GB2363237A - Integrated security system - Google Patents

Publication number
GB2363237A
Authority
GB
United Kingdom
Prior art keywords
log
computer
entry
collated
facilities
Legal status
Withdrawn
Application number
GB0014110A
Other versions
GB0014110D0 (en)
Inventor
Simon Robert Wiseman
Current Assignee
Qinetiq Ltd
UK Secretary of State for Defence
Original Assignee
Qinetiq Ltd
UK Secretary of State for Defence
Application filed by Qinetiq Ltd, UK Secretary of State for Defence
Priority to GB0014110A
Publication of GB0014110D0
Priority to PCT/GB2001/002521 (WO2001097177A1)
Publication of GB2363237A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/27 Individual registration on entry or exit involving the use of a pass with central registration
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect

Abstract

An integrated security system 10 includes at least two sets of access-controlled facilities, each set having at least one individual facility, such as a door 18 or computer 20, and means for generating a record of entry and exit events for individual facilities within that set, the system also having means for collating the records to produce at least one time-ordered log 36 of entry and exit events which is analysed to detect unauthorised use of the facilities.

Description

INTEGRATED SECURITY SYSTEM

The invention relates to an integrated security system.
Physical access controls, for example electronic door locks, are frequently employed to improve security for buildings and other environments. For example, use of a door having an electronic door lock may be restricted by requiring a user to pass a swipe card through a detector located near the door and to provide a personal identification number (PIN). Also, use of computer workstations within a building or other environment is often restricted to authorised users by means of passwords. Typically, a password unique to a particular user must be entered at a computer workstation before that workstation may be used. These two types of access control, i.e. physical access control and computer access control, are commonly used within businesses and other organisations to improve security. However, electronic door locks are prone to failure as a result of the practice commonly known as "tailgating", in which a door is opened legitimately by an authorised user, and an intruder follows the authorised user through the door before it closes. Furthermore, because physical access controls and computer access controls are implemented independently, and may even be administered by different departments within an organisation, the detection of instances of actual or potential security breaches is inefficient. For example, suppose an authorised user is noted by a computer access control system as having logged-on to a computer workstation, using a password 'X', in a room having a physical access control system, but the physical access control system has generated no record corresponding to the user having password X entering the room. This may correspond to the user having password X tailgating into the room (possibly in violation of a security procedure), or it may correspond to another authorised user entering the room and logging-on to a computer workstation using the password X, i.e. a password that is not his own (again possibly in violation of a security procedure). Alternatively it may correspond to an intruder entering the room by tailgating and logging-on to a computer workstation using the password X which has been stolen or disclosed in a breach of security. Thus, although there may have been a breach of security or a violation of security procedure, no alarm is raised because of separate management of physical access controls and computer access controls.
It is an object of the invention to provide an alternative security system.
The present invention provides an integrated security system comprising at least two sets of access-controlled facilities, each set having at least one individual facility, and means for generating, for a given set, a record of entry and exit events for individual facilities within that set, wherein the system further comprises means for collating the records to produce at least one collated time-ordered log of entry and exit events and analysing means for analysing the at least one collated time-ordered log to detect unauthorised use of the access-controlled facilities or potential for such use.
The invention provides the advantage that certain instances of unauthorised use of access-controlled facilities may be detected, such instances being undetectable by separate analysis of records of access events from each set of facilities. In particular, incidences of "tailgating" may be detected. This practice may therefore be discouraged without the need for more expensive physical access controls, such as special turnstiles that physically constrain entry to a secure area to one person at a time.
In another aspect, the invention provides a method of detecting actual or potential instances of unauthorised use of access-controlled facilities including the steps of
(i) recording entry and exit events relating to the facilities;
(ii) generating at least one collated time-ordered log of the entry and exit events;
(iii) analysing the at least one collated time-ordered log to detect logical inconsistencies therein.
In order that the invention may be more fully understood, embodiments thereof will now be described, by way of example only, with reference to the accompanying drawings in which:
Figure 1 shows a schematic representation of an integrated security system of the invention;
Figure 2 is a flow chart representing operation of log daemon software which is run on the Figure 1 system;
Figure 3 is a flow chart representing operation of log collation software which is run on the Figure 1 system;
Figure 4 is a flow chart representing operation of log analysis software which is run on the Figure 1 system;
Figure 5 illustrates a secure link between parts of the Figure 1 system; and
Figure 6 shows a schematic representation of an alternative integrated security system of the invention.
Referring to Figure 1, there is shown a schematic representation of an integrated security system of the invention, indicated generally by 10. The system 10 is an integrated security system for a building (not shown). The building has one or more controlled rooms to which entry is restricted by means of controlled doors 18. A user of the building wishing to gain entry to such a controlled room must provide valid identification, for example a swipe card and a personal identification number (PIN). One or more of the controlled rooms have access-controlled computer workstations 20 and a user must log on to a workstation using a password unique to that user in order to use it. In addition to the controlled doors 18 and the access-controlled computer workstations 20, the integrated security system 10 further comprises a door control computer 12, a server computer 14 and an audit computer 16. The door control computer 12 receives data from the controlled doors 18 corresponding to instances of use of the doors. The server computer 14 receives data from the access-controlled computer workstations 20 corresponding to log-on and log-off events.

The door control computer 12 runs door control software 22 which allows a door to be opened when a user presents valid identification, for example a swipe card and PIN, and establishes the identity of the user. The door control software 22 stores a record of entry and exit events in a log file 24 corresponding to users entering and leaving controlled rooms. Each entry event recorded in the log file 24 comprises an entry time and a user identifier, for example, the user's PIN. Door control software such as 22 is commercially available.
The server computer 14 runs user identification software 28 which records log-on and log-off events in a log file 30. Each log-on or log-off event recorded in the log file 30 comprises data to indicate whether the event is a logging-on or a logging-off, and a user identifier, for example the user's name. A log-on event may be regarded as entry to a computer workstation, and a log-off event may be regarded as exit from a computer workstation. User identification software such as 28 is commercially available, typically as part of an operating system.

The door control computer 12 and the server computer 14 run log daemon software applications 26, 32 which extract information from the log files 24, 30 and periodically send it to the audit computer 16 over computer links 15.
Referring to Figure 2, there is shown a flow diagram representing operation of the log daemon software applications 26, 32. The applications 26, 32 have six principal steps, 40 to 45. These software applications may be easily written by those skilled in the art of computer programming and each operates as follows. A log file is opened (step 41), a batch of data entries corresponding to data gathered by the door control software 22 or user identification software 28 (as the case may be) is read and formatted into a message (step 42), a connection is made to the audit computer 16 (step 43) and the message is sent (step 44). Data entries corresponding to the batch of data are then erased from the log file (step 45). An initial step (40) provides a time delay if steps 41 or 43 cannot be executed immediately, for example if data is being written to the log file at the same time. Another batch of data entries is read from the log file after a specified time period.
The audit computer 16 runs log collation software 34 and log analysis software 38. Referring to Figure 3, there is shown a flow diagram representing operation of the log collation software 34, which creates a collated time-ordered log file 36 into which data from log files 24 and 30 are entered in the time-order in which they are generated. The log collation software 34 has four principal steps 46 to 49 and operates as follows. A message created and sent by log daemon software 26, 32 is received by the audit computer 16 (step 46). The collated log file 36 is opened (step 47) and a data entry within the message is added to it in chronological order. Other data entries in the message are dealt with likewise. In the event that the collated log file 36 cannot be opened immediately, for example if it is in use by the log analysis software 38, a delay in execution is provided (step 48) before another attempt is made to open the collated log file 36. The audit computer 16 also maintains a status file 37 which holds data regarding users' current physical and log-on locations and which is updated during execution of the log analysis software 38.
Referring to Figure 4, there is shown a flow diagram representing operation of the log analysis software 38, which examines data held in the collated log file 36 and modifies the status file 37. The log analysis software 38 has steps 50 to 65 and operates as follows. The status file 37 is first initialised (step 50), i.e. initial information regarding users' physical and log-on locations is stored in the status file 37. The collated log file 36 is opened (step 51), an entry in the collated log file 36 is read (step 53), and it is established whether the entry corresponds to a log-on event, a log-off event or a door entry event (steps 55, 56 and 57). If the collated log file 36 cannot be opened immediately, for example if data is being written to it at the same time, a delay is introduced (step 52) before another attempt to open it is made. If all entries in the collated log file 36 have been processed, the log analysis software 38 ceases execution of steps 55 - 65 (step 54) until further data is entered in the collated log file 36.
If the entry corresponds to a user logging on to a computer workstation (a log-on event) the log analysis software 38 establishes whether a password used in the corresponding logging-on event has previously been used to log-on at a computer workstation which is still active, i.e. still logged-on (step 58). If this is the case, an alarm signal is generated (step 65). If not, the room containing the computer workstation at which the user is logged on is noted by updating the status file (step 62), and from previous entries in the collated log file 36, it is established whether or not that user is physically in the room containing that workstation (step 63). If the user is not physically in that room, an alarm signal is generated (step 65) and the log analysis software reads the next entry in the collated log file 36 (step 53). Otherwise the next entry in the collated log file 36 is read without first raising an alarm.
If the entry corresponds to a user logging-off a computer workstation, the fact that the user has logged out is noted by updating the status file 37 (step 59), and the next entry in the collated log file 36 is read (step 53).
If the entry corresponds to a user physically leaving a first room and entering a second room, it is established whether or not that user is currently recorded in the status file 37 as being in the first room (step 60). If this is not the case, an alarm signal is generated (step 61) as this indicates that the user has tailgated into the first room. The new location of the user is noted (step 64) in any case, i.e. the status file 37 is updated to reflect the user's new location whether or not an alarm is raised. The next entry in the collated log file 36 is then read (step 53).
The log analysis software 38 continues to examine entries in the collated log file 36 until all such entries have been examined, and then waits until further data is provided to the collated log file 36.
The integrated security system 10 therefore generates alarm signals in three circumstances:
(i) when a password is used to log-on to a workstation when another workstation is already logged-on with that password;
(ii) when a user is not physically in a room containing a workstation which has been activated by a logging-on event in which that user's password was used; and
(iii) when a user is not noted in the status file 37 as being physically in a room when a record of that user leaving that room is generated.
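The collation and analysis steps described above can be sketched as follows. This is an added example, not code from the patent: the event layout, the alarm names, the sample records and the assumption that door and log-on records already share one user identifier are all constructed for illustration.

```python
import heapq
from typing import NamedTuple


class Event(NamedTuple):
    time: int   # seconds since midnight (constructed values)
    kind: str   # "door", "logon" or "logoff"
    user: str   # assumed: both logs already use one shared identifier
    room: str   # door: room entered; logon/logoff: room holding the workstation
    extra: str  # door: room left; logon/logoff: workstation name


# Constructed sample records; each source log is time-ordered on its own.
DOOR_LOG = [
    Event(100, "door", "alice", "lab", "corridor"),
    Event(400, "door", "bob", "corridor", "lab"),   # no record of bob entering
]
LOGON_LOG = [
    Event(150, "logon", "alice", "lab", "ws1"),
    Event(200, "logon", "bob", "lab", "ws2"),       # bob is recorded in corridor
    Event(300, "logon", "alice", "office", "ws3"),  # ws1 session still active
    Event(350, "logoff", "alice", "lab", "ws1"),
]
INITIAL_LOCATIONS = {"alice": "corridor", "bob": "corridor"}


def collate(*logs):
    """Merge the per-source logs into one time-ordered log (collation step)."""
    return list(heapq.merge(*logs, key=lambda ev: ev.time))


def analyse(collated, initial_locations):
    """Walk the collated log, keep per-user status, return alarms in order."""
    location = dict(initial_locations)  # status: user -> room
    sessions = {}                       # status: user -> (workstation, room)
    alarms = []
    for ev in collated:
        if ev.kind == "logon":
            if ev.user in sessions:
                # Alarm (i): credential already active on a workstation.
                alarms.append((ev.time, "DUPLICATE_LOGON", ev.user))
                continue
            sessions[ev.user] = (ev.extra, ev.room)
            if location.get(ev.user) != ev.room:
                # Alarm (ii): log-on in a room the user is not recorded in.
                alarms.append((ev.time, "LOGON_WITHOUT_ENTRY", ev.user))
        elif ev.kind == "logoff":
            # Only clear the session this log-off actually belongs to.
            if sessions.get(ev.user, (None, None))[0] == ev.extra:
                del sessions[ev.user]
        elif ev.kind == "door":
            if location.get(ev.user) != ev.extra:
                # Alarm (iii): leaving a room with no record of being in it.
                alarms.append((ev.time, "EXIT_WITHOUT_ENTRY", ev.user))
            location[ev.user] = ev.room  # updated whether or not an alarm fired
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
    return alarms


if __name__ == "__main__":
    for alarm in analyse(collate(DOOR_LOG, LOGON_LOG), INITIAL_LOCATIONS):
        print(alarm)
```

Only the door log's exit record for bob is visible to the door system on its own; the log-on without entry at time 200 appears only once the two logs are merged.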
Referring now to Figure 5, there is shown an alternative computer link for connecting the door control computer 12 to the audit computer 16. Data is passed from the door control computer 12 to the audit computer 16 via a fibre optic cable 11. There is no link in the reverse direction so that it is not possible for information regarding security generated by the audit computer 16 to be passed back to the door control computer 12. The fibre optic cable 11 is therefore a one-way data link. A similar link may also be provided between the server computer 14 and the audit computer 16 so that security information generated by the audit computer 16 cannot be passed back to the server computer 14 or computer workstations 20. If one-way links are used both between the door control computer 12 and the audit computer 16 and also between the server computer 14 and the audit computer 16, data cannot pass between the door control computer 12 and the server computer 14, providing additional security. Such one-way data links are of value where the door control computer 12 and/or the server computer 14 are operated by entities that are not trusted to handle security information generated by the audit computer 16.
Referring now to Figure 6, there is shown an alternative integrated security system of the invention indicated generally by 100. The system 100 comprises a door control computer 112, a server computer 114, an intermediate log computer 113, an application log computer 117, a first audit computer 116A and a second audit computer 116B. The door control computer 112 has a log file 124 and runs door control and log daemon software applications 122, 126 respectively. The server computer 114 has a log file 130 and runs user identification and log daemon software applications 128, 132 respectively. The first and second audit computers 116A, 116B have collated log files 136A, 136B and status files 137A, 137B and run log collation software 134A, 134B and log analysis software 138A, 138B. The intermediate log computer 113 has a collated log file 119 and runs log collation and log daemon software 123, 127. The application log computer 117 has a log file 121 and runs log daemon software 129.
The system 100 operates as follows. Data entries in the log files 124, 130 are passed over links 115A, 115B to the intermediate log computer 113 in the manner described previously. The intermediate log computer 113 collates data entries from the log files 124, 130 and stores them in the collated log file 119. Data entries in the collated log file 119 are provided by the log daemon software 127 to the first and second audit computers 116A, 116B over links 115C, 115D. The application log computer 117 stores log entries in a log file 121 which correspond to instances of use of software applications available on the computer workstations 20. For example, instances of a user operating e-mail and database software applications may be recorded in the log file 121. Data entries stored in the log file 121 are provided by the log daemon software 129 to the second audit computer 116B over a link 115E. The first audit computer 116A runs log analysis software 138A on entries in the collated log file 136A to search for inconsistencies in data entries originating from the door control computer 112 and the server computer 114. Updated information regarding users' current physical and log-on locations is maintained in the status file 137A. Data provided over links 115D, 115E are collated by the second audit computer 116B and stored in the collated log file 136B. Log analysis software 138B analyses entries in the collated log file 136B to search for inconsistencies in data entries arising from the door control computer 112, the server computer 114 and the application log computer 117.
Updated information regarding users' current physical and log-on locations, and their use of software applications available on computer workstations such as 120, is maintained in the status file 137B.
The first audit computer 116A examines data entries arising from the log files 124 and 130, and the second audit computer 116B examines data entries arising from the log files 124, 130 and 121. The system 100 therefore facilitates the raising of alarms on the basis of examination of different sets of information. Furthermore, the bandwidth requirement of the system 100 is less than would be the case if the door control, server and application log computers 112, 114, 117 were each connected to a single audit computer.

Claims (3)

1. An integrated security system comprising at least two sets of access-controlled facilities, each set having at least one individual facility, and means for generating, for a given set, a record of entry and exit events for individual facilities within that set, wherein the system further comprises means for collating the records to produce at least one collated time-ordered log of entry and exit events and analysing means for analysing the at least one collated time-ordered log to detect unauthorised use of the access-controlled facilities or potential for such use.
2. A method of detecting actual or potential instances of unauthorised use of access-controlled facilities including the steps of
(i) recording entry and exit events relating to the facilities;
(ii) generating at least one collated time-ordered log of the entry and exit events;
(iii) analysing the at least one collated time-ordered log to detect logical inconsistencies therein.
3. A computer program product comprising a medium on which or in which is recorded a program which, when executed, will perform the method claimed in claim 2.
GB0014110A 2000-06-10 2000-06-10 Integrated security system Withdrawn GB2363237A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
GB0014110A GB2363237A (en) 2000-06-10 2000-06-10 Integrated security system
PCT/GB2001/002521 WO2001097177A1 (en) 2000-06-10 2001-06-08 Integrated security system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0014110A GB2363237A (en) 2000-06-10 2000-06-10 Integrated security system

Publications (2)

Publication Number Publication Date
GB0014110D0 GB0014110D0 (en) 2000-08-02
GB2363237A true GB2363237A (en) 2001-12-12

Family

ID=9893332

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0014110A Withdrawn GB2363237A (en) 2000-06-10 2000-06-10 Integrated security system

Country Status (2)

Country Link
GB (1) GB2363237A (en)
WO (1) WO2001097177A1 (en)

Also Published As

Publication number Publication date
WO2001097177A1 (en) 2001-12-20
GB0014110D0 (en) 2000-08-02

Legal Events

Date Code Title Description
COOA Change in applicant's name or ownership of the application
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)