JP7185953B1 - Data management system, data management method, and data management program - Google Patents

Abstract

A technique for encrypting sensitive data (logs, etc.) collected from devices and the like and efficiently utilizing the encrypted data is provided. A data management system according to the present disclosure includes a sensitive data acquisition unit that acquires sensitive data (logs), a key management unit that manages an encryption key, and an encryption unit that encrypts the sensitive data based on the encryption key. and a database for storing sensitive data encrypted by the encryption unit in a database format. Storing sensitive data (logs) in a database format enables efficient utilization. [Selection drawing] Fig. 2

Description

The present disclosure relates to a data management system, data management method, and data management program.

In recent years, in the operation of information processing systems, logs of network devices such as server computers, firewalls, and routers have been collected. A log is data in which information about an event that occurred in a device is recorded in a fixed format in association with date and time. For example, in the case of computers, there are access logs that record accesses, error logs that record errors in information processing, and debug logs that record program operations for the purpose of finding bugs. . With recent improvements in data processing, machine learning, etc., logs such as those described above can be used to investigate the cause of failures, detect security anomalies, predict failures and security anomalies, and perform follow-up investigations and analyses. It is hoped that technology will be developed to accurately perform

As for the collected logs, the logs for each fixed period are compiled into one file, and the file is stored in a local storage device or cloud storage. Logs, which record events that have occurred in devices, need to be encrypted because they contain information that can give clues to unauthorized system access and sensitive data related to security vulnerabilities. For example, Patent Literature 1 discloses an encryption device that encrypts collected log files and stores them in a storage.

In addition, it is desirable to store the collected logs in a database so that the desired information can be easily retrieved. For example, Patent Literature 2 discloses an encrypted database search device that speeds up the encrypted DB search process in a search system that searches encrypted documents stored in the encrypted DB.

Japanese Patent Application Laid-Open No. 2010-128901 JP-A-2005-134990

When logs are compiled into files and encrypted and saved on a file-by-file basis, in order to access the necessary log information, it is necessary to perform searches after decrypting each file. There is a problem that it takes time to utilize

The invention described in Patent Document 1 only encrypts log files and stores them in a storage, but does not store logs in a database. In addition, although the invention described in Patent Document 2 stores encrypted data in a database, the object of encryption is general documents, not logs collected from network devices or the like. In other words, when a failure occurs in a network device, logs are not efficiently used to investigate the cause, or to detect and predict security anomalies.

The present invention has been made in view of such problems, and its object is to provide a technique for encrypting sensitive data collected from devices and the like and efficiently using the encrypted data.

In order to achieve the above object, a data management system according to the present disclosure includes a sensitive data acquisition unit that acquires sensitive data, a key management unit that manages an encryption key, and an encryption key that encrypts sensitive data based on the encryption key. and a database for storing sensitive data encrypted by the encryption unit in a database format.

In order to achieve the above object, a data management method according to the present disclosure provides a data management system in which a sensitive data acquisition unit acquires sensitive data; a key management unit manages an encryption key; An encryption unit encrypts sensitive data based on an encryption key; and a database stores the sensitive data encrypted by the encryption unit in a database format.

In order to achieve the above object, a data management program according to the present disclosure causes a computer to execute the above data management method.

ADVANTAGE OF THE INVENTION According to this invention, the sensitive data collected from the apparatus etc. can be encrypted and utilized efficiently. This makes it possible to store sensitive data such as logs in a form suitable for utilization while ensuring security. In addition, when a network equipment failure occurs, logs can be efficiently used to investigate the cause, or to detect and predict security anomalies.

1 is a diagram showing a configuration of a data management system 1; FIG. 4 is a conceptual diagram of processing according to the first embodiment; FIG. 2 is a functional block diagram showing an example of a functional configuration of a proxy server 2000; FIG. 3 is a functional block diagram showing an example of the functional configuration of a key management server 3000; FIG. 4 is a functional block diagram showing an example of a functional configuration of a database server 4000; FIG. It is the figure which showed an example of the data structure of sensitive data. 4 is a flowchart showing an example of processing according to the first embodiment; 2 is a block diagram showing the hardware configuration of a proxy server 2000; FIG. 3 is a functional block diagram showing an example of a functional configuration of a proxy server 2100; FIG. 3 is a functional block diagram showing an example of a functional configuration of a proxy server 2200; FIG. 2 is a diagram showing the configuration of a data management system 4; FIG. FIG. 10 is a conceptual diagram of processing according to the second embodiment; 3 is a functional block diagram showing an example of a functional configuration of a proxy server 2300; FIG. 4 is a functional block diagram showing an example of the functional configuration of a database server 4100; FIG. 9 is a flowchart showing an example of processing according to the second embodiment; 2 is a diagram showing the configuration of a data management system 5; FIG. FIG. 11 is a conceptual diagram of processing according to the third embodiment; 3 is a functional block diagram showing an example of a functional configuration of a proxy server 2400; FIG. 10 is a flowchart showing an example of processing according to the third embodiment;

Hereinafter, embodiments of the present disclosure will be described with reference to the drawings. In all the drawings for explaining the embodiments, common constituent elements are given the same reference numerals, and repeated explanations are omitted. It should be noted that the following embodiments do not unduly limit the content of the present disclosure described in the claims. Also, not all the components shown in the embodiments are essential components of the present disclosure.

<Embodiment 1>
In this embodiment, the proxy server 2000 acquires sensitive data output from the network devices 1000-1, 1000-2, .

(Configuration of data management system 1)
FIG. 1 is a diagram showing the configuration of a data management system 1 according to this embodiment. A configuration of a data management system 1 according to the first embodiment will be described with reference to FIG.

, 1000-N (N is a natural number), a proxy server 2000, a key management server 3000, and a database server 4000. 1, network devices 1000-1, 1000-2, . . . , 1000-N, proxy server 2000, key management server 3000, and database server 4000 are communicably connected via network NW. The network NW is, for example, a WAN (Wide Area Network), a LAN (Local Area Network), an optical line network, an intranet, etc., but may be composed of any network.

In the following description, network devices 1000-1, 1000-2, .

The network device 1000 transmits logs output by these devices to the proxy server 2000 as sensitive data. The network device 1000 includes network connectable devices such as firewalls, routers, servers, and systems.

A log is data defined in a certain format in which information about an event that has occurred is associated with the date and time. A communication log that records communication with other devices, an access log that records access, an error log that records errors in information processing, and a record of program operations for the purpose of finding bugs. There is a debug log etc. That is, the log is data that is continuously output from the device, and when accumulated, the amount of data becomes enormous with the passage of time.

The proxy server 2000 acquires the log as sensitive data from the network device 1000, and performs preprocessing as necessary to make it suitable for storage in the database (described later) and storage (described later) of the database server 4000. FIG. Next, the proxy server 2000 acquires the encryption key from the key management server 3000, encrypts the sensitive data (log), and saves it in the database of the database server 4000. FIG.

The key management server 3000 manages encryption keys for encrypting sensitive data. Key management server 3000 transmits to proxy server 2000 an encryption key that proxy server 2000 uses to encrypt sensitive data. Note that the key management server 3000 may be configured to be included in the proxy server 2000 . That is, the proxy server 2000 may have a function of managing encryption keys.

The database server 4000 has a hierarchical database, a network database, a relational database, a NoSQL (Not Only SQL) database, NewSQL, and other database-type storage areas as storage areas. This specification may simply refer to this as a "database". In addition, the database server 4000 has a file system as a storage area for storing files with contents conforming to a certain format, such as CSV (Comma Separated Value) files and XML files. This specification may simply refer to this as "storage."

Database server 4000 stores sensitive data encrypted by proxy server 2000 in a database. In addition, among the data stored in the database for a certain period of time, the database server 4000 retains in the database sensitive data indicating an abnormality in a network device and sensitive data recorded before or after the relevant sensitive data in the database. of encrypted sensitive data from the database. At this time, the database server 4000 converts the encrypted sensitive data stored in the database into a file and stores it in the storage.

That is, all encrypted sensitive data are filed and stored in the storage of the database server 4000, so that a complete log file can be aggregated.

As described above, in the data management system 1, the database server 4000 stores sensitive data in databases and storages. For efficient use of data, it is desirable to store all data in a database with high-speed data access. Storing data in a database is difficult. Also, most of the logs are normal data, and the need for analysis for detecting anomalies is low. Therefore, the data management system 1 according to the present embodiment leaves in the database only sensitive data that satisfies a predetermined condition and is useful for data utilization. And by storing all sensitive data in storage, it is possible to maximize the use of data while solving economic problems.

The functional configuration and processing of each server constituting the data management system 1 described above will be described below. Note that the functional blocks and processing blocks representing each functional configuration may be implemented by one or more devices, computer processors, or distributed groups of computer processors. For example, the functions performed by the proxy server 2000, the key management server 3000, and the database server 4000 may be realized by one device.

FIG. 2 is a conceptual diagram of processing according to the first embodiment. An outline of processing in the data management system 1 will be described with reference to FIG. In FIG. 2, solid-line arrows indicate the flow of processing, and broken-line arrows indicate the flow of data.

The data management system 1 according to the first embodiment stores sensitive data, which are logs of network devices, in a database. After a certain period of time has passed, the sensitive data other than the sensitive data indicating the abnormality and the sensitive data recorded before and after the relevant sensitive data are deleted from the database. Also, the predetermined sensitive data stored in the database, including the deleted sensitive data, is filed and stored in the storage.

(1) Sensitive Data Acquisition Step The network device 1000 transmits a log to the proxy server 2000, and the proxy server 2000 acquires from the network device 1000 sensitive data, which is a log related to the network device.

(2) Preprocessing Step After acquiring the sensitive data, the proxy server 2000 performs preprocessing as necessary. For example, as preprocessing as described later, the proxy server 2000 formats the sensitive data so as to correspond to the attribute items and attribute values previously determined by the system operator or the like.

Specifically, as preprocessing, the proxy server 2000 may parse the syntax of the acquired sensitive data to format the sensitive data. The log transmitted by the network device 1000 includes, for example, information (attribute values corresponding to attribute items) such as when (time), who (which device), what application, and what operation was performed. The proxy server 2000 analyzes the device name, date of occurrence (year/month/day), time of occurrence (time), location (IP address), application name, user ID, user name, operation details, etc. included in the sensitive data. Then, after associating each value as an attribute value corresponding to the attribute item, the format of the sensitive data may be arranged. In addition, the proxy server 2000 may preprocess the acquired sensitive data for each log, or preprocess a plurality of logs collectively. You can Further, as preprocessing, the proxy server 2000 may determine in which database the sensitive data is to be stored if there are multiple databases of the database server.

Also, the proxy server 2000, for example, in the (above) description of the date of occurrence, "2021/1/1", "2021.1.1", "2021-1-1", and "January 1, 2021" Although they all have the same meaning, they are written differently, so normalization may be performed to unify the expression method for attribute values with the same content.

An existing algorithm or the like may be used for the preprocessing as described above. It should be noted that it is not necessary for all devices to create logs in the same format, and the format may differ depending on the device. Also, the preprocessing described above is not an essential component of the proxy server 2000, and may be performed in another device.

(3) Encryption step The proxy server 2000 encrypts sensitive data using a predetermined encryption method. The predetermined encryption method is, for example, a homomorphic encryption method, a searchable encryption method such as an order preserving encryption method (OPE method: Order Preserving Encryption) or an ORE method (Order Revealing Encryption), AES (Advanced Encryption Standard), DES (Data Encryption Standard), SHA (Secure Hash Algorithm), MD5 (Message Digest Algorithm 5), and the like. Which encryption method is to be used for encryption may be set in advance by the system operator or the like according to the attribute value of the sensitive data.

The proxy server 2000 acquires a key for encrypting sensitive data from the key management server 3000 and encrypts it. The proxy server 2000 may perform preprocessing on the sensitive data, and then encrypt each attribute value of the attribute item of one log (in units of cells when a plurality of logs are viewed as a table). Although the unit of encryption is not limited to the cell unit, it is desirable to encrypt each attribute value of the attribute item of one log in order to enable searching while encrypted.

Sensitive data encrypted in proxy server 2000 is sent to database server 4000 . The database server 4000 then stores the encrypted sensitive data in the database.

(4) File Generation Step After a predetermined period of time has elapsed, the database server 4000 converts the sensitive data into a file in an encrypted state and stores it in the storage. “After a predetermined period of time” may be set as appropriate, for example, after 3 hours, after 1 day, after 2 months, etc., based on the storage capacity of the database server, the volume of logs generated from the system, and the like. Also, the starting time point of the calculation of the period is, for example, the time point when the sensitive data starts to be stored in the database, but the system operator or the like may set it as appropriate.

(5) Deletion step The database server 4000 deletes sensitive data that satisfies a predetermined condition from the database after a predetermined period of time has elapsed.

“After a predetermined period of time” may be set as appropriate, for example, after 3 hours, after 1 day, after 2 months, etc., based on the storage capacity of the database server, the volume of logs generated from the system, and the like. Also, the starting time of the calculation of the period is, for example, the time when the sensitive data starts to be stored in the database or after the file generation is completed, but the system operator or the like may set it as appropriate.

Sensitive data that satisfies a "predetermined condition" may be set as appropriate, for example, "normal logs", "data excluding logs indicating anomalies", and "data excluding logs indicating equipment failures and security anomalies". A log indicating an anomaly is, for example, a log containing errors and/or warnings. Normally, logs indicating errors are clearly indicated as "Error", and logs indicating warnings are clearly indicated as "Warning", so the log may include these characters or flags. Further, a certain threshold may be set, and a log indicating a value equal to or higher than the threshold or a log indicating a value equal to or lower than the threshold may be regarded as an abnormality log. Normal logs refer to logs other than logs indicating anomalies.

Since most of the logs are data indicating that the state of the device is normal, log information indicating an abnormality is important for understanding the state of the device or analyzing the log. Therefore, it is desirable that the database server 4000, for example, leave logs indicating anomalies in a database that can be searched efficiently. In order to analyze logs and predict future anomalies, the database server 4000 desirably leaves logs before and after the log indicating an anomaly in the database in addition to the log indicating the anomaly. "Logs before and after" may be, for example, logs that are recorded temporally before and after (continuously) the log indicating the abnormality, or within a certain period of time before and after the log indicating the abnormality. It may be a log recorded (intermittently) on In other words, the "predetermined condition" is data to be deleted from the database, and may be, for example, something other than a log indicating an abnormality and its peripheral logs. Further, a predetermined condition may be appropriately set according to the network device 1000 .

The concept of processing in the first embodiment has been described above with reference to FIG. Stored. All sensitive data is then stored in storage as files. In general, it is possible to retrieve information from a database at high speed. Therefore, the data management system 1 of Embodiment 1 enables high-speed retrieval of sensitive data important for system management from the database. Become. Note that the data to be stored in the storage may not be all sensitive data stored in the database, but may be sensitive data that satisfies a predetermined condition and is deleted from the database.

(Functional configuration of proxy server 2000)
FIG. 3 is a functional block diagram showing an example of the functional configuration of the proxy server 2000. As shown in FIG. An example of the functional configuration of the proxy server 2000 will be described with reference to FIG.

Proxy server 2000 includes communication unit 2010 , storage unit 2020 , and control unit 2030 .

The communication unit 2010 has a communication interface circuit for the proxy server 2000 to communicate with servers, devices, etc. via the network NW according to a predetermined communication protocol. The predetermined communication protocol is TCP/IP (Transmission Control Protocol/Internet Protocol) or the like. The communication unit 2010 sends the received data to the control unit 2030, and also sends the data received from the control unit 2030 to the server, the device, etc. via the network NW. Data may be exchanged with functional blocks other than the control unit 2030 .

The communication unit 2010 acquires sensitive data from the network device 1000 . Also, the communication unit 2010 transmits the encrypted sensitive data to the database server 4000 .

The storage unit 2020 includes memory devices such as RAM (Random Access Memory) and ROM (Read Only Memory), fixed disk devices such as hard disks, or portable storage devices such as flexible disks and optical disks. Further, the storage unit 2020 stores computer programs, encryption programs, keys, etc. used for various processes of the proxy server 2000 . The computer program may be installed in the storage unit 2020 from a computer-readable portable recording medium using a known setup program or the like. Portable recording media include, for example, CD-ROMs (Compact Disc Read Only Memory) and DVD-ROMs (Digital Versatile Disc Read Only Memory). The computer program may be installed from a predetermined server or the like.

The control unit 2030 is a processor such as a CPU (Central Processing Unit) that controls each function of the proxy server 2000 and operates based on a program stored in the storage unit 2020 in advance. A DSP (digital signal processor) or the like may be used as the control unit 2030 . Further, as the control unit 2030, a control circuit such as LSI (large scale integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or the like may be used.

Also, the control unit 2030 has functions as a sensitive data acquisition unit 2031 and an encryption unit 2032 .

The sensitive data acquisition unit 2031 acquires sensitive data, which is a log, from the network device 1000 via the communication unit 2010 . Then, the preprocessing as described above is performed on the sensitive data in a preprocessing unit (not shown).

The encryption unit 2032 acquires an encryption key from the key management server 3000 via the communication unit 2010 and encrypts sensitive data. The encryption unit 2032 uses, for example, a homomorphic encryption method, an order preserving encryption method (OPE method: Order Preserving Encryption), an ORE method (Order Revealing Encryption), or the like, according to the format of sensitive data (numbers, character strings, etc.). Encryption is performed using a cryptosystem such as searchable encryption, AES (Advanced Encryption Standard), DES (Data Encryption Standard), SHA (Secure Hash Algorithm), MD5 (Message Digest algorithm 5).

(Functional configuration of key management server 3000)
FIG. 4 is a functional block diagram showing an example of the functional configuration of the key management server 3000. As shown in FIG. An example of the functional configuration of the key management server 3000 will be described with reference to FIG.

The key management server 3000 includes a communication section 3010 , a storage section 3020 and a control section 3030 .

The communication unit 3010 has a communication interface circuit for the key management server 3000 to communicate with servers, devices, etc. via the network NW according to a predetermined communication protocol. The predetermined communication protocol is TCP/IP (Transmission Control Protocol/Internet Protocol) or the like. The communication unit 3010 sends the received data to the control unit 3030, and also sends the data received from the control unit 3030 to the server, the device, etc. via the network NW. Data may be exchanged with a functional block other than the control unit 3030 of .

Communication unit 3010 receives an inquiry from proxy server 2000 and transmits corresponding key data to proxy server 2000 .

The storage unit 3020 includes memory devices such as RAM (Random Access Memory) and ROM (Read Only Memory), fixed disk devices such as hard disks, portable storage devices such as flexible disks and optical disks, and the like. Storage unit 3020 stores computer programs, encryption programs, keys, and the like used for various processes of proxy server 3000 . The computer program may be installed in the storage unit 3020 from a computer-readable portable recording medium using a known setup program or the like. Portable recording media include, for example, CD-ROMs (Compact Disc Read Only Memory) and DVD-ROMs (Digital Versatile Disc Read Only Memory). The computer program may be installed from a predetermined server or the like.

Storage unit 3020 stores key data for encrypting or decrypting sensitive data in proxy server 2000 .

The control unit 3030 is a processor such as a CPU (Central Processing Unit) that controls each function of the key management server 3000 and operates based on a program stored in advance in the storage unit 3020 . Note that a DSP (digital signal processor) or the like may be used as the control unit 3030 . Also, as the control unit 3030, a control circuit such as LSI (large scale integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or the like may be used.

Also, the control unit 3030 has a function as a key management unit 3031 .

Key management unit 3031 transmits key data to proxy server 2000 via communication unit 3010 .

The key management unit 3031 manages encryption keys and decryption keys. The key management unit 3031 may generate a key according to the encryption method requested by the encryption unit 2032 of the proxy server 2000, for example. If the encryption method is, for example, a homomorphic encryption method (Paillier method) that allows addition and subtraction in the encrypted state (additive), a set of public key (encryption key) and private key (decryption key) is generated. .

In addition, the encryption method is an order preserving encryption method (OPE method) in which the size relationship of the ciphertext matches the size relationship of the corresponding plaintext, and a searchable encryption method that can determine whether the plaintext matches in the encrypted state. method, a common key is generated. As described above, the encryption key and the decryption key may be different keys such as a set of a public key and a private key, or may be the same key such as a common key. Note that the key generation algorithm is a well-known technique, so the explanation is omitted.

The key management unit 3031 causes the storage unit 3020, for example, to store the generated keys and parameters for key generation. The key management unit 3031 manages the generated key in association with which data (attribute item (column), etc.) is used for encryption among the encryption method and the sensitive data.

(Functional configuration of database server 4000)

FIG. 5 is a functional block diagram showing an example of the functional configuration of the database server 4000. As shown in FIG. An example of the functional configuration of the database server 4000 will be described with reference to FIG.

Database server 4000 includes communication unit 4010 , storage unit 4020 , and control unit 4030 .

The communication unit 4010 has a communication interface circuit for the database server 4000 to communicate with servers, devices, etc. via the network NW according to a predetermined communication protocol. The predetermined communication protocol is TCP/IP (Transmission Control Protocol/Internet Protocol) or the like. The communication unit 4010 sends the received data to the control unit 4030, and also sends the data received from the control unit 4030 to a server, a device, etc. via the network NW. Data may be exchanged with functional blocks other than the control unit 4030 .

The communication unit 4010 acquires encrypted sensitive data from the proxy server 2000 .

The storage unit 4020 includes memory devices such as RAM (Random Access Memory) and ROM (Read Only Memory), fixed disk devices such as hard disks, or portable storage devices such as flexible disks and optical disks. The storage unit 4020 stores computer programs, encryption programs, keys, and the like used for various processes of the database server 4000 . The computer program may be installed in the storage unit 4020 from a computer-readable portable recording medium using a known setup program or the like. Portable recording media include, for example, CD-ROMs (Compact Disc Read Only Memory) and DVD-ROMs (Digital Versatile Disc Read Only Memory). The computer program may be installed from a predetermined server or the like.

The storage unit 4020 also functions as a database 4021 and a storage 4022 .

Database 4021 stores encrypted sensitive data obtained from proxy server 2000 . For example, encrypted sensitive data obtained from a proxy server during a predetermined period of time, logs indicating anomalies among sensitive data obtained before the predetermined period of time, and sensitive data of logs before and after the relevant log in terms of time and memorize. The sensitive data stored in the database 4021 that satisfies a predetermined condition is deleted from the database 4021 after a predetermined period of time has elapsed.

Storage 4022 stores data generated as a file format for the encrypted sensitive data obtained from proxy server 2000 .

The control unit 4030 is a processor such as a CPU (Central Processing Unit) that controls each function of the database server 4000 and operates based on a program stored in the storage unit 4020 in advance. Note that a DSP (digital signal processor) or the like may be used as the control unit 4030 . Also, as the control unit 4030, a control circuit such as LSI (large scale integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or the like may be used.

Also, the control unit 4030 has functions as a file generation unit 4031 and a deletion unit 4032 .

File generation unit 4031 generates a file for sensitive data stored in database 4021 . Then, the file generation unit 4031 stores the sensitive data in the storage 4022 .

Deletion unit 4032 deletes sensitive data that satisfies a predetermined condition from database 4021 after a predetermined period of time has elapsed.

"After a predetermined period of time" is, as described above, for example, after 3 hours, after 1 day, after 2 months, etc. can be set.

Sensitive data that satisfies the "predetermined condition" may be appropriately set, for example, data excluding normal logs, logs indicating anomalies, and data excluding logs indicating device failures and security anomalies, as described above. However, in sensitive data, since logs indicating failures and anomalies have important meaning, logs other than logs indicating failures and anomalies and logs before and after them in terms of time are stored in the database as sensitive data that meet predetermined conditions. This should be the data to be deleted.

FIG. 6 is a diagram showing an example of the data structure of sensitive data. Hereinafter, with reference to FIG. 6, the data structure of the sensitive data and the sensitive data satisfying the "predetermined condition" will be described.

As shown in FIG. 6, the sensitive data of this embodiment is a log output by a network device, and includes "device" (device name), "IP address" (location (IP address)), "date" (occurrence date (year, month, day)), "time" (time of occurrence (time)), "application" (application name), "user ID" (user ID), "user" (user name), "event" (event ( Log content)), and attribute values (character strings or numerical values) of attribute items (columns) such as "flags" (flags indicating errors, warnings, etc.). Further, the sensitive data may include an identifier (“log ID” in FIG. 6) that uniquely identifies the log as an attribute item. Identifiers may be numbers, strings, or combinations thereof. Although predetermined attribute items are shown in FIG. 6 for simplification of explanation, in addition to these, attribute items (not shown) may be included in the sensitive data.

FIG. 6 shows an example of sensitive data. In an actual system, sensitive data output from a certain device for a certain period of time are collectively sent to a proxy server. The example of FIG. 6 shows examples of the devices "Router", "PC01", and "MAIL", but much of the sensitive data is normal data that does not indicate anomalies. Then, on the "Router" device, the network connection was interrupted at the time of "10:01:30", the warning was recorded as "warning", and the connection to the destination address was made at the time of "10:01:31". is not possible, and "error" is stored. Then, at the time of "10:02:00", the error is resolved, and a log indicating normal connection is stored. In this way, a log of warnings and errors is stored for a certain period of time due to an abnormality in the system, but the error will be resolved when a reset or restart is performed by the automatic system recovery processing, and the system will return to normal thereafter. log is stored.

In the device of "PC01" in FIG. 6, an error is stored from the time of "10:00:11". For example, if an unauthorized login is attempted, a user authentication error, etc. will be stored continuously. .

In the "MAIL" device in FIG. 6, an error is stored at the time of "10:01:30", but it is also assumed that a single error is stored, such as when user authentication simply fails.

Proxy server 2000 acquires sensitive data such as that shown in FIG. 6 from network device 1000 and encrypts it in units of cells, and database server 4000 stores the encrypted sensitive data in a database. Then, in the database server 4000, after a certain period of time has elapsed, the sensitive data is stored in the storage as a file, and the sensitive data that satisfies a predetermined condition is deleted from the database. Sensitive data that satisfies a predetermined condition is, for example, sensitive data indicating abnormalities such as errors and warnings, and sensitive data other than data stored before and after that, but other conditions may be determined.

In FIG. 6, the "log IDs" of data indicating anomalies are 10000201 to 10000203, 10001071 to 10001075, and 10002301. Therefore, for example, if the system operator or the like sets in advance to leave 5 data before and after the data indicating an abnormality in the order of "log ID" as the data to be left in the database, the deletion unit 4032 of the database server 4000 writes 10000196 Leave the data up to ~10000208, 10001066~10001080, 10002296~10002306 in the database, and delete the other data. In addition, the file generation unit 4031 converts all sensitive data (sensitive data of 10000001 to 10002400 in the example of FIG. 6) into files and stores them in the storage.

7 is a flowchart illustrating an example of processing according to the first embodiment; FIG. With reference to FIG. 7, proxy server 2000 acquires a log output from network device 1000 as sensitive data, encrypts it and stores it in the database of database server 4000, and after a certain period of time has elapsed, sends predetermined data to database server 4000. A description will be given of the flow of deleting sensitive data that satisfies a predetermined condition from the database after storing it as a file in the storage.

In step S<b>101 , the proxy server 2000 acquires sensitive data, which is a network device log, from the network device 1000 .

In step S102, proxy server 2000 encrypts sensitive data. At this time, an encryption key for encrypting the sensitive data is acquired from the key management server 3000, and the sensitive data is encrypted using the obtained encryption key.

In step S103, the proxy server 2000 transmits the encrypted sensitive data to the database server 4000, and the database server 4000 stores the sensitive data acquired from the proxy server 2000 in the database.

In step S104, the database server 4000 generates a file in which the sensitive data stored in the database is in a predetermined file format after a predetermined period of time, and stores the file in the storage. In step S104, the sensitive data is filed in an encrypted state.

In step S105, the database server 4000 deletes sensitive data that satisfies a predetermined condition from the database after a predetermined period of time has elapsed. After execution of step S105, the processing in the data management system 1 may be temporarily terminated, or the processing of acquiring the sensitive data and storing it in the database and storage may be continued.

(Hardware configuration diagram)
FIG. 8 is a block diagram showing the hardware configuration of the proxy server 2000. As shown in FIG. Proxy server 2000 is implemented in computer 9001 . A computer 9001 includes a CPU 9002 , a main memory device 9003 , an auxiliary memory device 9004 and an interface 9005 .

The operation of each component of proxy server 2000 is stored in auxiliary storage device 9004 in the form of a program. The CPU 9002 reads out the program from the auxiliary storage device 9004, develops it in the main storage device 9003, and executes the above processing according to the program. Also, the CPU 9002 secures a storage area in the main storage device 9003 according to the program. Specifically, the program is a program that causes the computer 9001 to perform data processing.

Note that the auxiliary storage device 9004 is an example of a non-temporary tangible medium. Other examples of non-transitory tangible media include magnetic disks, magneto-optical disks, CD-ROMs, DVD-ROMs, semiconductor memories, etc. that are connected via the interface 9005 . Further, when this program is distributed to the computer 9001 via a network, the computer 9001 receiving the distribution may develop the program in the main storage device 9003 and execute the processing.

Also, the program may be for realizing part of the functions described above. Furthermore, the program may be a so-called difference file (difference program) that implements the above-described functions in combination with another program already stored in the auxiliary storage device 9004 . Note that the hardware configuration shown in FIG. 8 may be configured similarly to the key management server 3000 and the database server 4000 . Like the proxy server 2000 described above, the operation of each component in these devices is realized by the CPU according to the program stored in the auxiliary storage device.

(Explanation of effect)
As described above, the data management system according to this embodiment encrypts the log output by the network device using a predetermined encryption method and stores it in the database. After a predetermined period of time has elapsed, sensitive data satisfying a predetermined condition, for example, sensitive data other than sensitive data of logs such as error logs that report anomalies in the network device 1000 and peripheral logs are deleted from the database. In addition, all sensitive data including the sensitive data to be deleted from the database are filed and stored in the storage.

The data management system 1 according to this embodiment stores logs in a database format, thereby enabling high-speed searches. In addition, storing data in a database format is often costly, but only sensitive data related to logs that notify anomalies such as error logs and peripheral logs are stored in the database, and other data is filed for storage. , it is possible to search sensitive data that is highly necessary for system management at high speed while suppressing costs.

Furthermore, since the data management system 1 manages the encrypted database, information can be shared by a plurality of persons.

<Modification 1 of Embodiment 1>
The data management system 2 according to Modification 1 is different in that a proxy server 2100 is provided instead of the proxy server 2000 of the data management system 1 according to the first embodiment.

, 1000-N, the proxy server 2100 acquires, encrypts, and stores in the database and storage. The proxy server 2100 also has a function of performing machine learning using logs indicating anomalies such as errors and predicting anomalies from the logs of the network devices 1000-1, 1000-2, . . . , 1000-N.

The data management system 2 according to Modification 1 has the same configuration as the data management system 1 according to Embodiment 1 except that the proxy server 2000 (see FIG. 1) replaces the proxy server 2100 . Therefore, the description of the same parts as in the first embodiment will be omitted below.

(Functional configuration of proxy server 2100)
FIG. 9 is a functional block diagram showing an example of the functional configuration of the proxy server 2100. As shown in FIG. An example of the functional configuration of the proxy server 2100 will be described with reference to FIG.

Proxy server 2100 includes communication unit 2010 , storage unit 2020 , and control unit 2130 , and communication unit 2010 and storage unit 2020 have the same configuration as proxy server 2100 .

The control unit 2130 has functions as a sensitive data acquisition unit 2031 , an encryption unit 2032 and a learning unit 2133 . Note that the sensitive data acquisition unit 2031 and the encryption unit 2032 have the same configuration as that of the proxy server 2000 .

The learning unit 2133 uses, as training data, sensitive data stored in the database, such as sensitive data indicating an abnormality and sensitive data in a certain range before and after the error, from the log output by the network device 1000. Generates a model for machine learning to predict anomalies from the logs output by . The learning unit 2133 may store the generated model in the storage unit 2020, or may store it in an external storage device (not shown).

The learning unit 2133 may relearn and update the machine learning model for predicting anomalies each time the sensitive data in the database 2021 is updated. Also, the machine learning model may be re-learned and updated when a certain amount of sensitive data is collected or when a certain amount of time has passed. As for the machine learning method and model, known methods such as neural network, SVN (Support Vector Machine), decision tree learning, and Bayesian network may be used.

The learning unit 2133 may build a learning model from the sensitive data of a certain person and use it for anomaly prediction from the sensitive data of the person. It may be constructed and used for anomaly prediction from the sensitive data of those multiple persons.

The learning unit 2133 may also predict an abnormality from the log output by the network device 1000 . That is, using a machine learning model that has already been created by learning, the sensitive data, which is the log output by the network device 1000, is input. Based on this, it may be predicted whether an abnormality may occur in the near future.

(Explanation of effect)
As described above, the data management system according to Modification 1 has, in addition to the data management system according to Embodiment 1, a learning function for machine-learning device abnormalities from logs.

Such a learning function enables the proxy server to foresee anomaly before the network equipment notifies of the anomaly. Furthermore, in this modified example, since the sensitive data is managed in a database format, the information can be processed in real time, and since it is encrypted, the data can be shared by a plurality of people. Therefore, when there is a sign that a famous server has been attacked by a hacker, it is possible for other business operators to quickly grasp the fact and take countermeasures. Also, by predicting an abnormality in a network device in advance, it becomes possible to restart the network device in advance or switch to an alternative device, thereby preventing system failure.

<Modification 2 of Embodiment 1>
The data management system 3 according to Modification 2 is different in that it includes a proxy server 2200 instead of the proxy server 2000 of the data management system 1 according to the first embodiment.

, 1000-N, the proxy server 2200 acquires, encrypts, and stores in the database and storage. The proxy server 2200 also includes a reception unit that receives queries for search processing on sensitive data (logs), and a search unit that executes search processing on databases or storages according to the contents of the queries.

The configuration of the data management system 3 according to Modification 2 is similar to that of the data management system 1 according to the first embodiment, except that the proxy server 2000 replaces the proxy server 2200 . Therefore, the description of the same parts as in the first embodiment will be omitted below.

(Functional configuration of proxy server 2200)
FIG. 10 is a functional block diagram showing an example of the functional configuration of the proxy server 2200. As shown in FIG. An example of the functional configuration of the proxy server 2200 will be described with reference to FIG.

Proxy server 2200 includes communication unit 2010 , storage unit 2020 , and control unit 2230 . Communication unit 2010 and storage unit 2020 are the same as those of proxy server 2000 .

The control unit 2230 has functions as a sensitive data acquisition unit 2031 , an encryption unit 2032 , a reception unit 2234 and a search unit 2235 . Note that the sensitive data acquisition unit 2031 and the encryption unit 2032 have the same configuration as that of the proxy server 2000 .

The receiving unit 2234 receives a query for search processing for searching for a specific log from logs output by the network device 1000 . For example, to retrieve logs for a particular device, or retrieve logs for a particular error, obtain a query to perform such retrieval.

The search unit 2235 uses the query acquired by the reception unit 2234 to search the log corresponding to the query from the database 4021 and executes search processing. For example, when performing a search, the search unit 2235 uses the query and the encryption key obtained from the key management server 3000 to search the sensitive data stored in the database 4021 without decrypting it, but keeping it encrypted. The search unit 2235, for example, encrypts the query with the same encryption key and encryption method as the sensitive data (log) to be searched, and obtains search results based on the encrypted query. This encrypts the query, so you can hide what you're searching for. Also, avoid decrypting sensitive data on the system and build a robust system for security. Note that the method used for the search processing is not limited to the method described above, and an existing method may be used. Also, the proxy server 2200 decrypts the search result using the encryption key used to encrypt the query, and transmits the decrypted search result to the user terminal or the like that sent the query via a secure communication channel.

Further, if the search unit 2235 searches the database 4021 and finds no data that satisfies the search condition, the search unit 2235 may decrypt the file stored in the storage 4022 in a secure environment and execute search processing. good. Since the file stored in the storage 4022 is searched only when the search target does not exist in the database 4021, the search efficiency can be improved.

(Explanation of effect)
As described above, the data management system according to Modification 2 has, in addition to the data management system according to Embodiment 1, the function of receiving queries and performing search/aggregation of sensitive data.

With such a search function, it is possible to search and aggregate sensitive data corresponding to a query while encrypting sensitive data without decrypting it. By searching for specific sensitive data, it is possible to grasp the state of network equipment, investigate the cause of system failure, predict anomaly alerts, and determine whether to update the firmware or restart. It is possible to improve the convenience of system management such as quick determination of such as.

<Embodiment 2>
In this embodiment, the proxy server 2000 acquires the sensitive data output by the network device 1000, encrypts the sensitive data, and stores it in the database and storage. This embodiment is the same as the first embodiment in that the sensitive data stored in the storage is in a file format. This differs from the first embodiment in that files containing data are encrypted. In addition, since the sensitive data is decrypted once, it is desirable from the viewpoint of security that the file is generated not by the database server but by the proxy server.

(Configuration of data management system 1)
FIG. 11 is a diagram showing the configuration of the data management system 4 according to this embodiment. The configuration of the data management system 4 according to the second embodiment will be described with reference to FIG.

, 1000-N (N is a natural number), a proxy server 2300, a key management server 3000, and a database server 4100. The proxy server 2300 and database server 4100 different from the first embodiment will be described below.

The proxy server 2300 acquires sensitive data stored in the database 4021 for a predetermined period of time after a predetermined period of time has elapsed, converts it into a file, and stores it in the storage. At this time, the proxy server 2300 does not generate a file with the encrypted sensitive data still encrypted, but decrypts the sensitive data once and then acquires the encryption key from the key management server 3000 again. This differs from the first embodiment in that files storing sensitive data are encrypted.

Database server 4100 stores sensitive data encrypted by proxy server 2300 in a database. After a predetermined period of time has elapsed, the database server 4100 converts the sensitive data stored during the predetermined period into a file format using the proxy server 2300, and stores the data in the file format in the storage 4122 (not shown in FIG. 11, see FIG. 14). ). In addition, the subtlety data that satisfies a predetermined condition (the subtlety data other than the anomaly-indicating subtlety data and the subtlety data that precedes and follows it temporally) is deleted.

The functional configuration and processing of each server, etc., constituting the data management system 4 described above will be described below. Note that the functional blocks and processing blocks representing each functional configuration may be implemented by one or more devices, computer processors, or distributed groups of computer processors. For example, the functions performed by the proxy server 2300, the key management server 3000, and the database server 4100 may be realized by one device.

FIG. 12 is a conceptual diagram of processing according to the second embodiment. An outline of processing in the data management system 4 will be described with reference to FIG. In FIG. 12, solid-line arrows indicate the flow of processing, and broken-line arrows indicate the flow of data.

Embodiment 2 stores sensitive data, which is an encrypted log file of a communication device, in a database, deletes data that satisfies a predetermined condition after a certain period of time has elapsed, converts the sensitive data into a file, and stores the file in storage. At this time, the sensitive data is decrypted once to form a file, and the encryption key is used again to generate the encrypted file, which is different from the first embodiment.

In FIG. 12, (1) the sensitive data acquisition step, (2) the preprocessing step, and (3) the encryption step are the same as the processing in the first embodiment, so the description is omitted.

(4) File generation step The database server 4100 stores the sensitive data in an encrypted file format in the storage. The proxy server 2300 obtains an encryption key (a decryption key for decrypting sensitive data) from the key management server 3000, decrypts the sensitive data obtained from the database, and generates a file. Then, an encryption key for encrypting the file is obtained from the key management server 3000, and the file is encrypted using the encryption key. At this time, it is desirable to use different encryption keys for the encryption key for file encryption and the encryption key used for storing in the database. Further, while the first embodiment stores encrypted sensitive data in a file, the second embodiment differs in that the file itself is encrypted with respect to the file composed of the decrypted sensitive data. Proxy server 2300 stores the encrypted file in storage.

(5) Deletion step Since it is the same as the first embodiment, the description is omitted.

(Functional configuration of key management server 3000)
Since the configuration is the same as that of the key management server 3000 of the first embodiment, the description is omitted. If the proxy server 2300 uses an encryption key different from the encryption key used to store the sensitive data in the database when converting the sensitive data into a file, in addition to the key management server 3000 of the first embodiment, the file Manage keys when generating.

(Functional configuration of proxy server 2300)
FIG. 13 is a functional block diagram showing an example of the functional configuration of the proxy server 2300. As shown in FIG. An example of the functional configuration of the proxy server 2300 will be described with reference to FIG.

The control unit 2330 has functions as a sensitive data acquisition unit 2031 , an encryption unit 2032 , and a file generation unit 2336 .

A sensitive data acquisition unit 2031 and an encryption unit 2032 are the same as in the first embodiment.

The file generator 2336 acquires an encryption key (decryption key for decrypting the sensitive data) from the key management server 3000 for the sensitive data stored in the database 4021, and once decrypts the sensitive data. After decrypting the sensitive data and forming a file, the file generation unit 2336 acquires the encryption key again from the key management server 3000, encrypts the file itself, and stores the encrypted file in the storage 4122. do. Note that the order of obtaining the encryption key for encrypting the file is not limited to the above. An encryption key for decrypting sensitive data and an encryption key for encrypting a file may be obtained from the key management server 3000 at any timing, and it is desirable that both encryption keys are different.

(Functional configuration of database server 4100)

FIG. 14 is a functional block diagram showing an example of the functional configuration of the database server 4100. As shown in FIG. An example of the functional configuration of the database server 4100 will be described with reference to FIG.

Database server 4100 includes communication unit 4010 , storage unit 4120 , and control unit 4130 . Communication unit 4010 is similar to database server 4000 .

The storage unit 4120 also functions as a database 4021 and a storage 4122 .

Storage 4122 stores data generated in file format by proxy server 2300 . The data generated in this file format is generated by decrypting the sensitive data once in the proxy server 2300, generating a file, and then obtaining an encryption key from the key management server 3000 to encrypt the file. data. Therefore, the storage 4122 stores encrypted files.

The control unit 4130 is a processor such as a CPU (Central Processing Unit) that controls each function of the database server 4100 and operates based on a program stored in the storage unit 4120 in advance. A DSP (digital signal processor) or the like may be used as the control unit 4130 . Also, as the control unit 4130, a control circuit such as LSI (large scale integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or the like may be used.

Also, the control unit 4130 has a function as a deletion unit 4132 .

The deletion unit 4132 deletes sensitive data that satisfies a predetermined condition from the database 4021 after a predetermined period of time has elapsed. It has the same function as the first embodiment.

FIG. 15 is a flowchart illustrating an example of processing according to the second embodiment. Referring to FIG. 15, proxy server 2000 acquires a log output from network device 1000 as sensitive data, encrypts it, stores it in the database of database server 4100, and after a certain period of time has passed, sends predetermined data to database server 4100. The flow of storing as a file in the storage of is explained.

In step S<b>101 , the proxy server 2300 acquires sensitive data, which is the network device log, from the network device 1000 .

In step S102, proxy server 2300 encrypts the sensitive data. At this time, an encryption key for encrypting the sensitive data is acquired from the key management server 3000, and the sensitive data is encrypted using the obtained encryption key.

In step S103, the proxy server 2300 transmits the encrypted sensitive data to the database server 4100, and the database server 4100 stores the sensitive data acquired from the proxy server 2300 in the database.

In step S204, the proxy server 2300 once decrypts all sensitive data stored in the database 4021 after a predetermined period of time has elapsed. Then, the decrypted sensitive data is configured as a file, and the file itself is encrypted to generate the encrypted file. Database server 4100 stores the encrypted file in storage.

In step S105, the database server 4100 deletes sensitive data that satisfies a predetermined condition from the database after a predetermined period of time has elapsed.

<Modification of Embodiment 2>
The data management system 4 according to the second embodiment may be provided with a learning unit to learn the logs as in the first modification of the first embodiment, or may be used for searching as in the second modification of the first embodiment. You can search the logs by getting a query for

(Explanation of effect)
As described above, the data management system according to the present embodiment encrypts log data output from network devices using a predetermined encryption method and stores the encrypted data in a database. After a predetermined period of time has elapsed, data that satisfies a predetermined condition, for example, data other than the sensitive data of logs such as an error log that informs the network device 1000 of anomalies and peripheral logs are deleted, and the sensitive data is filed and stored in the storage. Remember. At this time, the sensitive data is decrypted once, and the file itself including the sensitive data is encrypted and stored in the storage.

The data management system according to this embodiment is similar to the first embodiment in that it enables high-speed searches by storing logs in a database format. In addition, by encrypting the file itself, it becomes possible to decrypt all the sensitive data in the file with one decryption of the file. Sensitive data can be easily decrypted compared to the first embodiment in which all sensitive data in a file cannot be decrypted unless all sensitive data is decrypted. This provides an advantage over the first embodiment in that it is suitable for using and searching data in the decoding area.

<Embodiment 3>
In this embodiment, the proxy server 2400 acquires sensitive data output from the network device 1000, encrypts it, and stores it in the database and storage. The proxy server 2400 differs from the first and second embodiments in that the encrypted sensitive data is stored in the database, and in parallel, a file is generated from the obtained sensitive data and stored in the storage.

(Configuration of data management system 5)
FIG. 16 is a diagram showing the configuration of the data management system 5 according to this embodiment. The configuration of the data management system 5 according to the third embodiment will be described with reference to FIG. 16 .

, 1000-N (N is a natural number), a proxy server 2400, a key management server 3000, and a database server 4100. 16, network devices 1000-1, 1000-2, . A specific example of the network NW is the same as in the first embodiment.

Points that are particularly different from the first embodiment will be described below. The proxy server 2400 acquires the log from the network device 1000 as sensitive data, performs preprocessing as necessary to make it suitable for storage in the database and storage of the database server 4100, encrypts the sensitive data, and then encrypts the sensitive data to the database server. 4100 database. At the same time, proxy server 2400 generates a file of encrypted sensitive data, or generates a file storing sensitive data before encryption, encrypts it, and stores it in the storage of database server 4100.

The database server 4100 according to the third embodiment stores sensitive data encrypted by the proxy server 2400 in a database. At the same time, a file storing sensitive data encrypted by the proxy server 2400 or an encrypted file storing sensitive data before encryption is stored in the storage. That is, the database server 4100 according to the third embodiment has functions similar to those of the first and second embodiments in that encrypted sensitive data is stored in the database and files are stored in the storage. The difference is that the files are also stored in the storage in parallel with the storage.

The functional configuration and processing of each server, etc., constituting the data management system 5 described above will be described below. Note that the functional blocks and processing blocks representing each functional configuration may be implemented by one or more devices, computer processors, or distributed groups of computer processors. For example, the functions performed by the proxy server 2400, the key management server 3000, and the database server 4100 may be realized by one device.

FIG. 17 is a conceptual diagram of processing according to the third embodiment. An outline of processing in the data management system 5 will be described with reference to FIG. In FIG. 17, solid-line arrows indicate the flow of processing, and broken-line arrows indicate the flow of data.

In the third embodiment, the proxy server 2400 encrypts the sensitive data, which is the log of the communication device, and stores it in the database. After converting the previous sensitive data into a file format, the encrypted file is stored in the storage. The database server 4100 differs from Embodiment 1 or Embodiment 2 in that it stores sensitive data in a database and also stores files in storage in parallel.

(1) Sensitive data acquisition step, (2) preprocessing step (not shown in FIG. 17), and (3) encryption step are the same as the processing in the first embodiment, so description thereof will be omitted.

(4) File generation step The proxy server 2400 stores the encrypted sensitive data in a file format in the storage, or encrypts the file storing the non-encrypted sensitive data, and stores the encrypted file in the storage. memorize to At this time, the sensitive data is stored in the database, and a file storing the sensitive data is stored in the storage in parallel. In Embodiments 1 and 2, the sensitive data is stored in the storage in a file format after the lapse of a predetermined period of time. They are different in terms of memorization.

(5) Deletion step Since it is the same as the first embodiment, the description is omitted.

(Functional configuration of proxy server 2400)
FIG. 18 is a functional block diagram showing an example of the functional configuration of the proxy server 2400. As shown in FIG. An example of the functional configuration of the proxy server 2400 will be described with reference to FIG.

The control unit 2430 has functions as a sensitive data acquisition unit 2031 , an encryption unit 2032 , and a file generation unit 2436 .

A sensitive data acquisition unit 2031 and an encryption unit 2032 are the same as in the first embodiment.

The file generation unit 2436 encrypts the sensitive data by the encryption unit 2032 and stores the encrypted sensitive data in a file to generate a file, or stores unencrypted sensitive data in a file. Generates a file in which the file itself is encrypted and stores it in storage. This embodiment differs from Embodiment 1 or 2 in that the sensitive data is stored in the database and also stored in the storage in a file format at the same time.

(Functional configuration of key management server 3000)
Since the configuration is the same as that of the key management server 3000 of the first embodiment, the description is omitted. When the proxy server 2300 encrypts a file and uses an encryption key different from the encryption key used for storing in the database, the file is generated in addition to the key management server 3000 of the first embodiment. manage keys when

(Functional configuration of database server 4100)

The functional configuration of the database server 4100 is the same as the database server 4100 (see FIG. 14) in the second embodiment.

The storage unit 4120 has functions as a database 4021 and a storage 4122 .

The storage 4122 stores data obtained by encrypting a file storing encrypted sensitive data or a file storing non-encrypted sensitive data.

The control unit 4130 has a function as a deletion unit 4132 .

The deletion unit 4132 deletes sensitive data that satisfies a predetermined condition from the database 4021 after a predetermined period of time has elapsed. It has the same function as the first embodiment.

19 is a flowchart illustrating an example of processing according to the third embodiment; FIG. Referring to FIG. 19, proxy server 2400 acquires the log output from network device 1000 as sensitive data, encrypts it, and stores it in the database of database server 4100. At the same time, sensitive data in file format is stored in the storage. I will explain the flow.

In step S<b>101 , the proxy server 2400 acquires sensitive data, which is the network device log, from the network device 1000 .

In step S102, proxy server 2400 encrypts the sensitive data. At this time, an encryption key for encrypting the sensitive data is acquired from the key management server 3000, and the sensitive data is encrypted using the obtained encryption key.

In step S103, the proxy server 2400 transmits the encrypted sensitive data to the database server 4100, and the database server 4100 stores the sensitive data acquired from the proxy server 2400 in the database.

In step S204, the proxy server 2400 creates a sensitive data file. At this time, the file may be generated by storing the encrypted sensitive data in a file, or by storing the unencrypted sensitive data in a file and then encrypting the file. good too.

In step S<b>205 , proxy server 2400 stores the sensitive data file in the storage of database server 4100 .

In step S106, the database server 4100 deletes sensitive data that satisfies a predetermined condition from the database after a predetermined period of time has elapsed.

<Modification of Embodiment 3>
The data management system 5 in Embodiment 3 may be provided with a learning unit to learn the log as in Modification 1 of Embodiment 1, or may acquire a search query as in Modification 2. , you may search the logs.

(Explanation of effect)
As described above, the data management system according to this embodiment encrypts the log output by the network device using a predetermined encryption method and stores it in the database. In addition to storing in the database, the information is also stored in a file format in the storage. The file format stored in the storage may consist of a file that stores encrypted sensitive data, or may be an encrypted file that constitutes non-encrypted sensitive data. Further, after a predetermined period of time has passed, sensitive data satisfying a predetermined condition, for example, sensitive data other than sensitive data of logs notifying an abnormality of the network device 1000 such as an error log and peripheral logs are deleted from the database.

The data management system according to this embodiment is similar to the first embodiment in that it enables high-speed searches by storing logs in a database format. In addition, by storing the sensitive data in the database and also in the storage in a file format at the same time, all the logs are always stored in the storage, and it is possible to have a configuration that is resistant to failures in the database server. In addition, since the sensitive data can be stored in the storage in a file format without decoding the sensitive data stored in the database, the sensitive data can be efficiently stored in the storage.

In Embodiments 1 to 3 and their modifications, the capacity that can be stored in the database 4021 is large, and there is no problem in storing all sensitive data in the database 4021 from a technical and economic point of view. In this case, the sensitive data may not be deleted from the database 4021 . Further, in this case, since the sensitive data are all stored in the database, it is not necessary to store the sensitive data in a file format in the storage.

In the above-described embodiment, the log is described as data output from the device, but it is not limited to the output from the device, and may be data related to actions such as the access history to the employee's device. . By utilizing such data, it is possible to predict the possibility of information leaks from unauthorized behavior of employees.

The above embodiment can be implemented in various other forms, and various omissions, replacements, and modifications can be made without departing from the scope of the invention. These embodiments and their modifications are intended to be included in the invention described in the claims and their equivalents as well as included in the scope and gist of the invention.

1, 2, 3, 4, 5 data management system, 2031 sensitive data acquisition unit, 2032 encryption unit, 2133 learning unit, 2234 reception unit, 2235 search unit, 2336, 2436 file generation unit, 3031 key management unit, 4021 database , 4022, 4122 storage, 4031 file generation unit, 4032, 4132 deletion unit, 9001 computer.

Claims (8)

A data management system comprising a key management server, a proxy server, a database, and a storage,
The key management server manages encryption keys,
The proxy server
a sensitive data acquisition unit that acquires sensitive data including attribute values corresponding to attribute items ;
an encryption unit that encrypts the sensitive data for each attribute value based on the encryption key;
a file generation unit for generating a file in a predetermined file format for the sensitive data in the proxy server, which is acquired by the sensitive data acquisition unit;
a receiving unit that receives queries for search processing regarding the attribute values of the sensitive data;
a search unit that executes the search process ,
The database stores the sensitive data encrypted by the encryption unit in a database format,
the storage stores the file generated by the file generation unit ;
Based on the query received by the receiving unit, the search unit executes the search processing on the database while the sensitive data is still encrypted, and the sensitive data that satisfies the conditions of the query is not found in the database. , executing the search process for the storage according to
Data management system. 2. The data management system according to claim 1, wherein said predetermined file format includes a format in which said sensitive data is filed in an encrypted state. 3. The data management system according to claim 1, wherein said predetermined file format includes a format obtained by encrypting a file of said sensitive data. The file generating unit generates a file in the predetermined file format for the sensitive data acquired in a predetermined period by the sensitive data acquiring unit,
Claims 1 to 3, wherein the process of storing the sensitive data encrypted by the encryption unit in the database and the process of storing the file generated by the file generation unit in the storage are performed in parallel. 4. The data management system according to any one of 3. 5. The data management system according to claim 4, further comprising a deletion unit that deletes from said database sensitive data that satisfies a predetermined condition among sensitive data stored in said database. 6. The data management system according to any one of claims 1 to 5 , further comprising a learning unit that performs machine learning based on sensitive data stored in said database. In a data management system comprising a key management server, a proxy server, a database, and a storage,
the key management server managing encryption keys;
the proxy server acquiring sensitive data including attribute values corresponding to attribute items ;
the proxy server encrypting the sensitive data for each attribute value based on the encryption key;
a step in which the proxy server generates a file in a predetermined file format for the acquired sensitive data in the proxy server;
a step in which the proxy server receives a query for search processing regarding the attribute value of the sensitive data;
the proxy server executing the search process;
the database storing the sensitive data encrypted in the encrypting step in a database format;
the storage storing the generated file;
with
In the step of executing the search process,
Based on the received query, the proxy server performs the search processing on the database while encrypting the sensitive data, and responds to the fact that the database does not contain sensitive data that satisfies the conditions of the query. , the data management method, wherein the search processing is executed on the storage . A data management program for causing a computer to execute the data management method according to claim 7 .

Images