JP2002108659A - Method for collecting data access history and apparatus for the same - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method and device for collecting the history of data access capable of collecting an access log, and for analyzing the collected log. SOLUTION: This device is provided with: a log information managing means for periodically collecting log data; a monitoring means for realizing data analysis when a designated significant file is accessed; a filtering means for selecting the collected data, and for switching a condition to that for collecting the log data related with the accessed file cooperatively with another computer having a function being different from the pertinent computer when the designated significant file is accessed; and a collected data analyzing means for automatically switching the condition to an analytic condition suitable for the accessed file when the designated significant file is accessed.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data access history collecting method and a data collecting apparatus, and more particularly to a data access history collecting method and a data collecting apparatus for collecting an access log and analyzing the collected log.

[0002]

2. Description of the Related Art As a conventional technique related to data access history collection, for example, a technique described in Japanese Patent Application Laid-Open No. 8-106408 is known. This conventional technique collects and manages operation information access logs, collects access logs in real time and accumulates them in a specified storage area. In this case, log information is collected so that the collected data can be easily searched. Are classified, processed and accumulated.

[0003]

The prior art described above is
There is a problem that the load of management of access log information increases when the amount of access log information is enormous without considering the burden of managing access log information.

[0004] Further, the above-mentioned prior art does not take into account an increase in the amount of resources used or the burden on an administrator by accumulating collected data in a plurality of files according to data types. For this reason, in the above-described conventional technology, when the timing of analyzing the collected data is inappropriate, when the data storage format wraps around, for example, the data to be analyzed is lost due to the disappearance of the data effective for the analysis. In particular, when information is leaked due to an illegal access in the field of EC in recent years, log data such as Web wraps around, and data effective for analyzing the illegal access is analyzed. There is a problem that the data is overwritten by invalid data and analysis becomes insufficient.

Further, in the above-mentioned prior art, since the analysis conditions are uniform, it becomes difficult to apply appropriate analysis conditions at appropriate timing, and it becomes impossible to obtain more detailed analysis results. There is a problem that it is. That is, in the above-described conventional technology, when an important file such as a personal identification number management file of a financial institution is accessed for data to be analyzed, information indicating a use state of the computer in a time zone near the access time is obtained. Analysis such as extracting only information that is useful for analysis with information indicating the usage status of multiple other computers that can communicate with the computer that accessed the important file, and collecting information along with information on the accessed important file By collecting the target data from multiple and wide areas, for example, it is not possible to perform more detailed data analysis such as tracking the route of an unauthorized access user and analyzing the behavior when an unauthorized access occurs. Have.

SUMMARY OF THE INVENTION An object of the present invention is to solve the above-mentioned problems of the prior art, to reduce the burden on a computer or an administrator in collecting and managing logs, and to provide access as data used for analysis. In addition to the generated file information, it is also possible to collect log data output by systems and applications related to the access generated file on the same computer or other computers connected via the network, so that more detailed and thorough data can be collected. It is an object of the present invention to provide a data access history collection method and apparatus that can be analyzed.

[0007]

According to the present invention, there is provided a data access history collection method for a computer system, wherein when data in a file of the computer system is accessed, a history collection condition definition is referred to. Determine whether the file is defined in the history collection condition definition, if defined, collect the data access history, and, as related data related to the data, the data in the file Information indicating the use status of the computer that caused the access to the file in a time zone near the time of access, and the use status of a plurality of other computers that can communicate with the computer that caused the access to the file This is achieved by collecting information indicating the like.

[0008] Further, the object is to provide a data access history collection device for a computer system, which stores history collection conditions defining a file for collecting data access history when data in a file of the computer system is accessed. A storage unit, an access history collection unit that collects a data access history of a file by referring to a history collection condition stored in the storage unit when a file of the computer system is accessed, and accesses a usage state of the computer and the file. Means for collecting a data access history of related data related to the data, which is a usage state of a computer different from the computer having the data, and a means for filtering the data; Means to switch to appropriate conditions with A means for switching the filtering conditions of another computer having a security monitoring function to an appropriate condition at an appropriate timing, and a means for changing the conditions for analyzing a file to be subjected to data analysis. It is achieved by further providing.

[0009]

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a block diagram showing an embodiment of a data access history collecting method and a data collecting apparatus according to the present invention.

FIG. 1 is a block diagram showing a configuration on a network of a system to which a data access history collection device according to one embodiment of the present invention is applied, and FIG. 2 is a data access history collection according to one embodiment of the present invention. FIG. 3 is a block diagram showing the configuration of a system to which the apparatus is applied, FIG. 3 is a diagram for explaining the structure of a data table in which collected data is edited for data analysis, and FIG. 4 stores conditions for selecting collected data. FIG. 5 is a diagram illustrating the structure of a condition table, and FIG. 5 is a diagram illustrating the structure of a security monitoring unit management table. 1 and 2, reference numerals 101, 104 and 107 denote OSs, 102 denotes a security processing unit, 103 and 106 denote security monitoring units, 105 and 108 denote applications, 201 and 214 denote terminals, 205 denotes periodic collection data management units, and 206 Is a file to be collected periodically, 207 is a designated file monitoring unit, 208 is a designated file, 209 is a filtering condition table, 210 is a collected data filtering unit, 211 is a collected data management unit, 212 is a collected file, 213 and 218 are data transmission units. 217, a data receiving unit; 219, a security information file storage unit;
20 is a security information file, 221 is a security information analysis unit, and 222 is a security monitoring unit management table.

As shown in FIG. 1, a system to which a history collection device according to an embodiment of the present invention configured on a network is applied includes an OS 101 and a security processing unit 10.
A having the OS 2 and the computer B having the OS 104, the application 105, and the security monitoring unit 103
As with the computer B, an OS 107, an application 108, and a computer C having a security monitoring unit 106 are housed on a network. In addition,
Many computers similar to the computers A and B may be accommodated on the network. Then, the security processing unit 102 of the computer A sends the other computers A, B,.
.. Can be managed.

As shown in FIG. 2, the minimum configuration of the data access history collection apparatus according to one embodiment of the present invention is as follows: a terminal 201, an OS 104, an application 105, a computer B having a security monitoring unit 103;
4, the computer 101 having the OS 101 and the security processing unit 102. The computer A and the computer B communicate with each other. And computer A
Has the terminal 214, the security monitoring unit management table 2
22, a security information file 220 is connected, and the computer B is connected to a terminal 201, a periodic collection file 206, a designated file 208, a filtering condition table 209, and a collected data file 212.

In FIG. 2, a security monitor 103
Is composed of a periodic collection data management unit 205, a designated file monitoring unit 207, a collection data filtering unit 210, a collection data management unit 211, and a data transmission unit 213 to the security processing unit. And the terminal 20
1 designates a file name of the periodic collection target file 206 and a designated file 208 to the security monitoring unit 103.
Define and enter the file name and filtering conditions. The periodic collection target file 206 is the designated file 2
08 is a file for storing collected data necessary when an access is made to the server 08 and the analysis is performed.
4 and a file that stores a log of related data output by the application 105. Where the relevant data is
This is information indicating the usage status of the computer in a time zone near the access time, and usage information of a plurality of other computers that can communicate with the computer that has generated access to the important file. In addition, the information indicating the usage status of the computer in the time zone near the access time described above includes user login information indicating what user was logged in to the computer in the time zone, trace log information of the specified file, System log information. The information indicating the usage status of a plurality of other computers that can communicate with the computer that generated the access to the important file includes not only the computer from which the regularly collected file, which is related data, accessed the important file, but also that computer. And those of a plurality of other computers that can communicate with it.

The designated file 208 is a file whose access status is to be monitored. For example, the designated file 208 is a file in which important data such as a password number file of a financial institution is stored. The filtering condition is a condition used by the collected data filtering unit 210.

When the file name of the specified file is defined from the terminal 201, the data transmission unit 213 to the security processing unit transmits the file name information of the specified file to the data reception unit 217 of the computer A. The data receiving unit 217 of the computer A sends the received specified file name information together with the information of the transmission source computer to the security monitoring unit management table 22.
2 is stored. The structure of the security monitoring unit management table 222 will be described later with reference to FIG. The filtering condition definition screen will be described later with reference to FIG. 12, and the structure of the filtering condition table 209 created by defining the filtering condition will be described later with reference to FIG.

The periodically collected data management unit 205 collects the periodically collected files 206, edits the collected data, and transmits the edited data to the collected data filtering unit 210.
The processing operation of the periodic collection data management unit 205 will be described later with reference to the flowchart shown in FIG.

The designated file monitoring unit 207 monitors the designated file 208. When an access to the designated file occurs, the designated file monitoring unit 207 transmits the access information to the collected data filtering unit 210, and sends an access occurrence notification to the collected data management unit 211. The periodic collection data management unit 205 transmits the data to the data transmission unit 218 to the security monitoring unit of the computer A. The processing operation of the designated file monitoring unit 207 will be described later with reference to the flowchart shown in FIG.

When the data transmission unit 218 of the computer A receives the specified file access notification from the computer B, the data transmission unit 218 searches the security monitoring unit management table 222 and collects relevant data related to the specified file accessed in the computer B. Recognizing the computer that is performing the request, the designated file monitoring unit 207 of all the applicable computers is notified of the designated file access. Therefore, in a computer having a security monitoring unit that can communicate with the computer A, other than the computer B, such as the computer C shown in FIG.
A notification can be received when a specified file access occurs in the computer B, and similar to the computer B, collection of related data of the accessed specified file and filtering conditions for the occurrence of an access to the accessed specified file To perform the filtering process. The computer A can use not only the data from the computer B but also information from another computer as analysis data when the designated file access of the computer B occurs.

The collected data filtering unit 210 includes a periodic collected data management unit 205, a designated file monitoring unit 207
Is filtered and transmitted to the collected data management unit 211. The processing operation of the collected data filtering unit 210 will be described later with reference to the flow shown in FIG. The collected data management unit 211 receives the data from the collected data filtering unit 210 and stores the data in the collected data file 212. The collected data management unit 211
Is specified from the specified file monitoring unit 207 to the specified file 208
When the data access unit 2 receives the access notification
13 is requested to be transferred to the collected data file 212 computer A. The processing operation of the collected data management unit 211 will be described later with reference to the flow shown in FIG.

Upon receiving the transfer request from the collected data management unit 211, the data transmission unit 213 transfers the collected data file 212 to the data reception unit 217 of the security processing unit 102 of the computer A.

In FIG. 2, the security processing unit 102 of the computer A includes a security information analysis unit 221, a security information file storage unit 219, and a data reception unit 2
17 and a data transmission unit 218. Then, the terminal 214 defines and inputs a plurality of analysis conditions for analyzing the security information file 220.
The security information analyzer 221 recognizes the analysis condition and manages the analysis condition. The data receiving section 217 transmits the data received from the data transmitting section 213 of the security monitoring section 103 to the security information file storage section 219. The security information file storage unit 219 stores the received data in the security information file 220.

The record formats of the collected data file 212 and the security information file 219 are shown in FIG.
Indicates the format of one record. The record includes a collection target file identification flag indicating whether the file is a designated file or a periodic collection file, an event occurrence time, an event occurrence computer name, an event occurrence computer address, a user name, a file name, It consists of a name and processing detailed information.

FIGS. 4A and 4B show a filtering condition table 401 at the time of access to a designated file and a filtering condition table 40 for a related file for periodic collection.
2 shows a record format. These tables are stored and used in the filtering condition table 109 of the computer B in FIG. 2 and serve as conditions for selecting collected data into those to be stored in the collected data file 212 and those not to be stored.

The specified file access-time filtering condition table 401 holds a file name to be collected when a specified file is accessed, and a filtering condition of the collected data. The filtering condition is a related file name. In addition, the filtering condition table 4 for each file related to periodic collection
02 is valid for analysis at the time of access to a designated file, such as stored in a file in a wrap-around storage format or the like in a normal time when the designated file access does not occur in the regular collection target file 206, but may disappear. It has filtering conditions for periodically collecting data for the purpose of storing data with data.

The security monitoring section management table 501 of the security processing section shown in FIG. 5 is stored in the security monitoring section management table 222 shown in FIG. It is a management table. This table is
It is updated when the definition of the specified file of the security monitoring unit to be managed is set or changed. That is, when the definition of the designated file of the security monitoring unit to be managed is set or changed, the information is transmitted to the security monitoring unit 10.
3, the information in the management table 222 is created or updated based on the data transmitted from the data transmission unit 213 to the data reception unit 217 and received by the data reception unit 217.

FIG. 6 is a flowchart for explaining a processing operation for monitoring a designated file which is a designated important file in the designated file monitoring section. This will be described below.

(1) The designated file monitoring unit 207 determines whether or not a termination request has been received, and upon receiving the termination request, terminates the processing without doing anything and receives the termination request. If not, it is determined whether or not information on the file of the specified file is recognized. The information about a file includes a file storage location, a file name, a file owner, a file owner ID, a group name to which the file owner belongs, and a group I to which the file owner belongs.
D, a collection of unique information belonging to the file such as file attributes (steps 601 and 602).

(2) If it is determined in step 602 that the information on the designated file has not been recognized or has been changed from the previously recognized information, the input information is recognized and the The file name is transmitted to the data transmission unit 203 as information for creating or updating the security monitoring unit management table 222 of the security processing unit 102 (step 603).

(3) After the processing of step 603 or when the information of the specified file is recognized in the judgment of step 602, the specified file monitoring unit 207
While monitoring the specified file, it is determined whether an access has occurred to the specified file to be monitored. If no access has occurred in this determination, the process returns to the process from step 601 for monitoring an end request, and continues to monitor the occurrence of access (step 604).

(4) If the designated file is accessed in the judgment of step 604, the designated file monitoring unit 2
07 collects the access information of the designated file and edits the access information into the record format 301 of the collected data file 212 (step 605).

(5) The designated file monitoring unit 207 further notifies the collected data filtering unit 210, the periodic collection data management unit 205, and the data transmission unit 213 that the designated file has been accessed. The edited collected data is transmitted to the collected data filtering unit 210. After the above-described processing, the apparatus enters a state of waiting for reception of an end request or file access (steps 606 and 60).
7).

FIG. 7 is a flowchart for explaining a processing operation for managing files to be periodically collected by the periodic collection data management unit, which will be described below.

(1) The periodic collection data management unit 205 determines whether or not a termination request has been received, and upon receiving the termination request, terminates the processing without doing anything and receives the termination request. If not, it is determined whether or not information on the periodic collection file is recognized. The information on the periodically collected file is information obtained by adding information on the collection interval to the information on the file (steps 701 and 702).

(2) If it is determined in step 702 that the information on the periodic collection file is not recognized, the periodic collection data management unit 205 recognizes the information on the periodic collection file (step 703). After processing or Step 7
If it is determined in step 02 that the information on the periodic collection file has been recognized, it is determined whether or not there has been a notification from the designated file monitoring unit 207 (step 704).

(4) If it is determined in step 704 that there is no notification from the designated file monitoring unit 207, it is determined whether or not the collection time has come. If not, the reception of the end request is monitored. Then, the process returns to step 701 and waits until the collection time is reached unless there is an end request (step 705).

(5) If it is determined in step 704 that there is a notification from the designated file monitoring unit 207, or
If the collection time has come in the determination of step 705, the data of the periodic collection target file 206 is collected (step 7).
06).

(6) The periodically collected data management unit 205 edits the collected data into the record format 301 of the collected data file, and transmits the edited collected data to the collected data filtering unit 210. After transmitting the data to the data filtering unit 210, it waits for reception of an end request or collection time (step 707).

FIG. 8 shows a collected data filtering unit 210.
Is a flowchart for explaining the data filtering processing operation in the first embodiment, and this will be described below.

(1) Collected data filtering unit 210
Determines whether a termination request has been received, terminates the process here without doing anything if a termination request has been received, and recognizes filtering condition information if a termination request has not been received. Is determined. The filtering condition information is information stored in the filtering condition table 209, and is the information already described with reference to FIG. 4 (steps 801 and 802).

(2) If it is determined in step 802 that the information of the filtering condition is not recognized, the collected data filtering unit 210 performs a process of recognizing the filtering condition (step 803).

(3) After the processing in step 803 or in the judgment in step 802, if the information of the filtering condition has been recognized, whether there is a notification of access to the specified file 208 from the specified file monitoring unit 207 It is determined whether or not it is (step 804).

(4) If it is determined in step 804 that a file access is notified, the filtering condition that is currently functioning is switched to the filtering condition defined for the specified file that has been accessed.
If there is no filtering condition defined for the specified file, the collected data is not filtered (step 805).

(5) If it is determined in step 804 that there is no access notification to the designated file, the filtering condition is switched to the filtering condition defined for the file to be periodically collected (step 806).

(6) In the processing of steps 805 and 806,
After the filtering condition is set, the collected data filtering unit 210 performs data filtering according to the set filtering condition, transmits the data extracted by the filtering to the collected data management unit 211, and then receives the end request again. It is in a state of waiting and waiting for a notification from the designated file management unit 207 (steps 807 and 808).

As described above, by sorting the data according to the filtering conditions, the data to be stored in the collected data file 212 can be reduced to a necessary minimum number, and the communication between the computer A and the computer B can be reduced. The load can be reduced.

FIG. 9 is a flowchart for explaining a processing operation for managing collected data in the collected data management unit 211, which will be described below.

(1) The collected data management unit 211 recognizes the settings related to the data collection file. The settings relating to the data collection file are the settings of the maximum allowable amount, storage location, file name, and file format of the data collection file. The file format is a format that increases monotonously without specifying the file size, and a format that saves the data and creates a new file when the file size reaches a certain maximum capacity. Means the type of data storage means when the data amount of the file reaches a set limit amount, such as a format in which the record is overwritten one record at a time from the beginning of the file when the maximum allowable amount is reached. A fixed name or a parameter can be specified as the file name (step 901).

(2) After recognizing the settings relating to the data collection file in step 901, it is determined whether an end request has been received. If the end request has been received, the processing here ends without doing anything (step 901). 902).

(3) If it is determined in step 902 that an end request has not been received, it is determined whether data from the collected data filtering unit 210 has been received. If the data has not been received, the process returns to step 902 to perform the process of determining whether to receive the end request (step 90).
3) (4) If it is determined in step 903 that the data is received from the collected data filtering unit 210, the collected data is stored in the collected data file 212.
It is determined whether a notification from the designated file monitoring unit has been received (steps 904 and 905).

(5) If it is determined in step 905 that the notification from the designated file monitoring unit has not been received, it is determined whether or not the capacity of the collected data file exceeds the maximum allowable amount when storing data next time. If the capacity of the collected data file exceeds the maximum permissible amount, a check is made to confirm that the file format is appropriate for the set file format, such as switching files or moving a file descriptor to overwrite the first record of the file. After performing the appropriate processing, the flow returns to the processing of step 902, and the determination of whether or not the end request has been received is continued.

(6) If it is determined in step 905 that there is a notification from the designated file monitoring unit 207, a request for transmission is made to the data transmission unit 213, and thereafter, the process returns to step 902 to receive the end request. The determination as to whether or not it has been made is continued (step 906).

FIG. 10 is a flowchart for explaining a processing operation for managing a file to be subjected to data analysis in the security information file storage unit 219, which will be described below.

(1) Security information file storage 2
19 determines whether or not a termination request has been received. If a termination request has been received, the process ends here without performing any processing. If no termination request has been received, data reception from the data receiving unit 217 occurs. It is determined whether or not the notification has been received. If the notification has not been received, the process of determining whether or not an end request has been received is continued (steps 1001 and 1002).

(2) If it is determined in step 1002 that a notification of data reception has been received, the name of the file in which the access has occurred is recognized, and the currently operating analysis condition is the condition for the name of the file in which the access has occurred. Or not. If the currently operating analysis condition is not the condition for the access occurrence file name, the security information analysis unit 221 is requested to switch to the analysis condition for the specified file accessed (step 1003).

(3) Thereafter, the security information file storage section 219 stores the received data in the security information file 220. Then, after all the received data has been stored, a data analysis request is made to the security information analysis unit 221 (steps 1004 and 100).
5).

FIG. 11 is a flowchart for explaining a processing operation for analyzing data in the security information analysis unit 221. This will be described below.

(1) The security information analyzer 221
Determines whether a termination request has been received, terminates this process without doing anything if a termination request has been received, and determines whether a data analysis condition has been recognized if a termination request has not been received. Is determined. The data analysis conditions are shown in FIG.
3 will be described later (steps 1101 and 1102).

(2) If the data analysis condition is not recognized in the determination at step 1102, a process for recognizing the analysis condition is performed (step 1103).

(3) After the processing in step 1103 or when the data analysis condition is recognized in the determination in step 1102, the security information file storage unit 2
It is determined whether or not there is a request to switch the analysis condition from 19, and when there is a request to switch the analysis condition, the analysis condition is switched to the condition as instructed by the security information file storage unit 219 (steps 1104 and 1105).

(4) After the processing in step 1105 or in the determination in step 1104, if there is no request to switch the analysis condition, it is determined whether an analysis request from the security information file storage unit 219 has been received. And
If an analysis request has not been received, the process returns to step 1101 and continues to determine whether an end request has been received (step 1106).

(5) If it is determined in step 1103 that an analysis request has been received, analysis is performed according to the set analysis conditions, and the result is output. The output image of the analysis result will be described later with reference to FIG. After outputting the result, the process returns to step 1101 to determine whether or not the end request has been received (steps 1107 and 1108).

FIG. 12 is a diagram showing an example of a definition screen for the terminal 201 to set a filtering condition.
This will be described.

The example of the definition screen shown in FIG. 12 is created for each file to be collected. This screen is associated with the filtering condition type 1201, the file name to be collected 1202, and the specified file to be set only when the filtering condition type is the specified file access occurrence condition. A field 1203 to be specified, a time frame 1204 of data to be selected and set from a pull-down menu, a user name 1205,
A process name 1206 can be specified, and only data that matches this condition is stored in the collected data file 212.

FIG. 13 is a diagram showing an example of a definition screen for the terminal 214 to set analysis conditions, which will be described below.

The definition screen shown in FIG. 13 is created for each designated file. The analysis ID 1301 on the illustrated screen is
Specify the ID for identifying the analysis condition. Target file name 1
302 designates a designated file name 208. The analysis data range designation 1303 designates the time before and after the designated file access time or the current time as a base, and extracts data in a time zone near the event occurrence time in the target data. Enables analysis. The unit of time can be selected from a pull-down menu. The analysis point designation 1304 sets the items to be focused on the analysis and the data to be extracted. The analysis level 1305 specifies an analysis level. When the specified level is high, more detailed information can be obtained and reported as compared to when the specified level is low.

FIG. 14 is a view showing an example of an output screen of an analysis result after the analysis processing by the security information analysis unit 221.
Hereinafter, this will be described.

In this processing screen, the condition 1 used in the analysis is displayed.
A display 401 and an analysis result 1402 are displayed and output. If the analysis level is high, more detailed contents of the analysis result 1402 are also output.

According to the above-described embodiment of the present invention, it is possible to specify an object to be monitored for access and to select related data to be collected, and to accumulate only information which is easy to search and analyze specific data. . In addition, a single file to be subjected to data analysis can be used to appropriately change the analysis method.

[0069]

As described above, according to the present invention, it is possible to reduce the burden on a computer and an administrator in collecting and managing logs. Also, as data used for analysis,
In addition to the information on the file where the access occurred, it can also include log data output by systems and applications related to the file where the access occurred on the same computer or another computer connected via the network, providing more detailed and thorough analysis It can be performed.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration on a network of a system to which a data access history collection device according to an embodiment of the present invention is applied.

FIG. 2 is a block diagram showing a configuration of a system to which a data access history collection device according to an embodiment of the present invention is applied.

FIG. 3 is a diagram illustrating the structure of a data table in which collected data is edited for data analysis.

FIG. 4 is a diagram illustrating a structure of a condition table storing conditions for selecting collected data.

FIG. 5 is a diagram illustrating the structure of a security monitoring unit management table.

FIG. 6 is a flowchart illustrating a processing operation of monitoring a designated file, which is a designated important file, by a designated file monitoring unit.

FIG. 7 is a flowchart illustrating a processing operation of managing a file that is periodically collected by a periodic collection data management unit.

FIG. 8 is a flowchart illustrating a data filtering processing operation in a collected data filtering unit.

FIG. 9 is a flowchart illustrating a processing operation for managing collected data in a collected data management unit.

FIG. 10 is a flowchart illustrating a processing operation for managing a file to be analyzed in the security information file storage unit.

FIG. 11 is a flowchart illustrating a processing operation of performing data analysis in a security information analysis unit.

FIG. 12 is a diagram illustrating an example of a definition screen for a terminal to set a filtering condition.

FIG. 13 is a diagram showing an example of a definition screen for the terminal to set analysis conditions.

FIG. 14 is a diagram illustrating an example of an output screen of an analysis result after an analysis process in a security information analysis unit.

[Explanation of symbols]

 101, 104, 107 OS 102 Security processing unit 103, 106 Security monitoring unit 105, 108 Application 201, 214 Terminal 205 Regular collection data management unit 206 Regular collection target file 207 Designated file monitoring unit 208 Designated file 209 Filtering condition table 210 Collection data Filtering unit 211 Collected data management unit 212 Collection file 213, 218 Data transmission unit 217 Data reception unit 219 Security information file storage unit 220 Security information file 221 Security information analysis unit 222 Security monitoring unit management table

Claims (5)

[Claims] In a data access history collection method for a computer system, when data in a file of the computer system is accessed, a history collection condition definition is referred to,
Determining whether the file is defined in the history collection condition definition, collecting the data access history if defined, and collecting the data access history of related data related to the data; A data access history collection method characterized by the following. 2. The related data related to the data includes information indicating a use state of a computer that has generated access to the file in a time zone around a time when the data in the file was accessed, and information related to the file. 2. The data access history collection method according to claim 1, wherein the information is information indicating a use status of a plurality of other computers capable of communicating with the computer which has generated the access. 3. The data access history collection method according to claim 1, wherein the data is stored in a file, and an access history is collected for each file. 4. A data access history collection device for a computer system, comprising: a storage unit for storing history collection conditions defining a file for collecting a data access history when data in a file of the computer system is accessed; An access history collection unit that collects a data access history of a file by referring to a history collection condition stored in the storage unit when a file of the system is accessed; and a computer that has used the computer and accessed the file. Means for collecting a data access history of related data related to the data, which is a usage status of another computer. 5. A means for filtering data, a means for switching a filtering condition to an appropriate condition at an appropriate timing, and a means for another computer having a security monitoring function which is different from a computer which has accessed a designated file. 5. The file access history collection device according to claim 4, further comprising: means for switching a filtering condition to an appropriate condition at an appropriate timing; and means for changing a condition for analyzing a file to be subjected to data analysis.