JP2005222216A - System audit method and system audit device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system audit method automatically detecting accurate false operation, abnormal processing or the like by setting a specific event leading to the false operation or the abnormal processing from system operation or computer processing, and generating time series information about the event when the event occurs. <P>SOLUTION: Operation information or processing information generated in a computer constituting a system is transmitted to a system monitor by an event transmission function as an event, and registered in a database by a registration function in the system monitor. Simultaneously, it is decided whether an input event by a monitoring function is the specific event leading to falseness or not. When confirming the generation of the specific event, the database is searched about the event before and after the generation from internal information about the event, time series data are generated by a time series information generation function, and the time series information is collated in a falseness analysis function having a previously assumed pattern of the false operation, false processing and the abnormal processing, so that falseness decision is performed. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

The present invention focuses on computer processing by a specific user operation in detection of unauthorized operation of an operator in a system with high information confidentiality, system abnormality, and unauthorized access from outside such as a network. The present invention relates to a system audit method for determining an unauthorized computer process from previous and subsequent operations, and a system audit apparatus using this audit method.

In recent years, hacking and cracking acts such as unauthorized access and information acquisition, interference with services and functions have increased against computer systems, and countermeasures have been taken. As one of countermeasures, a system audit apparatus using an operating system (hereinafter also referred to as OS) with enhanced security function has been introduced. For example, in the product “Trusted Solaris Operating System” manufactured by Sun Microsystems, Inc., security is enhanced by controlling access to data, an operator identification function, and the like (for example, see Non-Patent Document 1).
However, this product was developed for the purpose of preventing unauthorized access from the outside, and the security function was scraped and entered by unauthorized actions by an operator with access rights or actions such as hacking. The ability to monitor the actions of unauthorized intruders is poor.

“Trusted Solaris Operating System—Overview”, Internet: URL (http: jp.sun.com/products/software/solaris/trustedsolaris/ds-ts8.html), P1-P6, 2004/01/19.

In the conventional method shown above, in order to prevent fraud by an operator having access rights, or in order to prevent in advance, the auditor directly searches the relevant history from all of a large amount of history data such as system logs, It is necessary to extract data necessary for analysis. This means that when the system becomes large, the amount of data to be collected / analyzed becomes enormous, the amount of search work and the amount of analysis become large at the same time, and there is a high possibility of inducing audit omission.

An object of the present invention is to provide a system audit method and a system audit apparatus capable of reducing the workload of an auditor when discovering an illegal operation and abnormal processing and performing analysis support.

  The system audit method according to the present invention is a system audit method for protecting a system or protecting data of a system against leakage, falsification, unauthorized citation, etc. of various information such as confidential information and bank account information. When a computer operator uses a remotely connected computer to execute data access or execution of an application program for updating data, or output to a storage medium such as a flexible disk or an external device such as a printer. Focus on at least one specific event process that may cause exploitation of various information or system destruction in the system, and use systematic information before and after this event process to extract unauthorized operations or program execution To have a function and judge fraud Those were.

  The system audit device according to the present invention includes an operation history of an operator, or a registration unit that registers an event that occurs sequentially for the at least one specific event process, and a database that has a database function for managing registration data by the registration unit, , A search means for searching for events registered in the database, an audit means for auditing at least one specific event occurrence from the registration status of sequentially generated events, and the occurrence of at least one specific event as a trigger, From the information described in this event, search the database for events before and after the occurrence, time-series information generation means for generating time-series information, and the patterns and times of assumed unauthorized operations, unauthorized processes, and abnormal processes Judgment of fraud events by collating series information It is obtained by a fraudulent analysis means.

According to the present invention, it is possible to automatically evaluate a time-series event and present it to an auditor regardless of only the occurrence event. Furthermore, fraud that is difficult to detect by individual events alone in a large amount of data can be accurately extracted by processing with time-series data, and unauthorized access / unauthorized processing and abnormal processing of the system can be accurately performed. It becomes possible to detect.

Embodiment 1
FIG. 1 is a block diagram showing a configuration of a system audit apparatus using a system audit method according to Embodiment 1 of the present invention. FIG. 2 is an operation flowchart of the first embodiment. FIG. 1 is a basic configuration diagram of an information processing system for sharing personal information through a network for carrying out the first embodiment, and for browsing and updating the personal information.

In the first embodiment, an acquirable unit related to system operation is defined as an event (hereinafter, the same applies to other embodiments). Set at least one specific event (same below) that leads to system operation from this event, computer processing to unauthorized operation, and abnormal processing, and triggers the occurrence of that event to generate event time-series information to automatically detect fraud Detect.

In the first embodiment, a plurality of computers 8 connected to a network and processing common data, a system audit device 1 for auditing operations of the computers 8, events generated in the computers 8, for example, data Has an event transmission function 9 for transmitting events such as print output to the printer and data copy to a storage medium such as a flexible disk to the system audit apparatus 1.
The system auditing apparatus 1 includes a registration function 2 for registering an event that has occurred in a computer 8 in the system, a database 3, a search function 4 for searching for an event registered in the database 3, and a registration status of events that have occurred sequentially. From the audit function 5 for auditing the occurrence of a specific event, and the occurrence of the specific event as a trigger, the computer in which the event occurred is specified, the database 3 is searched for events before and after the occurrence, and time series information is generated The time-series information generation function 6 and the fraud analysis function 7 for judging fraud by collating time-series information with a pattern of a fraudulent operation, fraud processing and abnormality processing assumed in advance.

The first embodiment assumes a system configuration in which a plurality of computers / PCs or workstations are connected to a network. The computer 8 can record a processing history in the computer or incorporate such a function. Here, one recorded history is defined as an event, and information recorded in the event includes execution computer name, execution date and time, operator information such as an operator name, and processing contents.

The event and the specific event acquisition method utilize the function of the computer OS. An OS such as UNIX (registered trademark) leaves a unique history in a log file at the time of log-in or output to an external medium. The computer 8 starts an event extraction function 10 that extracts new data records from the log file as a resident program, acquires the added data when the log file is updated, and sends it to the system audit apparatus 1 for the event transmission function. A transmission instruction is output (S01).

An event that has occurred in the computer 8 is transmitted to the system auditing apparatus 1 via the network by the event transmission function 9 (S02). At this time, the event transmission function 9 can change the transmission timing of information on the event that has occurred in accordance with the load on the network or the system audit device 1.
For example, when no other computer 8 is used, an event is transmitted to the system audit apparatus 1 every time an event occurs, but the time of the return value of the reception process from the system audit apparatus 1 is measured, and a time threshold value is measured. If the number exceeds, switch to send all after multiple events. In this way, by shifting the transmission timing, it is possible to avoid load concentration on the system audit apparatus 1 without transmitting data to the system audit apparatus 1 all at once.

The system audit device 1 is always on standby for receiving an event (S03). When event information is received from the computer 8 (S04), the event information is registered in the database 3 by the registration function 2 (S05). At the same time, the audit function 5 determines a specific event (S06). The specific event is set in advance by the auditor or the system operation manager at the time of system design depending on the system operation and the processing contents of the computer. As specific events, operations such as login to the computer 8, access to data stored in a designated area, data printing, and data copying to an external storage device such as a flexible disk are set.

For example, in order to prevent data leakage and falsification of highly confidential data, “access to confidential data storage location” is designated as a specific event in the specific event. The audit function 5 extracts the processing content from the received event information and determines whether it matches the content of the specific event.
Further, in addition to the event contents, the specified operator's operation, an event that occurred within the specified time, and the like can be set as the specific event.
This makes it possible to audit the possibility of unauthorized operations such as login and file operations outside working hours. As a result of the determination, if the received event is a specific event, event information is transmitted from the audit function 5 to the time-series information generation function 6.

The time-series information generation function 6 searches the database 3 by using the search function 4 for the events before the specific event occurrence time for each information from the information described in the event (S07). The number of events to be searched is set in the time-series information generation function 6 by the auditor. The time series information generation function 6 receives the search result of the search function 4, generates event time series data for each piece of information, and transmits it to the fraud analysis function 7 (S08).

The fraud analysis function 7 receives the time series data generated by the time series information generation function 6 and collates with a preset fraud pattern (S09). The fraud pattern is a combination of events considered to be fraudulent execution set in advance by an auditor.
For example, “access to confidential data storage location” → “data read” → “print” or “record to external recording device” is set as an event pattern for acquiring highly confidential data. The fraud analysis function 7 checks whether or not there is a fraud pattern in the received time series data. If it is determined to be fraudulent, the specific event that caused the fraud, the time-series data, and the fraud pattern are presented to the auditor (S10).

  According to this embodiment, it is possible to automatically evaluate not only an occurrence event but also a time-series event and present it to an auditor, and detect only an individual event in a large amount of data. By processing difficult fraud with time-series data, it is possible to accurately extract and correctly detect unauthorized access, fraudulent processing, and abnormal processing of the system.

Embodiment 2. FIG.
FIG. 3 is a block diagram showing configurations of a system monitoring apparatus and a computer according to Embodiment 2 of the present invention. In FIG. 3, 11 is an event audit function that audits the occurrence of a specific event for an event that has occurred in the computer 8, similarly to the audit function 5 in the system audit apparatus 1.

An event that has occurred in the computer 8 is extracted from the system log as event information by the event extraction function 10 and transmitted to the event audit function 11. The event audit function 11 determines whether the received event is a specific event, and stores information therein until the specific event occurs. When a specific event occurs, the event audit function 11 instructs the event transmission function 9 to erase all the event information stored last time to the system audit apparatus 1 and erases the stored data. The event transmission function 9 transmits a plurality of pieces of event information to the system audit apparatus 1 according to the command. After the event data is transmitted, fraud determination is performed as in the first embodiment.

According to this embodiment, by transmitting event information from the computer 8 to the system audit apparatus 1 when a specific event occurs, it is possible to reduce the load of the transmission processing of the computer 8, and at the same time, the system It is possible to reduce the load on the entire network constituting the system and to perform operation auditing without degrading the performance of the entire system.

Embodiment 3.
FIG. 4 is a block diagram showing a configuration of a system audit apparatus using the system audit method according to the third embodiment of the present invention. In FIG. 4, 12 is an input of the result of the fraud analysis function 07 to determine the degree of risk of fraud, a risk judgment function for presenting to the auditor, and 13 is a result of registering the result of the fraud analysis function 07 as fraud data. The fraud case management function presents past fraud cases according to the operations of the auditor, and 14 is a fraud case database for the fraud case management function 13.

In this embodiment, fraud determination is performed by the fraud analysis function 07 for an event that has occurred in the computer 8 as in the first embodiment. Here, the generated fraud result determines the risk of the fraud result in the risk determination function 12 (S11). The risk level determination function 12 sets the risk level in steps for the fraud content, and selects and calculates the risk level for the generated fraud.
The degree of risk is composed of the type of operation processing, the operation target, and the operation status. The operation processing type includes login failure, file access, printing, media output, abnormal program termination, shutdown, reboot, etc. The operation target is the file type, the operation status is the execution time, the operator's job, and during continuous operation Set the number of times. Points are assigned to the setting items, and the risk of fraudulent events is calculated by multiplying the points. In addition, the calculation formula, score, and calculation result are presented to the auditor.

The fraud case management function 13 receives the fraud determination result of the fraud analysis function 07 and registers it in the fraud case database 14 (S12). Further, according to the request of the auditor, the fraud case management function 13 searches for past fraud cases in the fraud case database 14 (S13) and presents the result to the auditor.

According to this embodiment, it is possible to grasp the status of the system by automatically calculating the degree of risk for the fraud event detected by the system audit device 01, and for unknown fraud events, It becomes possible to recognize the risk level. In addition, since past fraud cases can be searched, it becomes possible to investigate the behavior of a specific operator and grasp the operating status of a computer.

It is a block diagram which shows the whole structure containing the system auditing apparatus using the system auditing method regarding Embodiment 1 of this invention. It is an operation | movement flowchart of the computer which generate | occur | produces the event regarding Embodiment 1 of this invention, and a system auditing apparatus. It is a block diagram which shows the whole structure which added the event auditing function to the computer which generate | occur | produces the event regarding Embodiment 2 of this invention. It is a block diagram which shows the whole structure which added the risk determination function, the fraud case management function, and the fraud case database to the system audit apparatus using the system audit method regarding Embodiment 3 of this invention. It is an operation | movement flowchart of the computer which generate | occur | produces the event of Embodiment 3 of this invention, and a system auditing apparatus.

Explanation of symbols

  1 System audit device, 2 registration function, 3 database, 4 search function. 5 Audit function, 6 Time series information generation function, 7 Fraud analysis function, 8 Computer in system, 9 Event transmission function, 10 Event extraction function, 11 Event audit function, 12 Risk assessment function, 13 Fraud case management function, 14 Fraud case database.

Claims (9)

In the system audit method for system maintenance or system data protection against leakage, falsification, unauthorized citation, etc. of various information such as confidential information, bank account information,
A storage medium such as a flexible disk or an execution of an application program for accessing or updating data by an operator having access to the computer using a computer constituting the system or a computer remotely connected via a network Focusing on at least one specific event processing that may cause exploitation of various information or system destruction in the above system when outputting to external devices such as printers and printers, the time series before and after this event processing A system audit method comprising a system audit function for extracting fraudulent operations or program execution using information, and judging fraud. Registration means for registering an operation history of the operator or an event that occurs sequentially with respect to the at least one specific event process;
A database having a database function for managing registration data by the registration means;
Search means for searching for events registered in this database;
An auditing means for auditing the occurrence of at least one specific event from the registration status of the sequentially generated events;
Using the occurrence of the at least one specific event as a trigger, from the information described in this event, search the database for events before and after the occurrence, time series information generating means for generating time series information,
A fraud analysis means for judging a fraud event by collating time-series information with a pattern of a fraudulent operation, fraud processing, and anomaly processing assumed in advance;
A system audit apparatus comprising: The system audit method according to claim 1,
A system audit method for judging fraud from an operation to the computer by an operator who does not have access right or an intrusion into a system through a computer remotely connected by a network from the at least one specific event. In the system auditing method according to claim 1 or 3,
A system audit method for determining fraud on the basis of at least one event outside the specification or time series information related to the event when the processing contents of the computer are specified. In the system auditing method according to claim 1 or any one of claims 3 to 4,
A system audit method for judging fraud from the operation content status of the operator such as an operation other than the business authority of the operator or an operation of a work amount exceeding the assigned work amount. In the system audit method according to any one of claims 1 or 3 to 5,
When at least one specific event occurs multiple times in the above computer, all event information from the previous specific event occurrence to the specific event occurrence is transmitted to the outside and the retained information is deleted A system audit method characterized by the fact In the system audit device according to claim 2,
A system audit method for determining a risk level of an operation based on a determination result based on time series information of the at least one specific event, and presenting the risk level information to an auditor, and a system audit apparatus having a presentation function. In the system audit device according to claim 2 or 7,
A system audit apparatus having means for storing past fraud history information and presenting warning information in response to an operation by an auditor. In the system audit apparatus according to claim 2 or any one of claims 7 to 8,
If it is determined that the analysis result is invalid, search the past case history from the database using this computer's processing or the corresponding operator as a search key, investigate similar case history, and send the audit result to the auditor. A system audit apparatus having means for presenting.

Images