JP5913275B2 - Information protection terminal, information protection method, information protection terminal program - Google Patents

Description

  The present invention relates to an information protection terminal, an information protection method, and an information protection terminal program that appropriately restrict access from an application to a file containing personal information.

  In recent years, various services are provided to users by connecting a mobile terminal connected to a public network to a Web server or the like. In particular, with the advent of smartphones (high-function mobile phones), it has become possible to perform advanced services that have been provided for personal computers with mobile phones.

  On the other hand, when using various services, personal information is input to a terminal, and communication and payment are performed on the web using the information. While registration of personal information increases convenience, it can be said that it bears the risk of storing important information on the terminal.

  In response to such a problem, a personal information protection method that can prevent transmission of personal information unintended by the user when accessing the web is disclosed.

  According to Patent Document 1, when the mobile phone device 10 selects a transition from a website being browsed to another website associated therewith, the identifier determination unit 31 performs a transition to another website. It is determined with reference to the parameter DB 24 whether or not the URL of the transition source website to be added includes information that is transmitted without the user's recognition and may identify an individual. When the result of the determination is affirmative, the first creation unit 32 creates, as reference source information, information obtained by deleting the personal information from the URL. A configuration is disclosed in which the transition means 34 adds the reference source information, designates the URL of the transition destination website, and issues an access request.

JP 2008-71262 A

  However, the method described in Patent Document 1 has a configuration that keeps in mind the transition of a web browser that performs HTTP communication, and if there is unauthorized access by virus software, or if a user mistakenly accesses file sharing software, When a personal information file is included in the sharing range, there is a problem that not all programs connected to the web are covered.

  Therefore, the inventor of the present invention stores each file containing personal information in association with an application that properly handles it, and when other applications attempt to access a file containing personal information, We focused on preventing access to personal information that the user did not expect by blocking.

  In addition, the inventor of the present invention pays attention to the fact that applications such as address books and mail software and files storing personal information used in them are highly common if the platform is the same, and information protection is applied to common patterns. We focused on the fact that it is possible to efficiently set the protection without bothering the user by storing it in the server and inquiring each terminal.

  In view of these problems, the present invention specifies each file containing personal information and an application that permits access to the file, and when detecting access from the application to a file containing personal information, If it is not a permitted application, an object is to provide an information protection terminal, an information protection method, and an information protection terminal program that appropriately protect personal information by blocking the access.

  The present invention provides the following solutions.

The invention according to the first feature is an information protection terminal that is communicably connected to an information protection server and monitors access to a file containing personal information in real time,
File information inquiry means for transmitting platform information to the information protection server and inquiring the information protection server for information necessary for specifying a file including the personal information;
Application information inquiry means for sending platform information to the information protection server and inquiring the information protection server for information necessary for specifying an accessible application for the file containing the specified personal information;
Of the files stored in the information protection terminal, personal information file specifying means for specifying a file containing the personal information,
Permitted application specifying means for specifying an accessible application for each of the files including the specified personal information,
File access detection means for detecting access from an application to a file containing the specified personal information;
If the detected access is not an access from the accessible application, file access blocking means for blocking the access;
An information protection terminal is provided.

According to the first aspect of the invention, the information protection terminal that is communicably connected to the information protection server and monitors access to a file containing personal information in real time transmits platform information to the information protection server, Inquiring the information protection server for information necessary for specifying the file including the personal information, transmitting platform information to the information protection server, and specifying an accessible application for the file including the specified personal information The information protection server is inquired of the information protection server, the file containing the personal information is identified from among the files stored in the information protection terminal, and each of the files containing the identified personal information is accessible. To the file containing the specified personal information. That detects an access from the application, the sensed access, if not an access from the accessible application, to block the access.

The invention according to the first feature is in the category of information protection terminals, but the information protection method and the program for information protection terminals have the same actions and effects.
The invention according to the second feature is an information protection terminal which is the invention according to the first feature,
An information protection terminal characterized in that the platform information includes any or all of an operating system, terminal model information, and a communication contract carrier.
According to the second aspect of the invention, the information protection terminal according to the first aspect of the invention includes any one or all of an operating system, terminal model information, and a communication contract carrier in the platform information.

The invention according to the third feature is an information protection terminal which is the invention according to the first or second feature,
With respect to the access subject to the blocking, an exception handling instruction accepting unit that accepts an input as to whether or not to allow access exceptionally from the user,
An information protection terminal is provided in which, when an input for permitting access exceptionally is received, the access is not blocked.

According to the invention according to the third feature, the invention according to the first or second feature accepts an input as to whether or not to allow access exceptionally from the user regarding the access subject to the blocking. When an input for permitting access is received exceptionally, the access is not blocked.

The invention according to the fourth feature is an information protection terminal which is the invention according to any one of the first to third features,
A personal information handling application specifying means for specifying an application that handles personal information among applications operated on the information protection terminal,
In the specification of the file containing the personal information, the file created by the application that handles the specified personal information is specified as the file containing the personal information,
An information protection terminal is provided that identifies an application that created the file as an accessible application for the file including the personal information.

According to the invention of the fourth aspect, information protection terminal from the first is an invention according to a third one of the features of the application that is running on the information protection terminal, managing personal information In identifying the file including the personal information, the file created by the application that handles the identified personal information is identified as the file including the personal information, and the file including the personal information is identified. Identify the application that created the as an accessible application.

An invention according to a fifth aspect is an information protection method executed by an information protection terminal that is connected to an information protection server so as to be communicable and monitors access to a file containing personal information in real time
Transmitting platform information to the information protection server, and inquiring the information protection server for information necessary for specifying a file including the personal information;
Transmitting platform information to the information protection server, and inquiring the information protection server for information necessary to identify an accessible application for the file containing the identified personal information;
Of the files stored in the information protection terminal, identifying a file containing the personal information;
Identifying an accessible application for each of the files containing the identified personal information;
Detecting an access from an application to a file including the specified personal information;
If the detected access is not an access from the accessible application, blocking the access; and
An information protection method is provided.

An invention according to a sixth aspect is an information protection terminal that is connected to an information protection server so as to be communicable and monitors access to a file containing personal information in real time
Transmitting platform information to the information protection server, and inquiring the information protection server for information necessary for specifying a file including the personal information;
Transmitting platform information to the information protection server, and inquiring the information protection server for information necessary for specifying an accessible application for the file including the specified personal information;
Identifying a file containing the personal information among files stored in the information protection terminal;
Identifying an accessible application for each of the files containing the identified personal information;
Detecting an access from an application to a file including the specified personal information;
If the detected access is not an access from the accessible application, blocking the access;
An information protection terminal program characterized by causing

  According to the present invention, in view of these problems, each file including personal information and an application that permits access to the file are identified, and when access from the application to a file including personal information is detected, If it is not an authorized application, it is possible to provide an information protection terminal, an information protection method, and an information protection terminal program that appropriately protect personal information by blocking the access.

FIG. 1 is a schematic diagram for explaining an outline of the information protection system 1. FIG. 2 is an overall configuration diagram of the information protection system 1. FIG. 3 is a functional block diagram of the information protection terminal 10 and the information protection server 200. FIG. 4 is a flowchart showing information protection processing executed by the information protection terminal 10 and the information protection server 200. FIG. 5 is a flowchart showing personal information file / application specifying processing executed by the information protection terminal 10 and the information protection server 200. FIG. 6 is an example of a screen for accepting an exception handling instruction for access from an unauthorized application in the information protection terminal 10. FIG. 7 is an example of a personal information file pattern table in the personal information file pattern database 250.

  Hereinafter, the best mode for carrying out the present invention will be described with reference to the drawings. This is merely an example, and the technical scope of the present invention is not limited to this.

[Outline of Information Protection System 1]
FIG. 1 is a schematic diagram for explaining an outline of an information protection system 1 which is a preferred embodiment of the present invention. The information protection system 1 includes an information protection terminal 10, an information protection server 200, and a public network 3 (Internet network, third generation, fourth generation communication network, etc.).

  First, the information protection terminal 10 specifies a file containing personal information to be protected and an application that permits access to the file. Therefore, an inquiry is made to the information protection server 200 (step S01), and the file and application patterns are received according to the platform information such as the operating system and model information of the information protection terminal 10 (step S02).

  Then, the information protection terminal 10 specifies a file including personal information and an application that permits access to the file according to the received information or information newly received from the user. Thereafter, it is constantly monitored whether there is an access to the file containing the personal information from the application, and the access is detected (step S03).

  For example, the address book application provided in the terminal is permitted to access the address book data (step S04), and the newly installed mail application is also permitted to access the transmission / reception history file created by the mail application. (Step S05). However, if an application not included in the permission list attempts to access a file containing personal information, the application is blocked (step S06).

  Here, personal information refers not only to so-called legal personal information, but also to all information that is not desirable to be known to others even if an individual cannot be identified. Specifically, in addition to the name and address, mail transmission / reception history and contents, photographs taken, posting on an anonymous bulletin board, etc. may be treated as personal information. Therefore, the file including the personal information may be specified by receiving an input of a file recognized as the personal information by the user.

  The above is the outline of the information protection system 1.

[System configuration of information protection system 1]
FIG. 2 is a system configuration diagram of the information protection system 1 which is a preferred embodiment of the present invention. Here, the information protection terminal 10 is communicably connected to the information protection server 200 via the public line network 3.

  The information protection terminal 10 may be a general information device or electronic device having the functions described below. The information protection terminal 10 is, for example, a mobile phone, a smartphone, a television, a computer, a telephone, a netbook terminal, a slate terminal, an electronic book terminal, an electronic dictionary terminal, a portable music player, a portable content playback / recording player, etc. It may be a general information appliance.

  The information protection server 200 may be a general server having functions to be described later.

[Description of each function]
FIG. 3 is a diagram illustrating the functional blocks of the information protection terminal 10 and the information protection server 200 and the relationship between the functions.

  The information protection terminal 10 includes a CPU (Central Processing Unit), a RAM (Random Access Memory), a ROM (Read Only Memory), and the like as the control unit 11, and the communication unit 12 includes, for example, WiFi (compliant with IEEE 802.11). A wireless fidelity device or a wireless device that conforms to the IMT-2000 standard, such as a third generation mobile communication system, may be included (may be a wired LAN connection).

  In addition, the information protection terminal 10 includes a data storage unit such as a hard disk, a semiconductor memory, a recording medium, or a memory card as the storage unit 13 that stores data and files. Furthermore, the information protection terminal 10 includes a display unit configured to output and display data and images controlled by the control unit, a speaker that reproduces sound, and the like as the input / output unit 13. It has a touch panel, keyboard, mouse, etc. that accept input.

  In the information protection terminal 10, the control unit 11 reads a predetermined program, thereby realizing a file information inquiry module 15 and an application information inquiry module 16 in cooperation with the communication unit 12. In the information protection terminal 10, the control unit 11 reads a predetermined program, so that the personal information file identification module 17, the permitted application identification module 18, the personal information handling application cooperates with the communication unit 12 and the storage unit 13. A specific module 19, a file access detection module 20, and a file access blocking module 21 are realized. In the information protection terminal 10, the control unit 11 reads a predetermined program, thereby realizing an exception handling instruction receiving module 22 and a specific information receiving module 23 in cooperation with the input / output unit 14.

  Similarly, the information protection server 200 includes a CPU, a RAM, a ROM, and the like as the control unit 201, and an IMT such as a WiFi-compatible device compliant with IEEE 802.11 or a third-generation mobile communication system as the communication unit 202. -A wireless device or the like conforming to the 2000 standard is provided (may be a wired LAN connection). The information protection server 200 includes a data storage unit such as a hard disk, a semiconductor memory, a recording medium, or a memory card as the storage unit 203 for storing data and files. The storage unit 203 stores a personal information file pattern database 250.

  In the information protection server 200, the control unit 201 reads a predetermined program, thereby realizing a file information transmission module 204 and an application information transmission module 205 in cooperation with the communication unit 202. In the information protection server 200, the control unit 201 reads a predetermined program, thereby realizing the information reading module 206 in cooperation with the storage unit 203.

[Information protection processing]
FIG. 4 is a flowchart of information protection processing executed by the information protection terminal 10 and the information protection server 200. The processing performed by the module of each device described above will be described together with this processing.

  First, the information protection terminal 10 and the information protection server 200 execute a personal information file / application specifying process in order to specify a file including personal information and an application permitted to access the file (step S11).

[Personal information file / application specific processing]
FIG. 5 is a flowchart of the personal information file / application specifying process executed by the information protection terminal 10 and the information protection server 200. The processing performed by the module of each device described above will be described together with this processing.

  First, the file information inquiry module 15 and the application information inquiry module 16 of the information protection terminal 10 inquire the information protection server 200 about a file or application pattern including common personal information based on the platform (step S21). The file information transmission module 204 and the application information transmission module 205 of the information protection server 200 receive the inquiry (step S22).

  Similarly, the information protection terminal 10 transmits platform information such as an operating system, terminal model information, and communication contract carrier to the information protection server 200 (step S23), and the information protection server 200 receives this (step S24). ). Platform information here refers to information that can find the commonality of the location and type of files containing personal information.

  Next, the information extraction module 206 of the information protection server 200 extracts information corresponding to the platform from the received platform information from the personal information file pattern database 250 (step S25).

  FIG. 7 is an example of a personal information file pattern table in the personal information file pattern database 250. In the personal information file pattern table, an operating system, a terminal name, a file pattern, and an application pattern are displayed, and a file name pattern of a file including personal information and an application name pattern that permits access are registered in advance.

  In FIG. 7, an asterisk “*” indicates an arbitrary character string, and a character string starting from the dollar “$” indicates an environment variable set for each terminal. Using these file patterns, it is possible to specify a file containing personal information and an application that permits access. The condition is not limited to the file pattern, but may be provided by meta information registered as a property of the program, that is, a developer name or a file name.

  The file information transmission module 204 and the application information transmission module 205 transmit the extracted file pattern, and the file information inquiry module 15 and the application information inquiry module 16 of the information protection terminal 10 receive them.

  Subsequently, the specific information receiving module 23 of the information protection terminal 10 receives information related to the specification from the user (step S28). This is necessary to specify a file containing personal information or an application that permits access, depending on the user-specific environment, regardless of the platform.

  For example, a file or application may be specified actively. Alternatively, the personal information handling application identification module 19 may identify an application as an application that handles personal information, and may identify a file generated by the application during installation or execution as a document including personal information. . In this case, the application that generated the file is specified as an application that can access the file.

  Finally, the personal information file specifying module 17 of the information protection terminal 10 specifies a file including personal information using the above information (step S29). Further, the permitted application identification module 18 of the information protection terminal 10 identifies an application for which access is permitted for each file including the identified personal information (step S30). The above is the procedure of the personal information file / application specifying process.

  Returning to the information protection processing, the file access detection module 20 of the information protection terminal 10 detects access from the application to the file including the specified personal information (step S12). Although file access includes reading and writing, both accesses may be handled without distinction, or may be distinguished according to conditions inputted by the user.

  Next, the file access blocking module 21 of the information protection terminal 10 determines whether the application that has detected the access is permitted to access the file (step S13). If access is permitted (step S13: "YES"), access is performed as usual, and monitoring is continued until the next access is detected. On the other hand, if the application is not permitted to be accessed (step S13: “NO”), the following processing is subsequently performed to block access.

  When blocking access, the exception handling instruction receiving module 22 of the information protection terminal 10 may receive an instruction input as to whether to permit access exceptionally (step S14). If an access permission instruction is received (step S15: "YES"), access is exceptionally permitted and monitoring is continued. On the other hand, if an access permission instruction is not accepted (step S15: “NO”), personal information is protected by blocking access to the file (step S16).

  FIG. 6 is an example of a screen for accepting an exception handling instruction for access from an unauthorized application in the information protection terminal 10. In the warning message 61, the information 62 of the application that attempted to access and the information 63 of the file including the accessed personal information are specified, and the access should be normally blocked. Accepts input from the user.

  In FIG. 6, by depressing the permission button 64, access is permitted without being exceptionally blocked. On the other hand, when the permission button 64 is not pressed, such as when the blocking button 65 is depressed, access is blocked as usual. As a result, not all access is uniformly blocked, but only access as necessary is permitted, and it is possible to respond flexibly.

  The above is the procedure of the information protection process.

  The means and functions described above are realized by a computer (including a CPU, an information processing apparatus, and various terminals) reading and executing a predetermined program. The program is provided in a form recorded on a computer-readable recording medium such as a flexible disk, CD (CD-ROM, etc.), DVD (DVD-ROM, DVD-RAM, etc.), for example. In this case, the computer reads the program from the recording medium, transfers it to the internal storage device or the external storage device, stores it, and executes it. The program may be recorded in advance in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to a computer via a communication line.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to these embodiment mentioned above. The effects described in the embodiments of the present invention are only the most preferable effects resulting from the present invention, and the effects of the present invention are limited to those described in the embodiments of the present invention. is not.

  1 Information Protection System, 3 Public Line Network, 10 Information Protection Terminal, 200 Information Protection Server, 250 Personal Information File Pattern Table

Claims (6)

An information protection terminal that is communicably connected to an information protection server and monitors access to a file containing personal information in real time,
File information inquiry means for transmitting platform information to the information protection server and inquiring the information protection server for information necessary for specifying a file including the personal information;
Application information inquiry means for sending platform information to the information protection server and inquiring the information protection server for information necessary for specifying an accessible application for the file containing the specified personal information;
Of the files stored in the information protection terminal, personal information file specifying means for specifying a file containing the personal information,
Permitted application specifying means for specifying an accessible application for each of the files including the specified personal information,
File access detection means for detecting access from an application to a file containing the specified personal information;
If the detected access is not an access from the accessible application, file access blocking means for blocking the access;
An information protection terminal comprising: The information protection terminal according to claim 1,
An information protection terminal characterized in that the platform information includes any or all of an operating system, terminal model information, and a communication contract carrier. The information protection terminal according to claim 1 or 2 ,
With respect to the access subject to the blocking, an exception handling instruction accepting unit that accepts an input as to whether or not to allow access exceptionally from the user,
An information protection terminal characterized in that, when an input for permitting access is exceptionally received, the access is not blocked. The information protection terminal according to any one of claims 1 to 3 ,
A personal information handling application specifying means for specifying an application that handles personal information among applications operated on the information protection terminal,
In the specification of the file containing the personal information, the file created by the application that handles the specified personal information is specified as the file containing the personal information,
An information protection terminal characterized by identifying an application that created the file as an accessible application for the file containing the personal information. An information protection method executed by an information protection terminal connected in real time to an information protection server and monitoring access to a file containing personal information in real time,
Transmitting platform information to the information protection server, and inquiring the information protection server for information necessary for specifying a file including the personal information;
Transmitting platform information to the information protection server, and inquiring the information protection server for information necessary to identify an accessible application for the file containing the identified personal information;
Of the files stored in the information protection terminal, identifying a file containing the personal information;
Identifying an accessible application for each of the files containing the identified personal information;
Detecting an access from an application to a file including the specified personal information;
If the detected access is not an access from the accessible application, blocking the access; and
An information protection method comprising: To an information protection terminal that is connected to an information protection server so as to be able to communicate and monitor access to files containing personal information in real time.
Transmitting platform information to the information protection server, and inquiring the information protection server for information necessary for specifying a file including the personal information;
Transmitting platform information to the information protection server, and inquiring the information protection server for information necessary for specifying an accessible application for the file including the specified personal information;
Identifying a file containing the personal information among files stored in the information protection terminal;
Identifying an accessible application for each of the files containing the identified personal information;
Detecting an access from an application to a file including the specified personal information;
If the detected access is not an access from the accessible application, blocking the access;
An information protection terminal program characterized in that