JP2003233521A - File protection system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a file protection system capable of detecting illicit access regarded to be malicious by the monitoring result of file access in real time for prohibiting the illicit access and preventing illicit operation caused afterward. <P>SOLUTION: Among file accesses monitored by an access monitoring part 60, an access management part 80 rejects a file access violating access policy information 63, and at the same time, the access is recorded as abnormal access summarization information 62. If the summarization information satisfies a criterion defined by rule information 64, it is regarded that there exists an illicit access having malicious intention, and protection processing defined by the rule information 64 is carried out by the access management part 80 for preventing the following illicit operation. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a file protection method suitable for protecting information assets managed by a computer system from unauthorized access.

[0002]

2. Description of the Related Art The security threats that can occur in an information network system are largely attacked from the outside via the network and attacked by directly operating the host in which information assets are stored internally. Can be separated. As a measure for protecting information assets from such an attack, it is general to use a network level access control function by a firewall or a file access control function included in an OS (Operating System) installed in a host. In addition, the packet on the network is analyzed by the pattern matching using the known characteristics of the packet used for the attack (port number in the protocol header, the contents of the data part, etc.), and the packet considered to be an unauthorized access is detected. There is also an unauthorized access monitoring technology that proactively detects communication that seems to be illegal by issuing an alarm or changing the settings of the firewall or router and blocking it on the spot. Furthermore, by recording and saving what kind of packet has passed as log information, it is possible to perform a follow-up investigation when a problem is discovered at a later date.

There are various purposes for fraudulent activities, but since the most important object of protection in an information network system is information assets stored in files and databases, in order to prevent fraudulent activities. In addition, it is desirable to monitor direct access to information assets and detect and prevent unauthorized access. A typical example of such a technique is the file access control function provided in the OS as described above.

This is to define in advance the normal access to each file as permission information which is a combination of information assets (file name), access type (read, write, execute), and access source (user name, group name). In addition, it is intended to block abnormal or abnormal access. Also, a method of monitoring access to a file and changing the permission information of the file when an abnormal access is detected is disclosed in US Pat. No. 5,919,258.
No.

[0005]

The above-described abnormal access can be roughly classified into those due to carelessness (negligence) and those due to intention (maliciousness). In the file access monitoring method disclosed in Japanese Patent Laid-Open No. 9-218837, even if an abnormal file access is detected even once, the access permission is changed. , For example, shared files may be temporarily unavailable to other users. In other words, although effective from the viewpoint of file protection, there is a problem in that normal work is hindered by careless file access.

On the other hand, the access subject (the program or process being executed) that issued the abnormal file access
However, if it is truly malicious, it is impossible to predict what kind of misconduct other than file access will be performed. If a running program (process) that attempts such an abnormal file access is left unattended, security holes that are latent in the OS and programs will eventually be discovered, and it will pass through the eyes of surveillance and be maliciously accessed. There is also a risk of coming.

Therefore, an improved file protection system is desired.

[0008]

SUMMARY OF THE INVENTION The present invention provides a file protection system that monitors file access and determines malicious results from the results.

Further, there is provided a file protection system which, when detecting an access which is determined to be malicious, prohibits the access and executes a defense process for preventing a fraudulent act which occurs thereafter. This makes it possible to use information assets more safely.

[0010] The conventional unauthorized access monitoring technology described by taking communication as an example is to detect the presence or absence of an act considered to be illegal from information such as communication data, communication volume, and commands used in applications. It is not something that monitors whether it is truly malicious. On the other hand, the file protection system according to the present invention further restricts the action of the access subject itself in order to proactively act against the fraudulent act that the access subject who issued the abnormal file access may work. Provide a protection system.

In this specification, an access that is not a normal access is referred to as an "unauthorized access".
ccess) ”, and out of abnormal access, malicious access is called“ malicious access ”.

The file protection system of the present invention comprises access control policy information (referred to as policy information) for distinguishing between normal access and abnormal access, and judgment criteria for distinguishing between unauthorized access and abnormal access that is not. More specifically, the access control policy information may define normal access. The determination criterion may be an unauthorized access determination criterion for detecting unauthorized access.

The file protection system of the present invention detects an abnormal access using policy information as a first step, and detects an illegal access from the abnormal accesses as a second step by using an unauthorized access determination standard.

According to the file protection system of the present invention,
An information processing device equipped with a file system includes an access control unit that monitors and controls file access, access control policy information that defines normal access, and an unauthorized access determination to determine whether the operation is malicious. It includes a standard and rule information describing a process to be executed when the standard is satisfied. The access control unit, when the monitoring result of the file access in the information processing device reaches the unauthorized access determination standard described in the rule information, similarly executes the predetermined process described in the rule information. By this, the subsequent access from the program that is the source of the file access request is restricted.

The access control policy information describes the name of the file to be protected, its importance, and the condition of normal access to the file. The access control is performed for access that does not satisfy the condition of normal access. If the means detects, the access is considered as an abnormal access.

Unauthorized access judgment criteria described in the rule information are, for example, the importance of the file to be protected,
It defines the allowable number N of abnormal accesses to a file to which the importance is assigned, whereby malicious access is attempted when an abnormal access to an important file is attempted N times or more. It is determined that Alternatively, it may be determined as malicious access when an abnormal access to a specific same file is attempted N times or more, and as another criterion, an abnormal access from the same access subject is N times or more. If it is attempted, it may be judged as malicious access.

As the processing to be executed when the above-mentioned unauthorized access judgment criterion is satisfied, for example, the fact that the program being executed which is the source of the unauthorized access is forcibly terminated is described in the above rule information. As a result, the program that has attempted abnormal access to the important file N times or more is forcibly terminated by the access control means.

Further, it may be described in the rule information that an error is returned for all subsequent accesses from the program being executed which is the source of the unauthorized access request.
As a result, the program that has attempted the abnormal access to the important file N times or more is rejected because the access control means returns an error for all the file accesses issued thereafter.

In addition, all the subsequent accesses from the program being executed which is the source of the unauthorized access request are redirected to the access to the dummy file, and the access to the dummy file is monitored and recorded in the rule information. May be described. As a result, from a program that attempts abnormal access to the important file N times or more, it appears that all file accesses issued thereafter have been processed normally. Therefore, important files will not be damaged.

Further, the fact that the access control policy is switched may be described in the rule information. As a result, when the N or more abnormal access to an important file occurs, the access control unit switches to a predetermined access control policy and controls subsequent file access. At this time, by setting the access control policy after switching to be more restrictive than the policy before switching, it becomes possible to more strictly check the legitimacy of subsequent file access.

According to the file protection system of the present invention,
In the rule information, it is possible to specify different combination information of the unauthorized access determination standard and the process to be executed when the standard is satisfied, depending on the type and importance of the file to be protected.

Further, each program (also referred to as a code, a module or a unit) necessary for realizing the present invention is
Installed in advance or when necessary via a computer-readable medium from another server connected to the network, that is, a transmission signal on the network or a portable storage medium such as a CD-ROM or FD. May be.

[0023]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of the present invention will be described below with reference to the drawings. FIG. 1 shows the configuration of an information processing apparatus to which an embodiment of the present invention is applied. Information processing device 100
Is composed of a CPU 10, a communication device 20, an input device 22, a display device 25, an external storage device 40, a main memory 50, an internal signal line 5 such as a bus, and an application program 81 or the like can access the external storage device 40. ,
All are monitored by the access monitoring unit 60, undergo the authority check by the access management unit 80, and are processed through the OS 70 only when permitted. The access management unit 80 uses the policy information 63, the process information 61,
Using the rule information 64, the log information 65, and the abnormal access aggregation information 62, the access right check process and the unauthorized access prevention measure are executed. The recording medium of the external storage device 40 is a hard disk, CD-ROM, FD, MO,
It may be a tape device or the like. Further, these storage media may be fixed to the external storage device 40 or may be portable. Further, the external storage device 40 itself may be a storage area network (SAN) in which an independent network is constructed.

The policy information 63 is stored in the external storage device 4 described above.
It defines normal access to data in 0. The process information 61 is a table that stores information about programs currently being executed. Rule information 64
Among the abnormal file access, the access control unit 8 determines the determination standard for determining the malicious access due to malicious intent and the above-mentioned access management unit 8 when it is determined that the malicious access due to malicious intent occurs.
0 specifies the processing to be performed. The log information 65 is for recording a trail regarding access to data in the external storage device 40 from the application program 81 and a trail regarding various events. The abnormal access aggregation information 62 is real-time aggregation of information regarding past policy violation accesses.

The management program 90 is used by the administrator to refer to and write the various information 61 to 65. The management program 90 transmits the various information 61 to 65 via the access management unit 80.
To access.

The OS 70 is basic software that is equipped with a file system as a standard, and the file protection system of this embodiment has an access monitoring unit 60.
, The access management unit 80, and the various information 61 to 65
And a management program 90. That is, the file protection system according to the present embodiment can be applied to any information processing apparatus having at least a file system.

Further, the application program 8
1 means a wide variety of programs such as word processing software, browsers, and Internet server programs. The OS 70, the access monitoring unit 60,
Access management unit 80 and application program 8
1 and the management program 90 are respectively stored in the external storage device 4
0 or from another information processing apparatus 101 via the network 130 to be loaded into the main memory 50 and executed. However, in order to prevent the application program from executing the file access before the file protection system starts executing, the OS is loaded first, and the access monitoring unit 60 and the access monitoring unit 60 are loaded before the application program 81 and the management program 90. The access management unit 80 is loaded. The order of such loading is O
It can be controlled by S.

In the following, under the assumption that the OS 70 has a user identification / authentication function, and the application program 81 executes file access in the name of the user identified / authenticated by the function, 1 shows an embodiment of the present invention.

FIG. 2 shows the structure of the policy information 63. The policy information 63 is the policy index 200.
, System policy 210 and user policy 22
0 and an error code table 230. The policy index 200 stores identification information of a plurality of policies and information necessary for indexing currently valid policies.

The system policy 210 and the user policy 220 both define normal access to files in the external storage device. The system policy describes a common policy in any case. The user policy is a policy described individually according to the use and situation of the information processing apparatus 100, such as “operation mode”, “maintenance mode”, and “emergency mode”. Therefore, the user policy is
It is desirable that a policy be registered in advance for each of several modes and that the access management unit 80 checks the access right while appropriately switching.

The error code table 230 shows the error codes to be returned from the access management unit 80 via the access monitoring unit 60 to the application program 81 which issued the access in violation of either the system policy or the user policy. It is a description.

FIG. 3 shows an example of the policy index. The policy index 200 includes a default flag 301 for identifying a default policy,
Valid flag 302 to identify the currently valid policy
, Policy identification number 303, and policy name 30
4. Location information 30 showing the location of each policy
It consists of 5. The default flag 301 is also the initial value of the valid flag. Further, since the system policy must always be valid, both the default flag and the valid flag are “1”.

FIG. 4 shows an example of the policy. As described above, the policy can be roughly divided into the system policy 210 and the user policy 220, but the description format is common, and the name 401 of the protection target, its importance 402, access type 403, program name 404, and feature value 40
5, user name 406 and time 407. The access type 403 includes Read, Writ
In addition to e (writing), there are Delete (erase), Rename (name change), Execution (execution), and "All" that includes all access types. The protection target name 401 can be specified not only in file units but also in multiple files using wildcards, or in folder units or drive units.

When actually setting the policy, it is important to clarify what is the minimum access required for using the information processing apparatus 100 and to register them in the user policy as normal access. . Further, the setting of the importance 402 is determined in consideration of the degree of damage in the case where the content of the file is tampered with or is leaked. For example, it is better to set a password file or a file containing a customer list with higher importance than a file that can be obtained from anyone on the Internet. In FIG. 4, the higher the degree of importance, the larger the numerical value is set.

In the program name 404, a program specially permitted as an access means to the above-mentioned protected object,
Specify with the path name of the program file. Feature value 4
Reference numeral 05 is a numerical representation of the characteristics of the program file, and may specify the file size or the hash value of the program file. As a result, it is possible to detect unauthorized alteration of the program. The user name 406 is a part for designating which user ID the program of the access request source is executed to allow access. User name 4 above
In 06, a group ID may be designated instead of the user ID. Both the user ID and the group ID are information managed by the OS 70.

The time 407 is for designating the availability of access and its time zone. For example, if it is desired to allow access only between 18:00 and 24:00, "+18: 00-24: 00".
Specify. If you want to prohibit access from 8:00 to 18:00, specify "-08: 00-18: 00". Explaining the example of FIG. 4, all the files “C: \ Sec_Prog \ *” included in the Sec_Prog directory of the C drive are protected, and the importance thereof is “2”. If the program name is "C: \ prog \ Hsman.exe", the feature value is 0x8A80, and the program is executed with the authority of the user ID "sec_admin", 18:00 Only from 24:00 to C: \ Sec_Prog above
"Read" for files under the directory
And "Write" are allowed.

Among the constituent elements of the above policy, the degree of importance 4
02, access type 403, program name 404,
It is not always necessary to specify the feature value 405, the user name 406, and the time 407. Access management unit 8
A value of 0 ignores items that are not specified when checking the access right. The policy described above sets a normal access condition for each protection target.

FIG. 16 shows, as another policy setting example, an accessible target is set for each program. The program name 1601 is a path name of a program that is an access subject. Feature value 1602
Is a numerical representation of the characteristics of the program file. As with the characteristic value 405 shown in FIG. 4, the file size may be specified, or the hash value of the program file may be specified. The user name 1603 is a part for designating under which user ID the program designated by the program name 1601 is executed to permit access.

As with the user name 406 shown in FIG. 4, a group ID may be designated for the user name 1603 instead of the user ID. Access type 160
4, the same as the access type 403 shown in FIG.
Read, Write, and Delete
(Delete), Rename (Rename), Execution,
Further, from “All” including all access types, the type of access that the program specified by the program name 1601 can execute can be selected. Name of access target 1
Reference numeral 605 denotes an object that can be accessed by the program specified by the program name 1601, and can be specified on a file basis, a plurality of files using a wild card, a folder unit, or a drive unit.

The importance 1607 is the importance 4 shown in FIG.
Similar to 02, it is set in consideration of the size of damage when the access target is tampered with or is leaked, and the larger the value, the higher the importance. Time 16
In 06, as in the case of the time 407 shown in FIG. 4, a time zone in which access is permitted is set. In the example of FIG. 16, “C:
The feature value of the program "\ prog \ editor.exe" is "0x3C
If it is running with a user ID or group ID of "users" with "77", the time "from 8:00
Only during 18:00, read, write, and delete access to the file named "C: \ users \ *. Txt" is possible.

The system policy 210 and the user policy 220 may be set using either the format shown in FIG. 4 or the format shown in FIG.

The policy format shown in FIG. 4 is effective when it is clear what is to be protected in the information processing apparatus 100 and it is desired to limit its use. On the other hand, the policy format shown in FIG. 16 is effective when the programs used in the information processing apparatus 100 are clear and it is desired to limit the accessible range of these programs.

Taking a program whose function can be expanded while dynamically linking the library as an example, the library format that can be linked (readable) from the program is restricted using the policy format shown in FIG. This makes it easy to limit the functions of the program. When it is desired to limit the programs that can link (read) a specific library file, the policy format shown in FIG. 4 can be used.

The access to the protected objects not described in the policy information and the use of the programs not described in the policy information described above may be wholly prohibited or allowed. good. The choice of which is decided by the administrator of the information processing apparatus 100 when the file protection system of the present invention is introduced into the information processing apparatus 100, and which is selected is, for example, external storage device as environment setting information It may be held in the storage unit 40 so that the access management unit 80 can refer to it.

FIG. 5 shows an example of the error code table 230. The error code table is a correspondence table of access types 501 and error codes 502. For example, from the above application program 81,
When the Read access is a policy violation, the access management unit 80 refers to the error code table 230 and returns the error code “0015” to the application program 81 via the access monitoring unit 60.
For the error code 502, the same one used by the OS 70 is registered.

FIG. 7 shows an example of the process information 61. The process information includes the process ID 701 of the program currently being executed, the program name 702, and the user name 7
03, a characteristic value 704, and a start date and time 705. The start date and time 705 is 0 in the past in the same information processing device
Even when the process IDs that have been allocated and used by S are reused, they are assigned so that they can be distinguished. These pieces of information are acquired and registered by the access management unit 80 when the program is started, and are deleted when the program is finished. In this embodiment, the program being executed is handled in process units, but it may be in thread units.

FIG. 8 shows an example of a rule setting graphical user interface (GUI) provided by the management program 90 for setting the rule information 64. The GUI is displayed on the display device 25 shown in FIG. 1 and can be operated using the input device 22. By operating the rule setting GUI 800, the administrator of the information processing apparatus 100 sets a judgment criterion 810 for judging whether it is malicious unauthorized access, and a protection process 820 to be taken when the criterion is satisfied. it can. Judgment criteria 810
For example, the following three types are prepared, and one is selected from these.

The first type is, when a policy violation occurs N times within a certain period T for a file, directory, or drive to which importance L is assigned,
It is determined that the access is malicious and malicious. In this case, the administrator selects the importance degree specification radio button 812 in the figure, specifies the importance degree L in the importance degree input box 813, specifies a certain time T in the valid period input box 818, and sets the number of times N as a policy. It is specified in the violation frequency input box 817. In the example shown in the figure, for a file, directory, or drive of importance level 3, past 1 hour (1
When a policy violation occurs three or more times in h), the access management unit 80 determines malicious malicious access regardless of the access source.

The second type is to judge malicious malicious access when a policy violation occurs N times within a certain period T for a specific file, directory, or drive. In this case, the administrator selects the file designation radio button 814 in the figure,
Specify the directory name or drive name in the name input box 815, and set a certain time T to the valid period input box 8
18, and the number N is designated in the policy violation number input box 817. In the example shown in the figure, C: \ system \ pass
For the file wd, within the last hour (1h),
When the policy violation occurs three times or more, the access management unit 80 determines malicious malicious access regardless of the access source.

The third type is from the same process.
When a policy violation occurs N times within a certain period T, it is determined as malicious malicious access. in this case,
The administrator selects the process designation radio button 816 in the figure, designates the fixed time T in the valid period input box 818, and designates the number N in the policy violation number input box 817. In the example shown in the figure, when the policy violation occurs three or more times in the past hour (1h) from the same process, the access management unit 80 determines that the malicious access is malicious.

Further, a plurality of rules may be registered in the rule information 64 so that it is possible to set a combination of judgment criteria of different types.

In order to achieve an unauthorized purpose, an intruder who intrudes into the information processing apparatus 100 should, for example, access an important file in which a password or a customer list is stored with special emphasis. Based on the idea that there is a high possibility that it will come, a program infected by a computer virus tends to indiscriminately issue unauthorized access to many files in succession. There is a possibility that such unauthorized file access due to malicious intent cannot be prevented only by setting the policy information 63. For example, if there is a file that is not protected by the setting of policy information 63, or if an attacker with advanced knowledge
This is a case in which a loophole in the defense mechanism is found through repeated trial and error.

However, it is highly likely that a number of policy violations will be repeated until the policy information 63 is not set or the loophole of the defense mechanism is reached by mistake or intention. Therefore, by setting the above determination criteria, it is possible for the access management unit 80 to detect the symptom before a malicious unauthorized access subject reaches a setting error in the policy information 63 or a loophole in the defense mechanism. Become.

Next, when the above judgment criteria are satisfied (when an unauthorized access occurs), the access management unit 80
A method of setting the defense process 820 that should be taken is shown. There are, for example, the following three types of defense processing, and two or more types can be combined and designated.

The first is policy switching processing.
The administrator selects the policy switching designation check box 821 in the figure and selects and designates a new policy after switching from the pull-down menu 822. In the pull-down menu 822, all the policy names except the system policy from the policy name 304 in the policy index 200 shown in FIG.
0 reads and displays. In the example shown in the figure, when the above determination criteria are satisfied, the policy is automatically switched to the emergency mode. To actually switch the policy from the operation mode to the emergency mode, the access management unit 80 operates the validity flag 302 in the policy index 200 to set the validity flag of the emergency mode to "1" and the validity flag of the operation mode. Rewrite to "0".

The second is an immediate notification to the administrator. In this case, the administrator selects the administrator notification designation check box 823 in the figure and designates the notification destination in the destination address input box 824. The destination address may be the e-mail address of the administrator, the address of the remote management host, or the telephone number possessed by the administrator.
In the example shown in the figure, when the above criteria are met, the fact is indicated by the administrator's email address (admin@hi-tech.co.
send to m). In the notification processing to the administrator, the access management unit 80 sends a message to a predetermined address via the communication device 20 and the network 130.
In the message, the reason (corresponding determination criteria) for determining that the malicious access due to malicious intention has occurred, and the content of the countermeasure (contents of the defense processing that the access management unit 80 should take)
Include.

The third is disposal of a process (called an unauthorized process) that has made an unauthorized access that satisfies the determination criterion when the process designation radio button 816 is selected from the above determination criteria. In this case, the administrator selects the illegal process disposal designation check box 825 in the figure, and further selects one of the following three disposal methods.
Choose one.

The radio button 826 is designated when prohibiting all subsequent access by the above-mentioned illegal process.
In this case, the specific processing content by the access management unit 80 is that the access right check processing is skipped for the access from the unauthorized process, and the policy information 6
The corresponding error code is read from the error code table 230 in No. 3 and returned to the above unauthorized process via the access monitoring unit 60.

The radio button 827 is designated when the illegal process is forcibly terminated. In this case, the access management unit 80 issues a system call to the OS 70 by designating the process ID of the unauthorized process,
Execute kill process.

The radio button 828 is used to convert all subsequent accesses by the above process into accesses to the dummy file, and to specify when monitoring and recording the accesses. In this case, the access management unit 80 skips the access right check processing for the access from the unauthorized process, converts the access target into a dummy file, and passes the OS 70 through the access monitoring unit 60.
Forward to. In addition, the dummy file is prepared in advance in the external storage device 40, and the file path information thereof is held by the access management unit 80.

Finally, an OK button 830 is a button to be pressed when registering the above setting contents in the rule information,
The cancel button 831 is a button to be pressed when the rule setting GUI 800 is terminated without registering the setting contents.

As described above, since the defense processing can be set for each set judgment criterion, it is possible to change the notification destination address according to, for example, the type and importance of the file that is being illegally accessed. Become.

FIG. 9 shows an example of the rule information 64 set using the rule setting GUI 800. In the figure, three types of rules (910, 920, 93
0) is included. Each rule has a rule number 901,
Judgment standard code 902, importance 3, file name 904,
Policy violation count 905, defense code 906, policy identification number 907, notification destination 908, process disposal 90
9, valid period 940.

The rule number 901 is a number for identifying a plurality of rules registered in the rule information 64. The criterion code 902 is the rule setting GUI 800.
In the above, which is selected as the determination criterion is expressed by a binary three-digit bit string. When the importance degree designation radio button 812 is selected, the bit string “100” is selected. When the file designation radio button 814 is selected, the bit string “0” is selected.
10 ”, when the process designation radio button 816 is selected, the bit string is“ 001 ”.

The degree of importance 903 is registered when the bit string of the above judgment reference code is "100", and is empty (NULL) in the case of other judgment reference codes.
The file name 904 is registered when the bit string of the determination reference code is “010”, and is empty (NULL) in the case of other determination reference codes. In the policy violation count 905, the one specified in the policy violation count input box 817 of the rule setting GUI 800 is stored. The defense code 906 is the rule setting G described above.
The UI 800 indicates what is selected for the defense process 820.

The defense code 906 indicates the protection processing to be executed from the left, "policy switching", "administrator immediate notification",
It is coded with a binary three-digit bit string in the order of “disposition of unauthorized process”, and the selected one is “1” and the unselected one is “0”. Policy number 90
7 is the identification number of the new policy selected from the pull-down menu 822 of the rule setting GUI 800, and is effective when "policy switching" is selected from the defense code 906. Notification destination 908
Is the destination address specified in the destination address input box 824 of the rule setting GUI 800, and is effective when “administrator immediate notification” is selected from the defense code 906.

The illegal process disposal 909 is obtained by coding the result selected from the radio buttons 826 to 828 of the rule setting GUI 800 with a binary three-digit bit string. "Forced termination" and "access monitoring and recording" are arranged in this order, with "1" selected and "0" not selected. It should be noted that the information stored in the process disposal 909 is effective when the “disposal of an unauthorized process” is selected from the protection codes 906. In the valid period 940, the period T entered in the valid period input box 818 of the rule setting GUI is registered.

FIG. 6 shows an example of the log information 65. The log information includes date / time information 610, event information 611, and event content 61 by the access management unit 80.
Information such as 2 is written as a trail. In the event content 612, which rule (number) indicates whether the access was a normal access or a policy violation
Describe so that the administrator can read and understand whether it was a policy violation corresponding to the above or whether it was an access to a dummy file by an unauthorized process.

The log information 65 has the following three types.

One is information relating to file access, and as shown by 601 in the figure, is composed of date and time, event, access target information, and access issuer information. This makes it possible to know when, what, what, and what kind of access was made.

The second is information relating to policy switching, and as shown by 602 in the figure, date and time, event,
It consists of the policy name after switching and the policy name before switching. As a result, it is possible to know when and which policy was switched to which policy.

The third is information regarding the process that has been forcibly terminated, and is composed of date and time, event, and process information, as indicated by 603 in the figure. This tells when and which process was killed.

FIG. 10 shows an example of the total information 62.
The total information is the total number of accesses for policy violations, and includes rule number 1001 and policy violation count 100.
2, process information 1003, flag 1004, start date and time 1005. The rule number 1001 is information for identifying each rule registered in the rule information 64. The number of policy violations 1002 is a total of the number of policy violations that occurred within the valid period specified by the rule, for each rule. The process information 1003 is used for a rule having a determination criterion for specifying a process, and registers the name of the program in which the policy violation has occurred, the process ID, and the start date and time.

The flag 1004 indicates, by rule, whether or not the above judgment criteria are met. If the judgment criteria are met, that is, if the malicious access is considered to be malicious, "1" is set and the judgment is made. "0" is set for those that have not reached the standard. The start date and time 1005 is
It is the date and time when the counting of the number of policy violations is started, and is used by the access management unit 80 to count the number of policy violations that occurred within the valid period.

For the various information described above, for example, an information list display screen 1100 as shown in FIG. 11 is displayed on the display device 25 of the information processing device 100 by the management program 90 so that the administrator of the information processing device 100 can display the information list display screen 1100. By accepting the operation, the administrator can grasp the current status of abnormal access or unauthorized access, or manually switch the policy while operating the input device 22.

The display screen 1100 has a log information display section 1101, a sort button 1102 for rearranging and displaying the log information, a total information display section 1103,
Process list display section 1104 and process end button 1
105, a rule information display unit 1106, a rule addition button 1107, a rule deletion button 1108, a policy display unit 1109, and a policy switching button 1110.
Composed of.

The log information display section 1101 is a section for displaying the contents of the log information 65, and by doing so, the contents of file access and various events that have occurred in the past can be confirmed. The sort button 1102 is used to sort the log information not only by time series but also by the name of an access target (file) or an access subject (process), or by event type.

Further, from the total information display section 1103, it is possible to confirm whether or not an unauthorized access is currently caused by malicious intent. The process list display unit 1104
This is a part for displaying the contents of the process information 61, and the process currently being executed can be confirmed. In addition, the display unit 1
By selecting a process from 104 and pressing the process end button 1105, it is possible for the administrator to manually terminate the process.

From the rule information display section 1106, the contents of the currently registered rule information 64 can be confirmed, a new rule can be additionally registered by pressing the rule addition button 1107, and a rule deletion button 1108 can be pressed. ,
You can also delete the registered rule. The rule setting GUI 800 shown in FIG. 8 is displayed by the management program 90 when the rule addition button 1107 is pressed.

From the policy display portion 1109, a list of policies registered in the policy information 63 and the currently selected policy can be confirmed. Further, by pressing the policy switch button 1110, the policy can be switched manually. At this time, the access management unit 80 rewrites the valid flag 302 in the policy index 200 to dynamically switch the policy.

Since the operation by the administrator as described above is very important in terms of security, prior to the use of the management program, for example, the identification and authentication processing of the administrator is performed by the function provided in the OS of the information processing apparatus. It is desirable to execute.

As another management method, as shown in FIG. 1, a management manager 91 having a function of exchanging commands and data with the management program 90 and a user interface similar to the management program 90 is installed in a network. It is executed by another information processing apparatus 101 connected by 130, and the administrator checks the log information of the information processing apparatus 100, operates the user interface provided by the management manager 91, sets rules, and manually switches policies. An embodiment is also conceivable in which the above processing is performed remotely.

FIG. 12 shows the contents of process monitoring processing by the access management unit 80.
Before the general application program 81 and the management program 90 are loaded, the access management unit 80 loads a table on the main memory 50 for storing the process information 61 (step 1201), and performs the process monitoring process. Is started (step 1202).

When the activation of the process is detected, the system policy 210 and the user policy 220 are checked in step 1203, and the program name 4 shown in FIG.
04 or process activation of a program not described in the program name 1601 shown in FIG. 16, a warning message is displayed to the administrator or user of the information processing apparatus 100, or the program is forcibly terminated. Then, the process of step 1206 is skipped and the process returns to the process monitoring process (step 1202).

When the process of the program registered in the system policy 210 or the user policy 220 is started, the information about the process is stored in the table of the process information 61, and then the process monitoring process (step 1202) is returned to.

When the end of the process is detected, in step 1204, the information of the corresponding process is deleted from the table of the process information 61. Next, if there is information corresponding to the above process in the abnormal access aggregation information 62,
It is deleted in step 1205 and the process returns to the process monitoring process (step 1202).

In the present embodiment, the process monitoring processing has been described assuming the case where the program used in the information processing apparatus 100 is restricted. As a result, it is possible to positively prevent the use of an unauthorized program, so that high security can be realized. However, it is assumed that the names of programs that can be used in the information processing apparatus 100 are registered in the system policy 210 and the user policy 220 in advance. If it is not necessary to limit the program to be used, the process of step 1203 shown in FIG. 12 may be always skipped. Whether or not the restriction of the program to be used is necessary may be left to the judgment of the administrator of the information processing device 100.

FIG. 13 shows an outline of processing of access monitoring and countermeasures against unauthorized access by the access monitoring unit 60 and the access management unit 80. Step 1302, step 1312, and step 131 in the figure
3 is included in the processing of the access monitoring unit 60. Further, steps 1303 to 1311 are included in the processing of the access management unit 80.

When the application program 81 accesses the file stored in the external storage device 40, the access monitoring unit 60 detects the access, and in step 1302, the name of the access target and the type of access. Then, the access management unit 80 is notified of the process ID that is the issuer of the access. In step 1303, the access management unit 80 acquires the program name and start date and time of the process from the process information 61, using the notified process ID as a clue.

Next, in step 1304, by referring to the abnormal access totalization information 62, it is confirmed that the above process is not an unauthorized process that satisfies the judgment criteria defined by the above rule information. If the process is not an unauthorized process, the process proceeds to the policy matching process of step 1305.
If it is an illegal process, the process jumps to step 1307. If the result of the policy collation processing in step 1305 is a legitimate access conforming to the policy, a normal return is returned to the access monitoring unit 60 in step 1306. Upon receiving the normal return, the access monitor 60 forwards (transfers) the access request from the application program 81 to the OS 70 in step 1312.

When it is determined that the policy is violated as a result of the policy collation processing in step 1305, step 130
At 7, the access contents are recorded in the log information 65. Next, in step 1308, if the access that has violated the policy corresponds to any of the rules registered in the rule information 64, it is registered in the abnormal access tabulation information 62. Specifically, the number of policy violations shown in FIG.
02 is incremented, and it is confirmed whether the start date and time 1005 is within the valid period specified by the rule.

If the date and time is older than the valid period, the policy violation that occurred within the time limit will be recorded in the log information 6
5 is counted again to correct the policy violation count 1002. At the same time, the date and time obtained by subtracting the valid period from the current date and time is registered in the start date and time 1005. The unauthorized access tabulation process by the access management unit 80 may be performed at the timing when the policy is violated, or may be periodically performed regardless of the file access.

In step 1309, it is determined whether or not the access criteria violates the above policy and the determination criteria (described in the rule information 64) for determining malicious access due to malicious intent is reached. If the judgment criterion is not reached, in step 1311, the corresponding error code is acquired from the error code table 230 in the policy information 63, and the process returns to the access monitoring unit 60. The access monitoring unit 60 uses the application program 81 that issued the access in violation of the policy.
In response to the error code (step 131
3) Return to the access monitoring process.

On the other hand, when the above determination criterion is reached, the predetermined processing described in the rule information 64 is executed in step 1310, and then the access monitoring processing by the access monitoring unit 60 is returned to. Regarding the processing executed in the above step 1310, such as policy switching, notification to the administrator, forced termination of the unauthorized process, etc., the access management unit 80 records it in the log information 65 as in step 1307, and later. Allow tracing by administrator.

The file protection system described above determines, based on the rule information 64, unauthorized access that is considered to be malicious, based on the number of accesses that violate the policy, the importance of the access target, etc., and takes measures. can do. In other words, not only the file access control function based on the policy information 63, but also a function of detecting a sign of intrusion or virus infection from an unauthorized access pattern and implementing countermeasures early can be provided.

FIG. 14 shows an example of an Internet site and a local area network (LAN) configured by using the information processing apparatus 100 equipped with the file protection system of this embodiment. By installing a firewall 140 between the external network such as the Internet and the internal network, the DMZ (De-Mi
The services provided by the information processing apparatus 100a installed in the litarized zone (demilitarized zone) 130a can be used from the Internet 160 or the LAN 130b, but can be controlled so that the Internet 160 cannot access the LAN 130b.

The information processing apparatus 100a installed in the DMZ 130a is, for example, a WWW (World Wide Web) server or an Internet server such as a mail server. In addition, the information processing device 100b installed on the LAN 130b
The information processing apparatus 100c and the information processing apparatus 100c are used, for example, as various servers used in the company or as terminal devices for business use.

Here, if a WWW server program having a security hole (defective) is operating in the information processing apparatus 100a installed in the DMZ 130a, the security hole is abused and the information processing apparatus 100a enters. There is a possibility that the homepage may be tampered with or the password file may be read out illegally.
Although such an attack cannot be countered by the above firewall alone, by applying the file protection system according to the present embodiment, not only the user ID but also the program or the time zone as the access means can be restricted. The damage can be minimized even if it is done.

That is, it is possible to prevent unauthorized file access. Moreover, for example, when access to a password file or home page file is violated continuously within a certain period of time, the rule information 64 is set so as to forcefully terminate the access issuer.
By setting, it becomes possible not only to protect files, but also to positively exclude programs (processes) that may perform fraud, so that a secure Internet service can be provided.

Such unauthorized access may occur not only on the Internet but also on an intranet such as a company network (LAN 130b). By applying the file protection system of the present embodiment to the information processing apparatus 100b that serves as each server of the in-house LAN and the information processing apparatus 100c that serves as a client (terminal), for example, access to an important file in which a customer list is stored. Can be monitored to prevent leakage and to eliminate processes that are the source of unauthorized access.

In addition, against a malicious computer virus that illegally erases, writes, or reads a file and sends it to an external network,
It is possible to detect malicious unauthorized access from the file access status, and detect a process that is infected by a virus and issues an unauthorized file access and forcibly terminate it. Further, if the file protection system is applied to a client (terminal), the notification message for the administrator is also displayed on the screen of the display device 25 of the information processing device 100c, which is the client, to notify the user. It may be a warning.

Further, by installing the information processing device 101 having the management manager 91, the DMZ 13
0a and each information processing device installed in the LAN 130b, remotely set rules and monitor access status,
It is also possible to manually switch policies.

As another application example, FIG. 14 also shows an example in which the external storage device 40 serving as the storage location of information assets is replaced with a storage area network (SAN). The SAN 170 in the figure is a RAID (Redundant Arrays) that realizes a high-speed, large-capacity and highly reliable disk device by using a plurality of storage devices such as hard disks.
of Independent Disks) 171 and tape library 1
72 is connected. The information processing device 100b and each storage device (RAID 171, tape library 172)
Are connected by a switch 175, and data transfer is performed using, for example, a fiber channel (FC) protocol.

In this case, the information processing apparatus 100b is the SAN
Is used by the information processing apparatus 100c as a server of the. In other words, in order to use the storage device connected to the SAN, the information processing device 1 which is the SAN server must be used.
Via 00b. Currently, as the security function of the SAN, an access control technique for each storage device called zoning using the function of the switch 175 and an access control technique for each volume in a RAID device called LUN masking are established. However, these technologies apply to the SAN server device and each storage device or RAI.
Access permission / prohibition with respect to the D volume is managed, and access permission / prohibition with respect to each storage device or each RAID volume is not controlled for each user (user ID), for example.

Therefore, by applying the file protection system of this embodiment to a SAN server and describing normal access in units of storage devices or volumes in the policy information 63 of the information processing device 100b, which is a SAN server, It is possible to perform fine-grained access management by combining user IDs and program names. This is of course the same for file-by-file access within RAID.

FIG. 15 shows an example of a policy edit screen for setting such policy information. A policy edit screen 1500 in the figure is a GUI provided by the management program 90 or the management manager 91, and is a SAN.
Display device 2 of the information processing device 100b serving as a server of
The administrator operates from the screen of No. 5 or the screen of the information processing apparatus 101 equipped with the management manager 91. The editing screen includes a protection target selection unit 1510, a protection target direct designation unit 1515, a program selection unit 1520,
The other condition setting unit 1530 is included.

In the protection target selection unit 1510, the protection target can be displayed and selected in storage device units, volume units, directory units, and file units. In the example in the figure, the file "idea.doc" under the directory "Doc \ Projects" in the volume "Vol-1" in the storage device "RAID-2" is selected for protection. As a result, the name of the protection target 401 in the policy information 63 is "RAID-2 \ Vol-1
\ Doc \ Projects \ idea.doc "is stored. However, if the volume of the storage device is mapped to a specific drive, the management program 90 or the management manager 91 automatically converts the drive name (for example, D: \) into "D: \ Doc \ Projects \ idea.doc "
It is also possible to set like. Further, the designation of the storage device unit can designate not only the RAID and the tape but also the external storage device 40 included in the information processing device regardless of whether it is self or others.

The protection target direct designation unit 1515 is used when a plurality of protection targets are designated using a wild card. In the example in the figure, "RAID-2 \ Vol-1 \ Doc \ Projects \ *. Do
c ", which is the folder" RAID-2 \ Vol-1 \
It refers to all files with the extension ".doc" under "Doc \ Projects". If the one selected by the protection target selection unit 1510 and the one specified by the protection target direct designation unit 1515 do not match, the one designated by the protection target direct designation unit 1515 is the name of the protection target 401 in the policy information 63.
It may be configured to be stored in.

The program selection unit 1520 selects and specifies a program file to which access to the protection target is permitted. In the example in the figure, "Prog \ office \ Sedit.ex
A program named "e" is selected, and the program name is stored in the program name 404 of the policy information 63. The other condition setting unit 1530 specifies the degree of importance of the protection target, the access type to be permitted, the user name / group name, the characteristic value of the program file, and the accessible time zone.

Regarding the feature value, the management program automatically derives the feature value from the program file selected by the program selection unit 1520 and displays it on the condition setting unit 1530. You can reduce the effort. When the OK button 1540 is pressed after setting the protection target selection unit 1510, the program selection unit 1520, and the other condition setting unit 1530, the setting items are stored in the policy information 63. The cancel button 1541 is used when it is desired to clear the above setting items. The policy edit screen 1500 may be callable by adding a button to the information list display screen 1100 shown in FIG. 11 and pressing the button by the administrator.

As described above, according to the present embodiment, out of the file accesses that occur in the information processing device, those that do not correspond to the normal access defined by the policy information 63 can be regarded as an abnormal access and blocked. At the same time, by detecting malicious unauthorized access from the above abnormal access and executing defense processing, it is possible to quickly detect signs of intrusion, virus infection, etc., and suppress the occurrence of expected damage thereafter. effective.

Further, by the flexible rule setting, there is an effect that an excessive protection process is unnecessary for an accidental access and a protection process can be executed only for a malicious malicious access. In particular, there is an effect that early detection and removal can be performed by detecting and forcibly terminating a malicious program that randomly destroys or deletes files.

Further, in this embodiment, if it is not registered in the rule information, the file access control system based on the policy information can be applied to a field in which security is important but processing speed is also important. It is also possible to use it properly depending on whether it is applied to a field where security is the most important.

Further, if the OS has a user identification / authentication function and a file system, the security can be easily strengthened by applying the file protection system of this embodiment. Furthermore, by combining with a security technology such as a firewall and a communication data encryption function, there is an effect that the security of the entire network system can be improved.

[0115]

As described above, according to the present invention, it is possible to prevent an unauthorized access due to malicious intent from an abnormal access to a file managed by an information processing apparatus.

[0116]

[Brief description of drawings]

FIG. 1 is a diagram showing a configuration example of a file protection system according to an embodiment of the present invention.

FIG. 2 is a diagram showing a configuration example of policy information 63.

FIG. 3 is a diagram showing index information regarding various policies.

FIG. 4 is a diagram showing an example of setting a user policy 220.

FIG. 5 is a diagram showing an example of an error code table 230.

FIG. 6 is a diagram showing a structure of log information 65 for recording file access and various events.

FIG. 7 is a diagram showing an example of process information 61 that stores information about currently executing processes.

FIG. 8 is a diagram showing an example of a screen for setting rule information 64.

FIG. 9 is a diagram showing an internal structure of set rule information 64.

FIG. 10 is a diagram showing an example of aggregate information 62 of abnormal access.

FIG. 11 is a diagram showing an example of a management screen displayed by a management program 90 on a display device.

FIG. 12 is a diagram showing a process monitoring and process information creation flow by the access management unit 80.

FIG. 13 is a diagram showing a flowchart of file access control and intrusion detection processing by an access monitoring unit 60 and an access management unit 80.

FIG. 14 is a diagram showing a configuration example of a network system to which the file protection system according to the present embodiment is applied.

FIG. 15 is a diagram showing an example of a screen for editing policy information 63.

FIG. 16 is a diagram showing an example of a user policy 220 set in program units.

[Explanation of symbols]

5 ... bus, 10 ... CPU, 20 ... communication device, 22 ...
Input device, 25 ... Display device, 40 ... External storage device, 5
0 ... Main memory, 60 ... Access monitoring unit, 61 ... Process information, 62 ... Abnormal access aggregation information, 63 ... Policy information, 64 ... Rule information, 65 ... Log Information, 70
... OS, 80 ... Access management unit, 81 ... Application program, 90 ... Management program, 91 ... Management manager, 100 ... Information processing device, 101 ... Other information processing Device, 130 ... Network, 140 ... Firewall, 160 ... Internet, 170 ... S
AN, 171 ... RAID, 172 ... Tape library, 175 ... Switch, 200 ... Policy index, 210 ... System policy, 220 ... User policy, 230 ... Error code table, 800 ... Rule information setting screen, 1100 ... Information list display screen, 150
0 ... Policy editing screen

   ─────────────────────────────────────────────────── ─── Continued front page    F-term (reference) 5B017 AA03 BA06 CA07 CA16                 5B076 FB03                 5B082 EA11

Claims (13)

[Claims] 1. An information processing apparatus having a file system, access control means for monitoring and controlling file access, policy information for distinguishing between normal access and abnormal access, and unauthorized access from abnormal access The access control means includes means for detecting abnormal access using the policy information, means for detecting unauthorized access using the determination criteria, and the abnormal access and unauthorized access. A file protection system with means for preventing the execution of. 2. The file protection system according to claim 1, further comprising: abnormal access detection means and means for recording a trail of abnormal access and / or unauthorized access detected by the unauthorized access detection means. 3. The file protection system according to claim 1, wherein the access control means detects an abnormal access using the abnormal access detection means as a first step, and the unauthorized access detection means as a second step. A file protection system that uses the abnormal access to detect unauthorized access. 4. The file protection system according to claim 3, wherein the policy information defines a normal access, and / or the determination criterion detects an unauthorized access, and thus the unauthorized access determination defines an unauthorized access. The standard file protection system. 5. The file protection system according to claim 4, further comprising rule information defining a defense process to be executed when the unauthorized access determination standard is satisfied, wherein the access control means is the unauthorized access detection means. A file protection system comprising defense processing means for executing the defense processing in accordance with the rule information when an unauthorized access is detected by. 6. The file protection system according to claim 5, wherein the policy information is a storage device name, a volume name, a drive name, a directory name, a file name, or a name of a protection target represented by a combination thereof. And a file protection system that describes the conditions for normal access to the protection target. 7. The file protection system according to claim 6, wherein the policy information further describes the importance of the protection target, and the importance L of the protection target in the unauthorized access determination criterion , The abnormal access count N and the valid period T are specified,
For one or more protection targets assigned the importance L, the abnormal access is
A file protection system that defines unauthorized access when it occurs more than once. 8. The file protection system according to claim 6, wherein a name F of a protection target is included in the unauthorized access determination standard.
And an abnormal access count N and a valid period T are specified, and a case where the abnormal access occurs N times or more within the valid period T for the protection target of the name F is defined as an unauthorized access. File protection system to do. 9. The file protection system according to claim 5, comprising a plurality of the policy information, wherein the defense processing means includes a switching processing means of the policy information, a notification processing means to a manager, and a plurality of processing means. A file protection system including means for executing one or more processes from among defense processes. 10. The file protection system according to claim 6, wherein the access control unit further includes a monitoring processing unit for the program being executed, and the abnormal access determination number N and the valid state are valid in the unauthorized access determination standard. The period T is specified, and during the valid period T, the abnormal access is
A file protection system that defines unauthorized access when it occurs more than once. 11. The file protection system according to claim 9, wherein the defense processing unit further includes a disposing unit for the running program, and the disposing unit for the running program is executed by the running program. Access prohibition processing means for prohibiting access of the program, forced termination processing means for terminating the running program, and all subsequent accesses by the running program are converted to accesses to the dummy file to monitor and / or monitor the access. A file protection system comprising a monitoring recording processing means for recording, and a means for executing any one of the access prohibition processing means, the forced termination processing means, or the monitoring recording processing means. 12. The file protection system according to claim 3, further comprising means for providing an administrator of the file protection system with a status of occurrence of unauthorized access, and forcibly terminating a running program from the administrator. A file protection system including means for receiving an instruction to execute an arbitrary process from a policy switching process and a rule setting process. 13. The file protection system according to claim 1, wherein the access control unit further includes a program activation monitoring unit, and the policy information is a name of a program available in the information processing apparatus. , Defining a condition for normal access from the program, the access control unit detects the start of the program, collates with the policy information, and when the program is not registered in the policy information, If the program is a program that is registered in the policy information, the file access from the program is collated with the policy information, and the processing means that prevents the program from being activated File protection system with means for allowing execution