JP2002189634A - Data storage system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect dishonest altering of an access log used to detect dishonest altering of a file. SOLUTION: Logs 22a-22g for preparation, updating, referring and deletion of the file are added by an access log preserving recording medium 22h every time when preparation, updating, referring and deletion of the file are carried out in a volume 5 of a library using a direct-read-after-write recording medium, the log for collating the logs with the file is verified, and a verification flag of 'settled' is set to the already verified log. Then, the file 2, for example, is updated by an optical disk 33 of the volume 5, and the log 22h is set in the recording medium 21 to correspond thereto. When the log 22h is updated or erased thereafter by the dishonest altering of the recording medium 21, the dishonest altering of the data in the recording medium 21 is determined in a new log verification because the log corresponding to the file 2 is not detected in the file 2.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an optical disc and a DV
BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data storage system using a library of data in a storage medium such as a magnetic disk or a magnetic disk, and more particularly to a data storage system capable of detecting that data has been tampered with.

[0002]

2. Description of the Related Art In recent years, electronic information stored in a memory has been regarded as an original. For this reason, falsification of the original has become a serious problem. In a system that manages such an original and issues this original to a client in response to a request, the issued original is stored in a client terminal so that the client can use it many times. After many uses, the published original may be tampered with by its use.

[0003] One example of a conventional technique capable of verifying such tampering is disclosed in, for example, JP-A-11-23804.
No. 9 discloses this. This makes it possible to confirm whether or not the issued original is the same as the original that is stored and managed. This prior art will be described below.

According to this prior art, an original is stored in a server and can be referred to (issued) from a client terminal such as a workstation or a personal computer. This is used to verify the identity of the original issued to the client and the original. Specifically, the server of the original issuer prepares first summary information generated by applying a predetermined summary function to the original original information in advance,
On the other hand, on the client side, when verification is necessary, the above-mentioned predetermined summary function is applied to the issued original to generate second summary information, and the first summary information prepared on the server side is taken in. And the second summary information. When the first and second summary information match as a result of this comparison,
The issued original has not been tampered with, and if they do not match, the issued original has been tampered with.

[0005] However, such a conventional technique guarantees the identity of these originals on a network in a software manner, and it is not impossible to rewrite the digest function. If the summary function is rewritten in this way, the published original will be considered to have been tampered with, even if it has not been tampered with. May be considered the same as the original. As described above, when the summary function is rewritten, the summary information of the issued original is generated using the summary function, and the summary information is compared with the summary information of the original original of the issued original using the summary information. That makes no sense.

[0006]

On the other hand, a library composed of a storage medium that is write-controlled (hereinafter referred to as a write-once storage medium) is used.
In order to prevent such falsification of the original, the managed data storage system keeps a history of access to the library (access log) for creating, updating, referencing, and deleting files as the original. I have. When you create a new file and store it in the library (this is called Create), or when you change the contents of the file stored in the library (Update), it is stored in the library. When reading a file that is being read (this is called a Reference),
Also, when unnecessary files stored in the library are deleted (this is called “delete (Delete)”), the library is accessed. The access log indicates the history of such access to the library, and records the purpose (creation, update, reference and deletion), file name, creation date and time, etc. for each access.

Here, since this library uses a write-once storage medium, the created file remains in the library even if it is updated and becomes a new file. Even if the file is updated, the file before the update remains in the library. Even if this file becomes unnecessary and is deleted, this file remains as it was when it was created or when it was updated thereafter. For this reason, an access log is set corresponding to each of the file created at the library and the updated file.

Since there is such a relationship between the file in the library and the access log, the file in the library can be managed by the access log, and when the file in the library is tampered, the file is tampered with. Since the file is stored in the library and an access log for the file is set, it is possible to detect the falsification of the file from the access log.

However, there is a possibility that the access log is also falsified. Conventionally, even if the access log is falsified, the access log of the library including the falsified access log is grasped, so that the falsification of the access log cannot be detected.

An object of the present invention is to solve such a problem,
An object of the present invention is to provide a data storage system capable of detecting tampering of an access log provided for detecting tampering of library data.

[0011]

In order to achieve the above object, the present invention provides a storage medium library in which data is written in a write-once format, and a storage medium for storing an access log for writing an access log for the written data in a write-once format. In the data storage system having the above, by detecting the presence or absence of the access log for the data stored in the storage medium library in the access log storage medium, the presence or absence of tampering in the access log storage medium is detected. Things.

Further, the present invention detects the presence / absence of tampering in the access log storage medium by determining the presence / absence of data in the storage medium library for the access log in the access log storage medium. It is.

A verification flag is set for each access log stored in the storage medium for storing the access log, and whether the data for the access log exists in the storage medium library is verified for the access log. When the data for the access log exists in the storage medium library, the verification flag is verified, and the verification process is omitted for the access log for which the verification flag has been verified.

The storage medium for storing the access log may be a rewritable storage medium or a write-once storage medium.

[0015]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a schematic configuration diagram showing one embodiment of a data management system according to the present invention, wherein 1 is a server, 1a is control software, 1b is an operation DB (database), 2 is an array disk, and 2a is a hard disk , 3
Disk library, 3 ₁ to 3 _n is the optical disc, 4a is
4b is an interface cable.

In this figure, in this system, a PC
An array disk 2 composed of one or a plurality of high-speed accessible hard disks and a disk library 3 composed of a plurality of optical disks are connected to a server 1 composed of (a personal computer) or a workstation via interface cables 4a and 4b, respectively. ing. In the server 1, control software 1a for controlling access to the array disk 2 and the disk library 3 and an operation DB 1b for storing file management information for managing a directory structure of a file in the disk library 3 are provided. Have been.

Here, the array disk 2 and the disk library 3 constitute a hierarchical storage.

That is, under the control of the control software 1a installed in advance in the server 1, the optical disks of the disk library 3 are grouped by a predetermined number, and each group is used as a volume. In Figure 1, as an example, the group of the optical disk 3 ₁ to 3 _n and one volume. Further, the control software 1a allocates each hard disk of the array disk 2 as a cache memory to each volume in the disk library 3. Here, the hard disk 2 in the array disk 2
a cache memory corresponding a to the optical disk 3 ₁ to 3 _n of the volume.

With such a configuration, in each volume, among the files stored therein, the file having a high access frequency is read from the optical disk and stored in the cache memory corresponding to the volume, and is stored in the cache memory. The file is read out from the cache memory, and files with low access frequency are read directly from the optical disk. In this way, hierarchical storage management that improves overall access performance is realized.

Next, by Figure 2, the operation of the volume 5 consisting of a hard disk 2a of the optical disc 3 ₁ to 3 _n and the cache memory.

In FIG. 2, when a write process 6 of a file 8 occurs to the volume 5,
Under the control of the control software 1a (FIG. 1), first, this file 8 is written to the cache memory 2a (processing S
1). Then, when a predetermined period of time has elapsed from the date and time (update date and time) at this time, the control software 1a
It is assumed that the data of this file 8 has been determined, and the operation DB
1b refers to the file management data (Fig. 1), and stores the file 8 to the appropriate optical disk of the optical disk 3 ₁ to 3 _n (process S2). The above operation is called an optical disk file update.

Read of file 8 to volume 5
(Read) When the processing 7 occurs, the control software 1a
File 8 is stored in the cache memory 2a
In when present are read from the cache memory 2a (process S3), if present in the cache memory 2a, the control software 1a refers to the file management information of the management DB 1 b, of the optical disk 3 ₁ to 3 _n Then, a file 8 is read from the corresponding optical disk and stored in the cache memory 2a (process S4). And this cache memory 2
This file 8 is read out from a (step S3).
Even if the file 8 from the optical disk is stored in the cache memory 2a, the file 8 stored on the optical disk is valid. Cache memory 2a
Is returned to the optical disk, the file 8 remaining on the relevant optical disk is updated and becomes invalid, and the file 8 returned from the cache memory 2a is updated as an updated file. Is stored in the free area of the above-mentioned corresponding optical disc or another free optical disc of the same volume 5. Therefore, the next time this file 8 is read, the updated file 8 will be read.

FIG. 3 shows the disk library 3 in FIG.
FIG. 9 is a schematic configuration diagram of a semiconductor device, wherein 9 and 10 are cell groups, 11 is an optical disk, 12, 12a, 12b, 13, and 13a are cells,
14 is an accessor, and 15 and 16 are drives.

In FIG. 1, two cell groups 9 and 10 of the disk library 3 are shown, but the number of such cells may be one or three or more.

The cell group 9 is composed of a plurality of cells 12 each having an optical disk 11, and similarly, the cell group 10 is composed of a plurality of cells 13 each having an optical disk 11. The cell group 9 is provided with a drive 15 for driving the optical disk 11 there, and the cell group 10 is similarly provided with a drive 16 for driving the optical disk 11 there. . The accessor 14 transports the optical disk 11 between the designated cell 12 or 13 and the drive 15 or 16, and is commonly used by the cell groups 9 and 10.

In this disk library 3, for example, if an access request is made in the order of cells 12a, 13a, and 12b, under the control of the control software 1a,
The sequence processing is performed as follows.

(1) First, the accessor 14 moves to the cell 12a of the cell group 9, and the optical disk 1 of this cell 12a
1 and transported to the drive 15 (process S1).
0), the optical disk 11 is driven to perform I / O processing.

(2) When the above processing S10 is completed, the accessor 14 moves to the cell 13a of the cell group 10, takes in the optical disk 11 of this cell 13a, and transports it to the drive 16 (processing S11). The drive 16 waits for the drive 15 to finish driving the optical disk 11 from the cell 12a, and then drives the optical disk 11 from the cell 13a to perform I / O processing.

(3) When the drive 15 finishes driving the optical disk 11 from the previous cell 12a, the accessor 14 takes in the optical disk 11 from the drive 15 and transports the optical disk 11 to the cell 12a (process S12), and returns to the cell 12a. .

(4) Next, the accessor 14 sets the cell group 9
The optical disk 11 of the cell 12b is taken and transported to the drive 15 (processing S1).
3). Then, the drive 15 drives the optical disc 11 from the cell 12b after waiting for the drive 16 to finish driving the optical disc 11 from the cell 13a.
/ O processing is performed.

Next, normal data access control of a volume in the disk library 3 will be described.

In FIG. 1, the directory structure of a file in the disk library 3 is held as file management information in the operation DB 1b, and the file is usually stored on the optical disk of the disk library 3. Since these optical disks are write-once storage media,
When a file is updated on the optical disk (that is, the updated file is written from the cache memory of the array disk 2 to the optical disk), the disk library 3 includes a plurality of files having the same contents.

Therefore, in this embodiment, the data address of a valid file (the file obtained by the last update) of the plurality of the same files is stored in the operation DB 1b as file management information, and this data address is used. , So that you can access the desired valid files. This will be described below with reference to FIG.

In the same figure, three optical disks 3 ₁ , 3 ₂ , 3 ₃ of the volume 5 are targeted. In the optical disks 3 ₁ , 3 ₂ , data (file) is stored in the entire data storable area. and which, in the optical disk 3 _3, part of the data storage area in the data has been stored without a storage area 17, and other areas constitute a free area.

[0035] Therefore, now, if you had update request 101 of the file 18 that is stored in the optical disk 3 _1, under the control of the control software 1a (FIG. 1), a new file to update the file 18 ( writes the updated file) 18 'in the empty space following the optical disc 3 ₃ of the storage area 17 (process S20), the physical address of the file 18 of the optical disk 3 ₁ as a file management information held in the operation DB 1 b (hereinafter, the) that LBA is changed to LBA of the file 18 'of the optical disk 3 ₃ (process S21). Accordingly, the file 18 of the optical disk 3 ₁ becomes invalid, Alternatively, the optical disk 3
The file 18 'at ₃ becomes valid. However, the file 18 is left remain stored in the optical disk 3 _1.

Further, since the file 19 stored on the optical disk 3 ₁ is not used for a long time, when there is a deletion request 102 of this file, control software 1a (Figure 1)
Under the control of, the information on this file 19 in the file management information in the operation DB 1b is deleted (processing S
22). Thus, the file 19 is disabled, and will have been removed from the optical disk 3 _1. Again, this file 19 is left remain stored in the optical disc 3 _1.

Further, when there is a request 103 from the user to create a new file 20 in the volume 5,
Under the control of the control software 1a (FIG. 1), to the new file 20 is followed in the storage area 17 of the optical disk 3 ₃ writes to free space (process S23), the file management information held in the management DB 1 b, file management information such as LBA is added about the file 19 that is stored in the empty area of the optical disk 3 ₃ (process S24).

As the file management information of the operation DB 1b, user information (access user information) of a user who has updated, deleted, created a file, and the like is also recorded. As a result, it is possible to verify who created or updated the file.

Next, setting of an access log in this embodiment will be described with reference to FIG.

In this figure, three optical disks 3 ₁ , 3 ₂ , 3 ₃ of the volume 5 are targeted here. Also,
An access log storage medium 21 is also provided. The storage medium 21 may be a write-once storage medium, but is preferably a rewritable storage medium such as a magnetic disk or a magnetic tape. This is to make it possible to repeatedly write the access log. However, even when using a rewritable storage medium,
Writing of the access log is performed by a write-once method, as will be described below.

Now, all of the data storable areas of the optical discs 3 ₁ , 3 ₂ , 3 ₃ are free areas, and in this state, if there is a request 202 to create a file 0, the control software 1
a under the control of (1), writing of the file 0 is performed at the head of the head of the optical disk 3 ₁ of free space (process S30. In this case, as described above, the cache memory 2a (FIG. This writing is carried out via 1)), and at the same time, the storage medium 21 for storing the access log.
Creates a new file 0 at the beginning of the free area (CR)
Is written (step S3).
1). The access log written to the access log storage medium 21 is verified as described later. In this case, the access log 22a includes a verification flag indicating that the access log has not been verified. The verification flag is set to “not yet”.

[0042] Thereafter, similarly, such as creating a file in the optical disk 3 ₁ is made sequentially (access log for this is omitted), the entire optical disc 3 ₁ blocked, when there is a request 203 for update of the file 0 , under the control of the control software 1a, file 0 from the optical disk 3 ₁
Is read out (process S32), and then this file 0
There is written in the first free space on the volume 5 (in this case, the head of the data storage area of the optical disc 3 ₂₎ (process S33). At the same time, the access log 22b indicating the update (UP) of the file 0 is written at the head of the free area of the access log storage medium 21 (step S34). Also in this case, the access log 22a
Has a validation flag "not yet" indicating that this is not yet verified.
Is set.

The updating means replacing (updating) a file already stored in the volume 5 with another location (address). As described above, this involves replacing a file with a high access frequency with another file. This is performed when reading from the optical disk and transferring it to the cache memory 2a of the array disk 2 and reading this file from the cache memory 2a instead of reading from the optical disk, and then when returning from the cache memory 2a to the optical disk.

Reference is made to directly accessing the volume in response to an external file request. When there is a file 0 reference request 204, in this case, under control of the control software 1 a, in this case, the optical disk 3 ₂ Is updated (step S35), and at the same time, the access log 22c indicating the reference (RF) of the file 0 is written at the head of the free area of the access log storage medium 21. (Step S36). No verification flag is set for this.

When there is a request 205 for deleting file 0,
Under the control of the control software 1a, the file 0 is deleted (D
L) is written (processing S
37). Again, no verification flag is set.

As described above, the access log is sequentially added, and when a file is written or updated on the optical disk of the volume 5, the access log is stored in the storage medium 21 for storing the access log. A verification flag is also set in the access log to be written, but in the case of reference or deletion in which writing is not performed, the verification flag is not set. This verification flag is used to verify that the file has been written correctly and to detect tampering of the file. It is unnecessary for reference or deletion where the file is not written. is there.

FIG. 6 is a diagram showing the data structure of the volume 5.

As described with reference to FIG. 2, the volume 5
As shown in FIG. 6A, the data storage area of the plurality of optical discs is entirely provided with a header portion at the head of the series of data storage areas. The region is, as shown in FIG.
It constitutes a data section in which files are stored. An area of the data portion where no file is stored yet is a free area. In this data section, as described above, a new file created or updated as described above is stored at the head of the free area. As shown in FIG. 6C, each file includes management information and data indicating the information content of the file. This management information is shown in FIG.
As shown in (d), the file includes the file name and file size of this file, the creation date and time of this file, the attributes and access information of this file, and the like.

FIG. 7 is a diagram showing a data structure in the access log storage medium 21 shown in FIG.

In the access log storage medium 21, as shown in FIG. 7A, a header portion is provided at the head of the data storable area, and subsequently, as shown in FIG. , An access log is stored. The new access log is stored at the head of this data part. Then, as shown in FIG. 7C, each access log has an “access type” column indicating the type of access such as creation, update, reference, and deletion, and a “before update” that records information on a file before update. Column, an “after update” column for recording information about the file after the update, and a “verification flag” column for recording the verification flag. In the column, each after update,
File name and file size of the corresponding file, creation date and time of this file, medium ID (Identification), L
BA is recorded.

Here, the file names and file sizes in the “before update” column and “after update” column in the access log are not necessarily the same, and the “before update” column and “after update” column are not always the same.
The file name, file size, and creation date and time in the “after update” column are different from the file creation date and time in the column “management information” of the file stored in the optical disk corresponding to the access log (FIG. 6 (c)). )) Are the same as the file name, file size, and creation date and time.

When a file is created, a new file is written to the volume 5. Therefore, there is no data before update, and no data is recorded in the "before update" column of the access log for the data. Not done.

The verification flag may be set as "not yet" in the access log of the reference "RF" or the deletion "DL". In this case, the access type of the access log is "RF", By the deletion “DL”, the verification flag of the access log is ignored when verifying the access log described later.

Next, a method of verifying an access log in this embodiment will be described with reference to FIG.

[0055] As shown in FIG. 8 (a), where is intended to describe three of the optical disk 3 _1, 3 _2, 3 ₃ volumes 5, file 0 is created in the optical disk 3 _1, then, updated in the optical disk 3 _2, reference, it is assumed to be removed. Further, in the optical disk 3 _1, after creating a file 0, file 1 is created, the optical disk 3 ₂
It is assumed that file 2 has been created after updating, referencing, and deleting file 0. Therefore, in the access log storage medium 21, the access logs 22a and 22a of the file 0 having the access type “CR (create)” in the order shown in the figure.
Access log 2 for file 1 with access type "CR"
2b, access log 22c of file 0 whose access type is "UP (update)", access type is "RF (reference)"
The access log 22d of the file 0, the access log 22e of the file 0 having the access type “DL (deletion)”, and the access log 22f of the file 2 having the access type “CR” are stored, and the access logs 22a, 22b, and 22 are stored.
The verification flag “not yet” is set in c and 22f.

Here, in the access log 22a, FIG.
As shown in (b), “CR” is set as the access type, and data as shown in FIG. 7B is stored in the “after update” column. Access logs 22b, 22
f is the same, but in the access logs 22c and 22d,
Data is stored in the “before update” column and the “after update” column. The access log 22c, data of "updated" column shown in FIG. 8 (b) is stored in the "pre-update" column, the data about the file 0 on the optical disc 3 ₂ is stored in the "post-update" column. In the access log 22d, the data stored in the "before update" and "after update" columns are the same.
In the access log 22e, the optical disk 3
Data on file 0 on ₂ is stored, and no data is stored in the “after update” column.

When verifying the access log in such a state, the access log is verified from the top in the order of storage in the storage medium 21 for storing the access log.

That is, in FIG. 8A, first, the access log 22a is verified. For this purpose, the access log 22a is read from the storage medium 21 for storing the access log, and the medium ID 22a1 is set to " ₁ ". Since the access log 2 represents the “optical disk 3 ₁ ”, the access log 2
Creation (CR) of file 0 for optical disk 3
₁ is determined to have been performed, and the access log 22
Since LBA22a ₂ of a indicates the address "0", reads the file size of the data according to the access log 22a from the address 0 of the optical disc 3 _1. The "file name", "file size",
The access log 22a is verified by comparing the "creation date" with "file name", "file size", and "creation date" described in the "after update" column of the access log 22a, and these data are all equal. Time, access log 2
2a verification is finished assuming that take a matching with the actual data on the optical disk 3 _1, content representing verified from the "Not" (here a validation flag for the access log 22a, be represented as "Done" To be rewritten)
Process S40).

Next, the access log 22b is verified. Again, read the access log 22b from the access log storage storage medium 21, reads the file 1 from the optical disk 3 ₁ based on the data of "updated" field of the access log 22b thus read out, the management of the file 1 "File name", "File size",
The access log 22b is verified by comparing the “creation date and time” with the “file name”, “file size”, and “creation date and time” described in the “after update” column of the access log 22b. If they match, they are verified and
The verification flag of the access log 22b is rewritten from “not yet” to “done” (the above processing S41).

Next, the access log 22c is verified. Again, read the access log 22c from the access log storage storage medium 21, reads the file 0 from the optical disk 3 ₂ based on the data of "updated" field of the access log 22c thus read out, the management of the file 0 "File name", "File size",
The access log 22c is verified by comparing the “creation date and time” with the “file name”, “file size”, and “creation date and time” described in the “after update” column of the access log 22c. If they match, they are verified and
The verification flag in the access log 22c is rewritten from “not yet” to “done” (the above processing S42).

For the access logs 22d and 22e,
Without verification, next, regarding the access log 22f,
The same verification as above is performed (process S43).

FIG. 9 is a diagram showing a state in which the access log has been falsified in the storage medium 21 for storing the access log.

[0063] In the figure, the creation of the file 0 in the optical disk 3 ₁ to 3 ₃ Volume 5 (CR), the creation of the file 1 (CR), updates the file 0 (UP), a reference file 0 (RF), file Delete 0 (DL), file 2
The creation (CR) and the creation of the file 3 (CR) are performed in this order, and the access logs thereof are verified. The creation (CR) and update (UP) access logs 22a and 22
It is assumed that these verification flags are set to “done” for b, 22c, 22f, and 22g. The shaded portion of the volume 5 has the access log verified.

Here, since the verified file is correct, there is no need to verify it again. Therefore, when the access log of the access log storage medium 21 is newly verified, the verified file is verified. Skip the access log and do not repeat the verification of the access log.
For this purpose, an address of the last verified access log in the access log storage medium 21 is secured,
Next, when a new verification of the access log is performed, the secured address is referred to, and the verification is performed from the unverified first access log.

[0065] In such a state, the file 2, following the file 3, and that it has updated to the optical disk 3 _3,
The access log 22h for this file 3 update is
The access log 2 is stored in the access log storage medium 21 as the access log of the update “UP” with the verification flag “not”.
It is written after 2g.

Here, the access log storage storage medium 21
Assuming that a rewritable recording medium is used, before access log 22h is verified, it may be considered that data in storage medium 21 for storing access log is illegally falsified without using external means. Can be This embodiment allows such tampering to be detected.

Now, after the verification shown in FIG.
Is updated, and at the same time, in a state where the access log 22h corresponding thereto is added to the access log storage medium 21, the data is falsified in the access log storage medium 21 and the access log 22h is deleted. It has been assumed. Thereafter, when the access log is verified, there is no unverified access log next to the verified access log 22g. Therefore, in this embodiment, the file 3 in the volume 5 is deleted from the last verified access log 22g. Is detected, and it is confirmed whether or not there is a file following the last address. In this case, since there is an updated file 2, this is read out, and based on the management information of this file 2 (FIGS. 6C and 6D), the access log for verification of only this file 2 is stored in the access log. In the storage medium 21 for use. In this search, the access log may exist even after the deleted access log 22h in the access log storage medium 21 (in this case, files for these access logs are stored in the volume 5). Yes), what to do. In this case, since the access log 22h for the updated file 2 has been deleted, the access log for the file 2 cannot be found.

Therefore, in this case, it is determined that the data has been falsified in the access log storage storage medium 21. If such a determination is made, the entire access log storage medium 21 becomes unreliable, and the files stored in the volume 5 cannot be used.

Although the access log 22h is not erased, the information content may be changed. In such a case, as described above, this access log 2
Although verification of 2h is performed, a file of management information that matches the contents of the access log 22h cannot be found from the volume 5, and in this case also, it is determined that the data has been falsified in the access log storage medium 21. I do.

In this way, the falsification of the access log can be detected. However, if the verified access log is rewritten or deleted as the falsification of the access log, the falsification of the access log is performed. Since the verification has been completed, the file corresponding to the verification has been correctly stored, and the verification is not performed again on this file.

The above is the description of the storage medium 21 for storing the access log.
The case where a rewritable storage medium is used as
Even when a write-once storage medium is used, it is possible to detect falsification of the access log storage storage medium 21 in the same manner. For example, when creating, updating, referencing, or deleting a file, it may be conceivable that writing of the access log to the access log storage medium 21 cannot be performed by a special method. Even in such a case, since the access log corresponding to the file does not exist in the access log storage medium 21 while the file exists in the volume, the falsification can be detected as described above.

FIG. 10 is a flowchart showing a series of operations for detecting tampering of the access log.

In the figure, when the schedule for detecting falsification is entered (step 300), the unverified first access log in the access log storage medium 21 is searched (step 301), and the unverified first access log is retrieved. Is found (step 302), a file for this access log is read from volume 5 (step 30).
3) The management information of this file is compared with the information of the access log (step 304). If they match, the access log verification flag is rewritten from “not yet” to “done” and the process returns to step 300 to proceed to the verification of the next unverified access log. If the management information of the access log does not match the information of the access log, it is determined that the data in the access log storage medium 21 has been tampered with (step 305).
End the operation.

If the first access log that has not been verified is not found in the process of step 302, it is searched for a file whose access log has not been verified (step 3).
06) If there is no file, it is determined that data has not been tampered with in the access log storage storage medium 21 (step 3).
07) The operation ends, but if there is a file,
Assuming that the data in the access log storage storage medium 21 has been tampered with (step 305), the operation ends.

As described above, in this embodiment, it is possible to detect whether the access log has been tampered with in the normal operation of verifying the access log.

In the above embodiment, the storage medium forming the disk library 3 is an optical disk.
The storage medium may be another write-once storage medium such as D, a rewritable storage medium such as a magnetic disk, or a storage medium usable as a write-once storage medium.

[0077]

As described above, according to the present invention,
It is possible to detect tampering of an access log provided to detect tampering of a file, and the reliability of stored data is further improved.

Further, by the scheduling, the process of detecting the falsification of the access log can be automatically performed in the normal operation, and there is no need for intervention of a manager or an operator, which is advantageous in terms of management and economy.

[Brief description of the drawings]

FIG. 1 is a configuration diagram showing an embodiment of a data storage system having a falsification detection function according to the present invention.

FIG. 2 is a diagram for explaining file write / read operations on a volume of a disk library in FIG. 1;

FIG. 3 is a diagram showing a schematic configuration of a volume of a disk library in FIG. 1 and its operation.

FIG. 4 is a diagram showing each operation of volume file update, file deletion, and file creation in the disk library in FIG. 1;

5 is a diagram for explaining setting of an access log for file creation, file update, file reference, and file deletion in the embodiment shown in FIG. 1;

FIG. 6 is a diagram showing one specific example of a storage format in a volume in the disk library in FIG. 1;

FIG. 7 is a diagram showing a specific example of a storage format in an access log storage medium in FIG. 5;

FIG. 8 is a diagram showing a method of verifying an access log in the embodiment shown in FIG.

FIG. 9 is a diagram showing a method of detecting tampering of an access log in the embodiment shown in FIG. 1;

FIG. 10 is a flowchart showing an operation of verifying an access log and detecting tampering of the access log in the embodiment shown in FIG. 1;

[Description of Signs] 1 server 1a control software 1b operation database 2 array disk 2a hard disk (cache memory) 3 disk library 3 _{1 to} 3 _n optical disk 4a, 4b interface cable 5 volume 9,10 cell group 11 optical disk 12, 12a, 12b , 13, 13a Cell 14 Accessor 15, 16 Drive 21 Access log storage storage medium 22a-22h Access log

 ────────────────────────────────────────────────── ─── Continued on the front page (72) Inventor Takuya Mizoue 6-81-Ouemachi, Naka-ku, Yokohama-shi, Kanagawa Prefecture Hitachi Software Engineering Co., Ltd. In-house F-term (reference) 5B017 AA07 BA00 CA09 5B065 BA01 CC08 CS01 EA25 EK05 EK07 PA02 5B075 KK54 KK66 MM01 PR03

Claims (5)

[Claims] 1. A data storage system comprising: a storage medium library in which data is written in a write-once format; and an access log storage medium in which an access log for the written data is written in a write-once format. A data storage system for determining whether the access log for the data is stored in the access log storage medium and detecting whether the data is falsified in the access log storage medium. 2. A data storage system comprising: a storage medium library to which data is written in a write-once format; and an access log storage medium for writing an access log for the data to be written in a write-once format. A data storage system for determining whether or not the access log has been tampered with in the storage medium for storing the access log by determining whether or not the access log has the data in the storage medium library. 3. The storage medium library according to claim 1, wherein a verification flag is set for each of the access logs stored in the storage medium for storing access logs, and the data for the access logs is present in the storage medium library. By performing the verification on the access log, when the data for the access log is present in the storage medium library, the verification flag is verified and the verification flag is verified on the access log. On the other hand, a data storage system characterized by omitting verification processing. 4. The data storage system according to claim 1, wherein the storage medium for storing access logs is a rewritable storage medium. 5. The data storage system according to claim 1, wherein the access log storage medium is a write-once storage medium.