible to improve the extraction accuracy of the storage destination of confidential information.

It is a figure which shows the system configuration example in 1st Embodiment. It is a figure which shows the hardware structural example of the analyzer 10 in 1st Embodiment. It is a figure which shows the function structural example of the analyzer 10 in 1st Embodiment. It is a figure for demonstrating the outline | summary of the function of the co-occurrence analysis part. It is a flowchart for demonstrating an example of the process sequence for the production | generation of a learning list, and determination of a confidential directory. It is a figure which shows an example of a directory list. It is a figure which shows an example of an initial list. It is a figure for demonstrating an example of the matrix of the analysis result of co-occurrence. It is a figure which shows an example of a learning list. It is a flowchart for demonstrating an example of the process sequence of the extraction process of unauthorized access. It is a figure which shows an example of an access log. It is a figure which shows the function structural example of the analyzer 10 in 2nd Embodiment. It is a figure for demonstrating the production | generation of a cross tabulation table. It is a figure for demonstrating specification of a continuation event. It is a flowchart for demonstrating an example of the process sequence of the production | generation process of a cross tabulation table. It is a figure which shows the structural example of a cross tabulation table. It is a flowchart for demonstrating an example of the process sequence of the specific process of a continuation event. 3 is a diagram illustrating a configuration example of a continuation event storage unit 19. FIG. It is a flowchart for demonstrating an example of the process sequence of the classification process of an access log.

  Hereinafter, a first embodiment will be described based on the drawings. FIG. 1 is a diagram illustrating an example of a system configuration in the first embodiment. In FIG. 1, one or more user terminals 30 such as user terminals 30a, 30b, and 30c (hereinafter referred to as “user terminals 30” when not distinguished from each other) are a LAN (Local Area Network) or an intranet in a certain company. Connected to the file server 20 via the network. Further, the analysis apparatus 10 is also connected to the file server 20 via a network. In the present embodiment, the company is referred to as “company A”.

  In the company A, the file server 20 is one or more computers (storage devices) in which, for example, files shared by a plurality of employees, files managed in an organization in the company A, and the like are stored. A file refers to a file storing electronic data.

  Each user terminal 30 is a terminal that is an access source for a file stored in the file server 20. For example, a PC (Personal Computer), a smartphone, a tablet terminal, or the like may be used as the user terminal 30. The access from the user terminal 30 is periodically or repetitively performed by an access generated at an arbitrary timing by the user operation of the user terminal 30 (hereinafter referred to as “user access”) or a program installed in the user terminal 30. There are mechanical accesses that occur (hereinafter referred to as “machine access”). Examples of machine access include access for periodic backup of files and access by a file search function. For example, an access having the following characteristics is assumed as an example of a machine access. The generation timing is regular (several times a day, once a half day, etc.) and short time (1 minute, 10 minutes, etc.). The number of accesses to one file is one time. For access that occurs in a short time, the access source IP address is the same. However, there is a possibility that the access source IP address is different at each occurrence timing, such as when a different IP address is assigned to the user terminal 30 every day.

  On the other hand, as an example of user access, there is access for browsing and editing files. Note that examples of unauthorized user access include file browsing by impersonation and access for falsification of a file.

  The analysis device 10 is one or more computers that support detection of unauthorized access to a file based on a log (hereinafter referred to as “access log”) recorded for each access to the file in the file server 20. In the present embodiment, the analysis apparatus 10 determines a directory (hereinafter referred to as “confidential directory”) for storing a confidential file from a path character string of a file storing confidential information (hereinafter referred to as “confidential file”). A process for extracting a keyword for identification is performed. The analysis apparatus 10 further specifies a confidential directory based on the keyword, and extracts an access log related to file access under the confidential directory from an access log group related to past file access.

  FIG. 2 is a diagram illustrating a hardware configuration example of the analysis apparatus 10 according to the first embodiment. The analysis apparatus 10 in FIG. 2 includes a drive device 100, an auxiliary storage device 102, a memory device 103, a CPU 104, an interface device 105, and the like that are mutually connected by a bus B.

  A program for realizing processing in the analysis apparatus 10 is provided by the recording medium 101. When the recording medium 101 on which the program is recorded is set in the drive device 100, the program is installed from the recording medium 101 to the auxiliary storage device 102 via the drive device 100. However, the program need not be installed from the recording medium 101 and may be downloaded from another computer via a network. The auxiliary storage device 102 stores the installed program and also stores necessary files and data.

  The memory device 103 reads the program from the auxiliary storage device 102 and stores it when there is an instruction to start the program. The CPU 104 executes a function related to the analysis device 10 according to a program stored in the memory device 103. The interface device 105 is used as an interface for connecting to a network.

  An example of the recording medium 101 is a portable recording medium such as a CD-ROM, a DVD disk, or a USB memory. An example of the auxiliary storage device 102 is an HDD (Hard Disk Drive) or a flash memory. Both the recording medium 101 and the auxiliary storage device 102 correspond to computer-readable recording media.

  FIG. 3 is a diagram illustrating a functional configuration example of the analysis apparatus 10 according to the first embodiment. In FIG. 3, the analysis apparatus 10 includes a co-occurrence analysis unit 11 and an unauthorized access extraction unit 12. Each of these units is realized by processing executed by the CPU 104 by one or more programs installed in the analysis apparatus 10. The analysis apparatus 10 also uses a confidential word storage unit 13, a confidential directory list storage unit 14, an unauthorized access candidate storage unit 15, and the like. Each of these storage units can be realized using, for example, a storage device that can be connected to the auxiliary storage device 102 or the analysis device 10 via a network.

  The secret word storage unit 13 stores an initial list in an initial state. The initial list is a list of secret words (confidential words) set in advance among character strings such as words (hereinafter referred to as “confidential words”) that are highly likely to be related to the confidential information. The secret word storage unit 13 also stores a learning list. The learning list is a list of secret words that have been learned (estimated) as secret words from the file path character string of each file stored in the file server 20.

  The co-occurrence analysis unit 11 extracts, for each directory of the file server 20, a word that appears along with the confidential word included in the initial list from the file path character string of each file stored in the directory. The number of occurrences of the word is counted (counted). When the number of appearances of the word satisfies a predetermined condition (for example, when the number of words is large and the number of appearances of each word is large), the word is added to the learning list as a learned confidential word. Is done.

  The co-occurrence analysis unit 11 determines (extracts) a directory that satisfies the predetermined condition as a “confidential directory”.

  FIG. 4 is a diagram for explaining the outline of the function of the co-occurrence analysis unit 11. In FIG. 4, a directory structure in the file server 20 is illustrated in a rectangle indicating the file server 20. In the directory structure, there are a “other company information (secret) directory”, an “external material” directory, and a “other company product introduction” directory under the “Y project” directory. The files shown in FIG. 4 are stored under each of these directories.

  Further, FIG. 4 shows that the secret words constituting the initial list are “secret” and “other company”.

  In such a situation, the co-occurrence analysis unit 11 causes the words constituting the file path character strings of the three files stored in the “Y project / other company information (secret)” directory as shown in the matrix M1. Count the number of co-occurrence with each confidential word. For example, in the matrix M1, the number of co-occurrence of “secret” and “information” is 4. This is twice for "Y project / other company information (secret) / company A transaction information.xls", once for "Y project / other company information (secret) / B company ordering budget.xls", "Y project / other company information. This is because one occurrence of co-occurrence occurs in “Information (secret) / Company C intellectual property material.xls”, and the total of these is four times.

  For the “Y project / external document” directory, the number of co-occurrence is counted as shown in the matrix M2, and for the “Y project / other company product introduction” directory, the number of co-occurrence is counted as shown in the matrix M3. The

  The co-occurrence analysis unit 11 determines the confidential directory based on the count results of the matrices M1, T2, and T3. The example of FIG. 4 shows an example in which the “Y project / other company information (secret)” directory is determined as a confidential directory. In this case, the list of each word constituting the column in the matrix M1 is stored in the confidential word storage unit 13 in association with the directory as a learning list for the “Y project / other company information (secret)” directory. That is, the learning list is generated for each directory that is determined to be a confidential directory.

  The unauthorized access extraction unit 12 selects an access log corresponding to access to a file belonging to the confidential directory from access logs recorded for each access to each file stored in the file server 20 as candidates for unauthorized access. And the extracted access log is stored in the unauthorized access candidate storage unit 15.

  Hereinafter, a processing procedure executed by the analysis apparatus 10 will be described. FIG. 5 is a flowchart for explaining an example of a processing procedure for generating a learning list and determining a confidential directory.

  In step S101, the co-occurrence analysis unit 11 stores a list of directory path character strings (path names) stored in (formed in) the file server 20 (hereinafter referred to as “directory list”) as a file. Obtain from the server 20.

  FIG. 6 is a diagram illustrating an example of a directory list. As shown in (1) of FIG. 6, the directory list is a list of directory path character strings. (1) in FIG. 6 corresponds to a directory list corresponding to the directory structure as shown in (2) in FIG. The directory list does not include the file path string. In (2), the fact that the file is indicated by a broken line represents this. In (1), the # column is an identifier given to each path character string for convenience. Further, the directory list may include path character strings of all directories in the file server 20, for example, include path character strings of some directories selected as analysis targets by an analyst or the like. Also good.

  Subsequently, the co-occurrence analysis unit 11 acquires one path character string in the directory list as a processing target (S102). The directory related to the path character string is hereinafter referred to as “target directory”. Note that path character strings that have already been processed in step S104 and subsequent steps are excluded from acquisition targets.

  When the path character string cannot be acquired (that is, when processing is performed for all the path character strings included in the directory list) (No in S103), the processing procedure of FIG. 5 ends. If the path character string can be acquired (Yes in S103), the co-occurrence analysis unit 11 acquires a list of file path character strings (file path names) of the files stored under the target directory from the file server 20. (S104). When the list is not acquired (that is, when a file is not stored under the target directory) (No in S105), the process returns to step S102.

  When the list is acquired (Yes in S105), the co-occurrence analysis unit 11 has already generated a learning list corresponding to the target directory (hereinafter referred to as “target learning list”) (corresponding to the target directory). Whether or not the learning list to be stored is stored in the confidential word storage unit 13) (S106). As described above, the learning list is generated for each directory, and is stored in the confidential word storage unit 13 in association with identification information (for example, a path character string) of each directory, for example.

  When the target learning list is not stored in the confidential word storage unit 13 (No in S106), the co-occurrence analysis unit 11 reads a list of confidential words from the initial list (S107). Therefore, when step S108 is first executed for the target directory, the secret word is read from the initial list.

  FIG. 7 is a diagram illustrating an example of the initial list. As shown in FIG. 7, the initial list is a list of character strings set in advance as character strings (words) that are highly likely to be related to confidential information.

  On the other hand, when the target learning list is stored in the confidential word storage unit 13 (Yes in S106), the co-occurrence analysis unit 11 reads a list of confidential words from the target learning list.

  Hereinafter, the list of confidential words read in step S107 or S108 is referred to as “target confidential word list”.

  Subsequently, the co-occurrence analysis unit 11 acquires one unprocessed file path character string as a processing target from the list of file path character strings acquired in step S104 (S109). “Unprocessed” means that the processing is not performed for step S110 and subsequent steps. The obtained file path character string is hereinafter referred to as “target file path character string”.

  Subsequently, the co-occurrence analysis unit 11 decomposes the target file path character string into words using morphological analysis or the like (S110). Subsequently, the co-occurrence analysis unit 11 determines that there is a confidential word that matches one of the words decomposed from the target file path character string among the confidential words included in the target confidential word list (that is, the target file). If the path character string includes the confidential word), each word other than the word that matches the confidential word in the word group constituting the target file path character string (that is, the confidential word The number of occurrences (co-occurrence number) of (co-occurrence words) is counted (specified), and the count result is stored in, for example, the memory device 103 (S111).

  Subsequently, the co-occurrence analysis unit 11 determines whether all file path character strings included in the list of file path character strings have been processed (S112). When there is an unprocessed file path character string (No in S112), Step S109 and subsequent steps are repeated.

  When all the file path character strings have been processed (Yes in S112), the co-occurrence analysis unit 11 determines that the confidential word that matches any word in Step S111 (the confidential word included in any file path character string) ) As a row, a co-occurrence word with one of the confidential words as a column, and the total number of co-occurrence times of the confidential word in each row with the co-occurrence word in each column (ie, co-occurrence counted by file path string) A matrix (hereinafter referred to as “target matrix”) whose elements are the sum of the number of times is generated (S113).

  FIG. 8 is a diagram for explaining an example of a co-occurrence analysis result matrix. The matrix shown at the top in FIG. 8 corresponds to the matrix M1 in FIG. FIG. 8 shows that a matrix indicating the co-occurrence analysis result is generated for each directory, and a plurality of matrices shown in FIG. 8 are generated by executing step S113 once. It doesn't mean that.

  Subsequently, the co-occurrence analysis unit 11 calculates the density of the target matrix (S114). The density may be calculated by, for example, the following formula or may be calculated based on another formula.

  Subsequently, the co-occurrence analysis unit 11 determines whether or not the density is equal to or higher than a preset threshold value (S115). That is, in the present embodiment, whether or not the density is equal to or higher than a threshold is an example of whether or not the number of appearances of each word satisfies a predetermined condition.

  If the density is less than the threshold (No in S115), the process returns to step S102. If the density is equal to or higher than the threshold (Yes in S115), the co-occurrence analysis unit 11 stores the path character string of the target directory in the confidential directory list storage unit 14 (S116). That is, the target directory is determined (estimated) as a confidential directory.

  Subsequently, the co-occurrence analysis unit 11 stores the word that is a co-occurrence word of any confidential word (that is, the word constituting the column of the target matrix generated in step S113) in the confidential word storage unit 13. It adds to the learning list for the stored target directory (S117), and repeats step S102 and subsequent steps. However, when the learning list for the target directory has not been generated, the co-occurrence analysis unit 11 includes a word that is a co-occurrence word of any confidential word and each confidential word included in the initial list. A learning list is generated, and the learning list is stored in the confidential word storage unit 13 in association with the identification information of the target directory.

  FIG. 9 is a diagram illustrating an example of a learning list. In the learning list shown in FIG. 9, each word constituting the column of the matrix in FIG. 8 is added as a confidential word to the initial list shown in FIG.

  Note that the processing procedure of FIG. 5 may be executed at a plurality of timings, such as periodically. By doing so, each learning list can be updated as new files or directories are added.

  FIG. 10 is a flowchart for explaining an example of the processing procedure of unauthorized access extraction processing.

  In step S <b> 201, the unauthorized access extraction unit 12 acquires one of the path character strings of the confidential directory stored in the confidential directory list storage unit 14. The acquired path string is hereinafter referred to as “target path string”.

  Subsequently, the unauthorized access extraction unit 12 acquires, from the file server 20, for example, one row of access logs in an access log within a certain period (S 202).

  FIG. 11 is a diagram illustrating an example of an access log. As shown in FIG. 11, the access log includes values of items such as an access source IP, an access time, an access destination path, and an operation for each access to any file. The access source IP is an IP address of the access source user terminal 30 or the like. The access time is information indicating the access time such as the date and time when the access occurred. The access destination path is a path character string of a file to be accessed. The operation is information indicating the type of operation performed on the file to be accessed. For example, Read (reference), Write (write), Delete (deletion), Read-failure (reference failure), Write-failure (write failure), Delete-failure (deletion failure), and the like may be recorded as operations.

  In step S202, one line of the access log group as shown in FIG. 11 is acquired. The acquired access log is hereinafter referred to as “target log”.

  Subsequently, the unauthorized access extraction unit 12 determines whether or not the target path character string is included in the access destination path of the target log (S203). When the target path character string is included in the access destination path of the target log (Yes in S203), the unauthorized access extraction unit 12 stores the target log in the unauthorized access candidate storage unit 15 (S204). That is, the access related to the target log is determined as a candidate for unauthorized access.

  On the other hand, when the target path character string is not included in the access destination path of the target log (No in S203), the unauthorized access extraction unit 12 determines whether all access logs within a certain period have been acquired. (S205) When there is an access log that has not been acquired (No in S205), Step S202 and subsequent steps are repeated. When all access logs have been acquired (Yes in S205), the unauthorized access extraction unit 12 determines whether all path character strings stored in the confidential directory list storage unit 14 have been acquired (S206). . If there is a path character string that has not been acquired (No in S206), Step S201 and subsequent steps are repeated. When all the path character strings have been acquired (Yes in S206), the processing procedure in FIG. 10 ends.

  In step S203, it may be determined whether the target path character string matches the access destination path of the target log.

  As described above, according to the first embodiment, based on the confidential word set as the initial value, a new confidential word is learned (extracted) from the file path character string of each file of the file server 20, Based on these secret words, secret directories can be identified or inferred. Therefore, according to the second embodiment, it is possible to improve the extraction accuracy of the storage destination of confidential information.

  Also, the secret word is learned for each directory. Therefore, even when the confidential word varies depending on the directory, such as when the confidential information handled by the company A is different depending on the department, the confidential word can be appropriately specified.

  Further, by extracting an access log indicating access to a file stored in the confidential directory, an analyst or the like can narrow down an access log to be analyzed, and can improve analysis work efficiency.

  Next, a second embodiment will be described. In the second embodiment, differences from the first embodiment will be described. In the second embodiment, points that are not particularly mentioned may be the same as those in the first embodiment.

  Access to the file stored in the file server 20 includes machine access in addition to user access.

  If the confidential directory is not subject to machine access, the machine access to the confidential directory is likely to be unauthorized access such as file scanning by malware. In this case, if the access log to be processed in the unauthorized access extraction process by the unauthorized access extraction unit 12 is limited to the access log related to machine access, it can be expected to improve the processing efficiency of the extraction process. For this purpose, it is necessary to be able to automatically detect machine access to files under the confidential directory.

  Therefore, in the second embodiment, an example in which the analyzer 10 can automatically detect machine access will be described.

  FIG. 12 is a diagram illustrating a functional configuration example of the analysis apparatus 10 according to the second embodiment. In FIG. 12, the same parts as those of FIG. In FIG. 12, the analysis apparatus 10 divides the access log group into an access log with a high possibility of machine access (hereinafter referred to as “machine access candidate log”) and an access log with a high possibility of user access (hereinafter referred to as “user”). In addition, a cross tabulation table generation unit 16, a continuation event identification unit 17, an access log classification unit 18, and the like are included. Each of these units is realized by processing executed by the CPU 104 by one or more programs installed in the analysis apparatus 10. The analysis apparatus 10 further uses the continuation event storage unit 19. The continuation event storage unit 19 can be realized by using, for example, a storage device that can be connected to the auxiliary storage device 102 or the analysis device 10 via a network.

  For example, the cross tabulation table generation unit 16 generates a cross tabulation table for each period of a predetermined cycle (for example, one day) for access logs recorded in a predetermined period such as the past week. The cross tabulation table is a table in which an ordered set (time series set) of access destination file path character strings per unit time (for example, 30 minutes) is classified by access source.

  FIG. 13 is a diagram for explaining generation of a cross tabulation table. FIG. 13 shows an example in which an access log group for one week is divided every day, and a cross tabulation table is generated for each day's access log group. The lower table in FIG. 13 shows a cross tabulation table. The rows of the cross tabulation table are distinguished for each access source, and the columns are distinguished for each unit time. An ellipse in any cell of the cross tabulation table indicates an ordered set extracted with respect to the access source and unit time related to the cell. Therefore, in FIG. 13, an example in which ordered sets s1 and s2 are extracted from the access log groups for each day from the first day to the seventh day, and an ordered set s3 is further extracted from the access log groups on and after the third day. It is shown. In addition, the same code | symbol is attached | subjected to the ordered set with the same content.

  The continuation event specifying unit 17 compares the ordered sets of the respective cross tabulation tables (each day), so that the ordered set that appears continuously (repeatedly) on each day (that is, appears in a daily cycle). Specified ordered set). A set of ordered sets continuing on each day is hereinafter referred to as a “continuation event”. The continuation event specifying result is stored in the continuation event storage unit 19.

  FIG. 14 is a diagram for explaining identification of a continuation event. In FIG. 14, ordered sets having the same contents are connected by lines. Here, the ordered sets s1 and s2 appear on each day of one week. Therefore, the ordered sets s1 and s2 are specified as continuation events.

  The access log classification unit 18 classifies each access log into a machine access candidate log or a user access candidate log based on the continuation event stored in the continuation event storage unit 19.

  Hereinafter, a processing procedure executed by the analysis apparatus 10 will be described. FIG. 15 is a flowchart for explaining an example of the processing procedure of the cross tabulation table generation processing.

  In step S301, the cross tabulation table generation unit 16 acquires the setting of the analysis target period. The analysis target period is a period for specifying an access log to be analyzed, and is specified by, for example, a start date and an end date of the period. One week in FIG. 13 corresponds to the analysis target period. The analysis target period may be set in advance or may be input by the user at the timing of step S301.

  Subsequently, the cross tabulation table generation unit 16 acquires the setting of a period (hereinafter referred to as “generation period”) as a generation unit of the cross tabulation table (S302). One day in FIG. 13 corresponds to the generation period. The generation period may be set in advance or may be input by the user at the timing of step S302. Note that the generation period may be set based on a cycle in which machine access occurs. For example, if the machine access is scheduled to occur every two days, the generation period may be set to two days.

  Subsequently, the cross tabulation table generation unit 16 substitutes 1 for the variable i (S303). In FIG. 15, a variable i is a variable for storing the order of generation periods to be processed.

  Subsequently, the cross tabulation table generation unit 16 reads the access log group (FIG. 11) for the i-th generation period from the file server 20 (S304).

  In step S304, an access log group whose access time is included in the i-th generation period (hereinafter referred to as “target access log group”) is read.

  Subsequently, the cross tabulation table generation unit 16 specifies the type of access source IP and the type of unit time of each access log included in the target access log group, and generates an empty cross tabulation table (S305). ). Hereinafter, the generated cross tabulation table is referred to as “target cross tabulation table”. Specifying the type of unit time means specifying a unit time including an access time of one or more access logs among a plurality of unit times dividing the i-th generation period. The generated cross tabulation table uses the specified type of access source IP address as a row and the specified type of unit time as a column.

  Subsequently, the cross tabulation table generation unit 16 generates an ordered set of access destination paths for each unit time for each access source IP for the target access log group (S306). When a plurality of access destination paths are included in one ordered set, the plurality of access destination paths are arranged in ascending order of access times (that is, in time series).

  Subsequently, the cross tabulation table generation unit 16 registers each generated ordered set in a cell corresponding to the access source IP and unit time of each ordered set in the target cross tabulation table (S307). Subsequently, the cross tabulation table generation unit 16 stores the target cross tabulation table in the memory device 103 or the auxiliary storage device 102 (S308).

  FIG. 16 is a diagram illustrating a configuration example of a cross tabulation table. As shown in FIG. 16, in the cross tabulation table, an ordered set of access destinations for each unit time is registered for each access source IP. The cross tabulation table shown in FIG. 16 is a cross tabulation table based on the access log group for the generation period for one day on April 1.

  Subsequently, the cross tabulation table generation unit 16 determines whether all access logs in the target analysis period have been read (S309). When there is an access log that has not been read yet (No in S309), the cross tabulation table generation unit 16 adds 1 to i (S310), and repeats Step S304 and subsequent steps. When all the access logs have been read (Yes in S309), the cross tabulation table generation unit 16 ends the processing procedure of FIG.

  By executing the processing procedure of FIG. 15, a cross tabulation table is generated for each generation period included in the target analysis period.

  FIG. 17 is a flowchart for explaining an example of the processing procedure of the continuation event specifying process.

  In step S401, the continuation event specifying unit 17 substitutes 1 for a variable i. In FIG. 17, a variable i is a variable for storing the order of the cross tabulation table to be processed (attention). The order of the cross tabulation table follows the context of the generation period of the cross tabulation table. That is, the cross tabulation table whose generation period is relatively earlier is the previous in the order.

  Subsequently, the continuation event specifying unit 17 determines whether or not the value of i is equal to or less than the number N of the cross tabulation tables generated for the target analysis period (S402). When the value of i is N or less (Yes in S402), the continuation event specifying unit 17 extracts one unprocessed ordered set from the i-th cross tabulation table (S403). Here, “unprocessed” means that steps S404 to S407 are not processed. Hereinafter, the ordered set extracted in step S403 is referred to as “target ordered set”.

  Subsequently, the continuation event specifying unit 17 compares the target ordered set with the ordered set of each group (S404). The group here means a group formed by classifying each ordered set based on the identity of the ordered set (arrangement order of access destination paths) in step S406 or S407 described later. Does not exist at the start of processing. Therefore, if at least i = 1 and the target ordered set is the first extracted ordered set, there is no group to which the ordered set that matches the target ordered set belongs.

  When there is no group to which the ordered set that matches the target ordered set belongs (No in S405), the continuation event specifying unit 17 generates a new group and includes the target ordered set in the group (S406). On the other hand, when there is a group to which the ordered set that matches the target ordered set belongs (Yes in S405), the continuation event specifying unit 17 includes the target ordered set in the group (S407).

  When steps S403 to S408 are executed for all ordered sets included in the i-th cross tabulation table (Yes in S408), the continuation event specifying unit 17 adds 1 to the variable i (S409), S402 and subsequent steps are repeated. When the value of the variable i exceeds the number N of the cross tabulation table (No in S402), the process proceeds to step S410. At this time, each ordered set of each cross tabulation table is classified into a plurality of groups.

  In step S410, the continuation event specifying unit 17 determines whether there is a group to which the ordered set extracted from all the cross tabulation tables belongs. That is, it is determined whether or not there is a group to which the ordered set that appears on each day (each generation cycle) belongs.

  When there are one or more corresponding groups (Yes in S410), the continuation event specifying unit 17 stores the ordered set belonging to each group in the continuation event storage unit 19 (S411). That is, the ordered set of each group is specified as a continuation event. This is because the ordered set of each group appears periodically continuously.

  FIG. 18 is a diagram illustrating a configuration example of the continuation event storage unit 19. As illustrated in FIG. 18, the continuation event storage unit 19 stores a continuation event ID, an ordered set, a corresponding portion in the cross tabulation table, and the like for each continuation event.

  The continuation event ID is identification information assigned for each continuation event. The ordered set is an ordered set identified as a continuation event. The corresponding part in the cross tabulation table is information indicating a part where the ordered set appears in the cross tabulation table. In FIG. 18, the corresponding part in the cross tabulation table includes items such as a generation period, an access source IP, and a unit time. The generation period is a generation period of the cross tabulation table in which the ordered set appears. The access source IP is an item for specifying a row including the ordered set in the cross tabulation table. The unit time is an item for specifying a column including the ordered set in the cross tabulation table.

  In the comparison of the ordered sets in step S404, the comparison result as “match” may be output not only in the case of complete match but also in the case of similarity. That is, not only completely matched ordered sets but also similar ordered sets may be classified into the same group. For example, the compared ordered sets may be determined to be similar when the access destination paths of a predetermined ratio or more of the access destination paths included in the ordered set match. In this case, it may be required to be similar to all ordered sets in the group, or may be required to be similar to any M or more ordered sets.

  In step S410, for example, it may be determined whether or not there is a group to which an ordered set extracted from a cross tabulation table having a predetermined ratio or more with respect to all the cross tabulation tables belongs. Alternatively, the presence / absence of a group to which an ordered set appearing in the cross tabulation table at substantially constant intervals may be determined. For example, an ordered set whose appearance interval is 2, such as first, third, and fifth, corresponds to an ordered set that appears in the cross tabulation table at a substantially constant interval.

  FIG. 19 is a flowchart for explaining an example of the processing procedure of the access log classification processing.

  In step S501, the access log classification unit 18 reads all continuation events stored in the continuation event storage unit 19. Subsequently, the access log classification unit 18 reads one access log whose access time is included in the analysis target period from the file server 20 (S502). Hereinafter, the read access log is referred to as “target log”.

  Subsequently, the access log classification unit 18 determines whether or not there is a continuation event in which the target period and unit time include the access time of the target log and the access source IP matches the access source IP of the target log (S503). That is, it is determined whether or not the target log is an access log that constitutes one of the continuation events.

  If there is a corresponding continuation event (Yes in S503), the access log classification unit 18 classifies the target log as a machine access candidate log (S504). If there is no corresponding continuation event (No in S503), the access log classification unit 18 classifies the target log as a user access candidate log (S505). Note that the access log classified as the machine access candidate log and the access log classified as the user access candidate log may be stored in different folders in the auxiliary storage device 102 of the analyzer 10, for example.

  Steps S501 to S505 are executed for all access logs within the analysis target period (S506).

  As described above, according to the second embodiment, the access log group can be classified into a user access candidate log and a machine access candidate log. Therefore, for example, when it is desired to detect unauthorized access for machine access, processing efficiency can be improved by limiting the access log acquired in step S202 of FIG. 10 to the machine access candidate log.

  Further, in the second embodiment, in order to focus on whether or not a similar ordered set continues to appear as to whether or not it is machine access, access that does not occur regularly (that is, periodicity or repetition) The access log related to (access without sex) can be excluded from the machine access candidate log.

  Further, in the second embodiment, attention is paid to the order in which accesses occur, and therefore machine accesses whose access times are not strictly constant can be determined to be machine accesses.

  In each of the above embodiments, the analysis device 10 is an example of a confidential word specifying device. The co-occurrence analysis unit 11 is an example of a counting unit and a specifying unit. The unauthorized access extraction unit 12 is an example of an extraction unit.

  Although the embodiments of the present invention have been described in detail above, the present invention is not limited to such specific embodiments, and various modifications can be made within the scope of the gist of the present invention described in the claims. Deformation / change is possible.

Regarding the above description, the following items are further disclosed.
(Appendix 1)
Counts the number of occurrences of each word constituting a file path character string including one or more of pre-registered character strings among the file path character strings of each file stored in the directory stored in the storage device A counting unit;
A specifying unit that specifies each word as a word related to confidential information when the number of appearances of each word satisfies a predetermined condition;
A secret word identification device characterized by comprising:
(Appendix 2)
The specifying unit specifies the directory as a directory for storing files including confidential information when the number of appearances of each word satisfies a predetermined condition.
The confidential word identification device according to supplementary note 1, wherein:
(Appendix 3)
An extraction unit for extracting a log indicating access to a file stored in the directory specified by the specifying unit from logs recorded for each access to the file stored in the storage device;
The classified word identification device according to supplementary note 2, characterized by comprising:
(Appendix 4)
The counting unit includes, for each directory stored in the storage device, one of at least one character string registered in advance as a keyword related to confidential information among the file path character strings of each file stored in the directory. Count the number of occurrences of each word that makes up the file path string,
The specifying unit specifies each word as a word related to confidential information when the number of appearances of each word related to the directory satisfies a predetermined condition for each directory.
4. The classified word identification device according to any one of supplementary notes 1 to 3, wherein:
(Appendix 5)
Counts the number of occurrences of each word constituting a file path character string including one or more of pre-registered character strings among the file path character strings of each file stored in the directory stored in the storage device Processing,
A process of specifying each word as a word related to confidential information when the number of occurrences of each word satisfies a predetermined condition;
A secret word specifying method, wherein the computer executes
(Appendix 6)
The specifying process specifies the directory as a directory for storing files including confidential information when the number of appearances of each word satisfies a predetermined condition.
The method for identifying confidential words according to supplementary note 5, characterized in that:
(Appendix 7)
A process of extracting a log indicating access to a file stored in the directory specified in the specified process from logs recorded for each access to the file stored in the storage device;
The secret word identification method according to appendix 6, wherein the computer executes
(Appendix 8)
For each directory stored in the storage device, the counting process is performed by calculating one of one or more character strings registered in advance as keywords related to confidential information, from among the file path character strings of each file stored in the directory. Count the number of occurrences of each word that comprises the file path string
The specifying process specifies each word as a word related to confidential information when the number of appearances of each word related to the directory satisfies a predetermined condition for each directory.
8. The classified word specifying method according to any one of appendices 5 to 7, wherein:
(Appendix 9)
Counts the number of occurrences of each word constituting a file path character string including one or more of pre-registered character strings among the file path character strings of each file stored in the directory stored in the storage device Processing,
A process of specifying each word as a word related to confidential information when the number of occurrences of each word satisfies a predetermined condition;
A secret word identification program characterized by causing a computer to execute
(Appendix 10)
The specifying process specifies the directory as a directory for storing files including confidential information when the number of appearances of each word satisfies a predetermined condition.
The confidential word identification program according to supplementary note 9, characterized in that:
(Appendix 11)
A process of extracting a log indicating access to a file stored in the directory specified in the specified process from logs recorded for each access to the file stored in the storage device;
The secret word specifying program according to appendix 10, wherein the computer is executed.
(Appendix 12)
For each directory stored in the storage device, the counting process is performed by calculating one of one or more character strings registered in advance as keywords related to confidential information, from among the file path character strings of each file stored in the directory. Count the number of occurrences of each word that comprises the file path string
The specifying process specifies each word as a word related to confidential information when the number of appearances of each word related to the directory satisfies a predetermined condition for each directory.
The confidential word specifying program according to any one of appendices 9 to 11, characterized in that:

DESCRIPTION OF SYMBOLS 10 Analysis apparatus 11 Co-occurrence analysis part 12 Unauthorized access extraction part 13 Confidential word memory | storage part 14 Confidential directory list memory | storage part 15 Unauthorized access candidate memory | storage part 16 Cross tabulation table generation part 17 Continuation event specification part 18 Access log classification | category part 19 Continuation event Storage unit 20 File server 30 User terminal 100 Drive device 101 Recording medium 102 Auxiliary storage device 103 Memory device 104 CPU
105 Interface device B bus

Claims (6)

Counts the number of occurrences of each word constituting a file path character string including one or more of pre-registered character strings among the file path character strings of each file stored in the directory stored in the storage device A counting unit;
A specifying unit that specifies each word as a word related to confidential information when the number of appearances of each word satisfies a predetermined condition;
A secret word identification device characterized by comprising: The specifying unit specifies the directory as a directory for storing files including confidential information when the number of appearances of each word satisfies a predetermined condition.
The confidential word specifying device according to claim 1. An extraction unit for extracting a log indicating access to a file stored in the directory specified by the specifying unit from logs recorded for each access to the file stored in the storage device;
The classified word identifying device according to claim 2, further comprising: For each directory stored in the storage device, the counting unit selects one of one or more character strings registered in advance as keywords related to confidential information, among file path character strings of each file stored in the directory. Count the number of occurrences of each word that comprises the file path string
The specifying unit specifies each word as a word related to confidential information when the number of appearances of each word related to the directory satisfies a predetermined condition for each directory.
The confidential word specifying device according to any one of claims 1 to 3. Counts the number of occurrences of each word constituting a file path character string including one or more of pre-registered character strings among the file path character strings of each file stored in the directory stored in the storage device Processing,
A process of specifying each word as a word related to confidential information when the number of occurrences of each word satisfies a predetermined condition;
A secret word specifying method, wherein the computer executes Counts the number of occurrences of each word constituting a file path character string including one or more of pre-registered character strings among the file path character strings of each file stored in the directory stored in the storage device Processing,
A process of specifying each word as a word related to confidential information when the number of occurrences of each word satisfies a predetermined condition;
A secret word identification program characterized by causing a computer to execute

Images