JP2005322261A - Irregularity monitoring program, irregularity monitoring method and irregularity monitoring system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an irregularity monitoring program capable of monitoring input and output data not only in a network but also with an externally connected device in monitoring invalid data for making a computer execute an invalid operation, and enabling setting of various rules for irregularity determination and efficient application of the rules. <P>SOLUTION: A data acquisition part 14 acquires input and output data carried in the network or an external connecting bus and the ID of an operator. An invalid operation determination part 15 acquires the attribute information of a user corresponding to the ID from a user data storage part 12, and performs an irregularity determination in reference to a rule corresponding to this attribute information from rules determined for every attribute of users stored in an invalid rule storage part 13 and a rule to be generally determined invalid regardless of the attributes stored in the invalid rule storage part 13. When an operation is determined as an invalid operation, an interruption processing execution part 16 stops the processing executed by this operation. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a fraud monitoring program, a fraud monitoring method, and a fraud monitoring system for monitoring fraudulent data that causes a computer to perform fraudulent operations.

  When using a computer connected to a network such as the Internet, it is necessary to prevent unauthorized entry of data from the outside and to prevent data leakage and leakage from the inside due to unauthorized operation of the computer. In order to prevent unauthorized data intrusion, a firewall is provided between the internal network, such as the corporate LAN, and the Internet to block unauthorized data, and to prevent viruses from entering the internal network and individual computer terminals. Placing vaccine software to do is widely done. In firewalls and vaccine software, it is common to determine in advance rules for judging illegal data from keywords, sender IP addresses, etc., and to determine whether the data is illegal by referring to the rules. Is.

  On the other hand, with respect to a method for preventing data from being leaked due to an unauthorized operation, for example, for data transmitted to a network, predetermined rules regarding access right, transmission source, type of document to be transmitted, etc. A technique for disconnecting communication when it is detected that there is a risk of fraud is disclosed (for example, see Patent Document 1).

Japanese Patent Laid-Open No. 2002-232451

  The firewall, the vaccine software, and the invention described in Patent Document 1 are all for preventing unauthorized data intrusion and leakage in the network. However, unauthorized operations using a computer are not limited to those via a network. For example, an unauthorized third party operates a computer that is not connected to an external network and outputs information inside the computer to a printer. There is also the risk of information leaking by methods that do not use a network, such as writing to disk. That is, it is preferable to monitor data for executing an illegal operation not only with a network but also at a driver level connected to a printer or a drive.

  Further, as described above, the current illegal data monitoring method is mainly based on a rule base in which keywords, IP addresses, MAC addresses, etc. are registered. However, the contents of rules that can be registered by such a method are limited. is there. In order to make the determination as accurate as possible, it is preferable to increase the number of rules. However, even if the number of rules is too large, there is a problem that the processing for the determination becomes heavy. Therefore, it is effective to have a mechanism for registering rules from various viewpoints as concisely as possible and efficiently referring to the rules.

  Furthermore, the fraud determination based on the rule base has a problem that it is difficult to detect the fraud only by the rule base when an illegal operation not corresponding to the registered rule is executed by a completely different method. For this, it is effective to be able to accurately determine the possibility of fraud by capturing a different pattern of user action than in the past.

  The present invention has been made in response to these problems, and in monitoring unauthorized data that causes a computer to perform unauthorized operations, it is possible to monitor data that is input to and output from external devices as well as the network. It is an object of the present invention to provide a fraud monitoring program, a fraud monitoring method, and a fraud monitoring system capable of setting various rules for fraud determination and applying rules efficiently.

  The present invention for solving these problems is a program for monitoring unauthorized data that causes a computer to perform unauthorized operations, and connects the computer to a network connected to the computer or to the computer and an external device. Obtaining input / output data input / output through an external connection bus; identifying identification information for identifying a user from the input / output data; and attribute information of each user for a user having authority to use the computer Refer to the step of obtaining at least part of the attribute information corresponding to the identification information from the user information storage unit to be stored, and the determination rule storage unit for storing a rule for determining that the input / output data is invalid data. Determining whether the input / output data is illegal data; If it is determined that the data is incorrect in the step of determining whether it is incorrect data, the operation executed by the input / output data is stopped, and the determination rule storage unit In the step of determining whether the determination rule corresponding to the attribute of the user is stored and the illegal data, the determination rule corresponding to the attribute information acquired in the step of acquiring at least a part of the attribute information is The fraud monitoring program is characterized by determining whether the data is fraudulent.

  In this invention, not only the network but also the data that is input / output through the external connection bus of the computer is monitored, thereby monitoring the data instructing an operation such as illegal printout or writing to the disk without going through the network. Thus, unauthorized operations can be interrupted. Moreover, diversification of rules can be achieved by adding determination items according to user attribute information.

  In the present invention, the computer may be used as a client or a server in the network as long as it is connected to the network and has an external connection bus. The network includes all networks capable of transmitting and receiving data such as a LAN and dial-up. The external device includes all peripheral devices that can be connected to the computer through an external connection bus such as a printer and a drive. Unauthorized data refers to data related to unauthorized operation of a computer, such as a file transmission instruction prohibited from being leaked to the outside or an operation by an unauthorized user. As the user attribute information, for example, the user's age, sex, department, job title, and the like are used.

  According to the present invention, the step of determining whether the user corresponding to the identification information has the right to use the computer by referring to the user information storage unit in the computer, and determining the usage right. If it is determined in the step that there is no usage authority, the step of stopping the operation executed by the input / output data is executed, and the step of determining the usage authority is more than the step of determining the unauthorized data. When it is determined in advance that the use authority is not determined in the step of determining the use authority, it is determined whether the computer is at least a part of the attribute information or whether the data is illegal data. It can also be characterized in that at least one of the steps is not executed.

  In the present invention, the user attribute is registered in advance for use as an item of the rule, so it can be easily confirmed whether or not the user who performed the operation has the authority to use the computer. If the user's use authority is determined before the rule is determined, if the operation is a user operation that does not have the authority in the first stage, the operation is stopped before the rule is applied. , The process of applying the rules can be made more efficient.

  Further, in the step of acquiring the input / output data, when the input / output data is acquired from a network, the present invention performs a session disconnection process in the step of stopping the operation executed by the input / output data. It can also be made to perform. Alternatively, in the step of acquiring the input / output data, when the input / output data is acquired from an external connection bus, the process executed by the driver is stopped in the step of stopping the operation executed by the input / output data. It is good also as making it feature.

  In the present invention, when it is determined that the process being executed by the computer is an unauthorized operation, a process for immediately stopping the process is performed. When the process being executed is data transmission / reception through the network, information leakage due to external transmission of data can be prevented by performing a process of disconnecting the session being executed. When the process being executed is an operation to an external device through the external connection bus, information leakage due to data output can be prevented by stopping the process executed by the driver.

  Furthermore, the present invention refers to a profile storage unit that stores log data related to the input / output data as a profile for each user in the computer, and the input / output data acquired in the data acquisition step is the user's In the step of determining whether it is peculiar to the tendency of daily operation, in the step of stopping the operation executed by the input / output data, it is peculiar in the step of determining whether it is peculiar. Even when it is determined that there is an operation, the operation executed by the input / output data may be stopped.

  By creating a profile that grasps the characteristics of operations for each user by collecting log data for each user in this way, and determining whether or not the user has performed a specific operation by referring to such profiles, the rule determines It is possible to determine impersonation of an authorized user by a third party that cannot be performed, an operation that may be fraudulent that is within the scope of the authority but is not normally executed, and the like.

Further, in the case where it is determined that the data is illegal in the step of determining whether the data is illegal data, the user or the management that the operation executed by the input / output data is an illegal operation is determined. It is also possible to execute a step of notifying a terminal device operated by a person.

  In the present invention, illegal data can be dealt with by notifying a user who is an operator who has executed the processing on the data, or a computer or terminal administrator.

  The present invention can also be understood as a fraud monitoring method that can be performed by executing the fraud monitoring program. Moreover, it can also be comprised as a fraud monitoring system using said fraud monitoring program.

  That is, the present invention is a system for monitoring unauthorized data that causes a computer to perform unauthorized operations, and is input / output through a network connected to the computer or an external connection bus that connects the computer and an external device. Data acquisition means for acquiring input / output data, identification information specifying means for specifying identification information for identifying a user from the input / output data, and a user for storing attribute information of each user for users who have authority to use the computer Information storage means, attribute information acquisition means for acquiring at least part of attribute information corresponding to the identification information from the user information storage means, and determination for storing a rule for determining that the input / output data is illegal data The input / output data with reference to the rule storage means and the determination rule storage means Illegal data determination means for determining whether the data is illegal data, and stopping means for stopping an operation executed by the input / output data when the illegal data determination means determines that the data is illegal data. The determination rule storage means stores a determination rule corresponding to a user attribute, and the unauthorized data determination means includes the determination rule corresponding to the attribute information acquired by the attribute information acquisition means. It can also be configured as a fraud monitoring system characterized by determining whether it is fraudulent data.

  The present invention further includes a use authority determining unit that refers to the user information storage unit and determines whether a user corresponding to the identification information has a use authority for the computer, and the stop unit includes Even when the use authority determining means determines that there is no use authority, the operation executed by the input / output data is stopped, and the use authority determining means is activated prior to the unauthorized data determining means. When the use authority determining unit determines that there is no use authority, at least one of the attribute information acquisition unit and the unauthorized data determination unit is not activated.

  Furthermore, the present invention relates to a profile storage unit that stores log data related to the input / output data as a profile for each user, and the profile storage unit refers to the input / output data acquired by the data acquisition unit. A unique operation determining means for determining whether or not the user's daily operation is unique, and the stopping means is also determined when the specific operation determining means determines that it is unique, The operation executed by the input / output data may be stopped.

  Further, the present invention provides a terminal operated by the user or the administrator that an operation executed by the input / output data is an unauthorized operation when the unauthorized data determination unit determines that the data is unauthorized data. A notification means for notifying the apparatus can also be provided. When the data acquisition unit acquires the input / output data from the network, the stop unit may perform session disconnection processing. Alternatively, when the data acquisition unit acquires the input / output data from an external connection bus, the stop unit may stop processing executed by the driver.

  According to the present invention, in monitoring illegal data that causes a computer to execute an illegal operation, it is possible to monitor data input / output to / from an external device as well as the network, and improper data output by impersonation or unauthorized persons Can prevent information leakage and the like.

  Further, by using user attribute information registered in advance in one item of the rule, various rule settings for fraud determination can be performed. Furthermore, by determining the presence or absence of the computer operation authority using the attribute information prior to the application of the rule, it is possible to improve the efficiency of the fraud determination process. Furthermore, by recording the operation history for each user as a profile, it recognizes unique operation patterns that cannot be determined by rules, impersonates authorized users, and may be fraudulent that is within the scope of authority but not normally executed It is also possible to determine an operation with a fault.

  The best mode for carrying out the present invention will be described below in detail with reference to the drawings. In addition, the following description is an example of embodiment of this invention, Comprising: This invention is not limited to this embodiment.

  FIG. 1 and FIG. 2 are diagrams showing examples in which the fraud monitoring system according to the present invention is used for monitoring a network and monitoring a connection with an external device, respectively. FIG. 3 is a diagram showing the installation position of the fraud monitoring system according to the present invention. 4 and 5 are block diagrams showing a first configuration of the fraud monitoring system according to the present invention. FIG. 6 is a diagram showing an example of a user data storage unit of the fraud monitoring system according to the present invention. FIG. 7 is a diagram showing an example of the fraud rule storage unit of the fraud monitoring system according to the present invention. FIG. 8 is a flowchart showing the flow of the fraud monitoring program according to the present invention.

  The fraud monitoring system according to the present invention not only monitors various data flowing through a network, but also includes an external connection bus for connecting to an external device such as an output device such as a printer and an external storage device such as a disk drive. It is characterized by being able to monitor. As shown in FIG. 3, the fraud monitoring system according to the present invention may be provided in an internal network such as a corporate LAN and a gateway between the Internet and monitor the network, or may be provided in a mail server and sent through the network. You may monitor the transmission and reception. Further, it may be used for monitoring a segment in the internal network, or may be used for monitoring individual user terminals and the network, or monitoring connection with an external device.

  FIG. 1 shows an example when used for network monitoring. The fraud monitoring system according to the present invention includes a fraud monitoring server 10, a user data storage unit 12, and a fraud rule storage unit 13. The fraud monitoring server 10 may be provided at the gateway between the internal network and the Internet to monitor unauthorized data leakage from the entire internal network, or may be provided at the internal network to provide illegal data in the segment. It may be used for monitoring of leaks and the like.

  The fraud monitoring server 10 acquires all input / output data flowing through the network, and acquires information related to the attribute of the user who inputs and outputs data from the user data storage unit 12. The fraud rule storage unit 13 stores, in addition to general fraud data determination rules, rules that are determined to be fraudulent according to user attributes. The fraud monitoring server 10 refers to the fraud rule storage unit 13. Then, a general determination rule is referred to for the input / output data, and a rule corresponding to the attribute acquired from the user data storage unit 12 is referred to determine whether the input / output data is invalid. For the input / output data determined to be invalid, a process for shutting down the session in which the input / output was attempted is executed.

  FIG. 2 is an example when used for monitoring an external connection bus. The fraud monitoring system according to the present invention includes a fraud monitoring program 11 stored in the HDD 214 of the processing device 210, a user data storage unit 12, and a fraud rule storage unit. 13, these programs and stored data are read from the HDD 214 at the time of execution of monitoring and are processed in the processing device 210. In the processing device 210, in order to execute monitoring by the fraud monitoring program 11 stored in the HDD 214, various basic programs for hardware control such as input control and output control stored in the ROM 213 are started. The CPU 211 performs arithmetic processing while causing the RAM 212 to function as a work area for the fraud monitoring program 11. In the calculation process of the fraud monitoring program 11, necessary data is read from the user data storage unit 12 and the fraud rule storage unit 13 of the HDD 214 and used. Note that the HDD 214 that stores the program in the processing device may use another storage medium that can store the program, such as a flash memory.

  The fraud monitoring program 11 acquires instruction data flowing through the external connection bus 23 when the driver program 22 is read by the processing device 210 and instruction data for printing out or writing to a disk or the like is transmitted to the external connection bus 23. Then, information related to the attribute of the user who performed the operation related to the instruction data is acquired from the user data storage unit 12. The fraud rule storage unit 13 stores, in addition to general fraud data determination rules, rules that are determined to be fraudulent according to user attributes. The fraud monitoring program 11 stores fraud rules. A process for determining whether or not a general determination rule stored in the unit 13 corresponds to a rule corresponding to the attribute acquired from the user data storage unit 12 is executed. For instruction data determined to be illegal, processing for stopping the processing executed by the driver program 22, such as stop of printout or communication with a computer directly connected to the external connection bus 23, etc. Execute the process.

  The fraud determination method in the fraud monitoring server 10 of FIG. 1 and the fraud monitoring program 11 of FIG. 2 will be described in more detail with reference to FIG. 4 and FIG. FIG. 4 shows a determination method in which a rule according to a user attribute is added to a fraud determination rule, and FIG. 5 determines not only a rule base but also an operation pattern from a profile for each user to determine an unusual operation as illegal. The structure for performing the method to perform is shown.

  The fraud determination in FIG. 4 includes the acquisition of data to be determined by the data acquisition unit 14, the determination of the rule-based illegal operation by the illegal operation determination unit 15, and the cancellation of the target process by the interruption process execution unit 16. It is done in order. Note that these units are not physically separated, but are stored in the HDD 214 as a part of the fraud monitoring program 11 that executes them, and are sequentially read out to cause the RAM 212 to function as a work area. However, the arithmetic processing may be executed by the CPU 211.

  The data acquisition unit 14 acquires data flowing through the network or the external connection bus. The acquired data includes identification data of a user who has performed an operation related to the data. The identification data is specified by a login ID or the like when the user logs in to the computer.

  The unauthorized operation determination unit 15 acquires user attribute information corresponding to the user identification data acquired by the data acquisition unit 14 from the user data storage unit 12. FIG. 6 is an example of user attribute information stored in the user data storage unit 12, and a user ID and attribute information such as a department and job type are stored in a record provided for each user.

  Next, the unauthorized operation determination unit 15 refers to the unauthorized rule storage unit 13 and determines whether the data acquired by the data acquisition unit 14 corresponds to a rule that should be determined to be unauthorized. The fraud rule storage unit 13 stores a rule that should be generally determined to be fraud regardless of the user's attribute and a rule for each attribute that defines matters that are not permitted according to the user's attribute. For the former, for example, a rule generally used for fraud determination based on keywords, URLs, IP addresses, MAC addresses, and the like. For the latter, for example, an operation authority defined for a specific operation according to a department or job title is applicable.

  FIG. 7 shows an example of a determination rule determined according to the user's attribute stored in the fraud rule storage unit 13, but a target attribute and a rule to be applied are stored in a record provided for each rule. In this example, the right to send mail is granted only to regular employees or higher. For example, if the intern nurse shown in the example of FIG. 6 tries to send an email, it is determined that there is no transmission authority, and the email sending process is stopped.

  As described above, when the operation related to the data acquired by the unauthorized operation determination unit 15 is determined to be an unauthorized operation, the interruption process execution unit 16 executes a process for stopping the process executed by the operation. . In other words, for the input / output data through the network, the session blocking process for the input / output is executed, and for the execution processing data through the external connection bus, the printout is stopped or the data is sent to the disk. Processing such as writing stop is executed.

  In the unauthorized operation determination unit 15, when acquiring user attribute information from the user data storage unit 12, if there is no data corresponding to the user ID, or the user ID is invalidated due to the retirement of the user or the like. If it is, the access by the unauthorized person may be determined to be unauthorized without performing the determination by the unauthorized rule storage unit 13, and the interruption by the interruption process executing unit 16 may be executed. Thus, if access by an unauthorized person is determined before the rule-based determination, it is possible to reduce the processing load on the system and to execute a quick determination and interruption process.

  In FIG. 5, fraud determination is performed for each user who does not depend on acquisition of data to be determined by the data acquisition unit 14, determination of rule-based illegal operation by the illegal operation determination unit 15, and rule base by the specific operation determination unit 18 The determination of the unauthorized operation from the operation pattern and the cancellation of the target process by the interruption process execution unit 16 are respectively performed. Note that these units are not physically separated, but are stored in the HDD 214 as a part of the fraud monitoring program 11 for executing each unit, and are read sequentially to cause the RAM 212 to function as a work area. However, the arithmetic processing may be executed by the CPU 211 as in the case of FIG.

  Also in FIG. 5, the processing for obtaining the data to be determined by the data acquiring unit 14, determining the rule-based illegal operation by the unauthorized operation determining unit 15, and canceling the target process by the interruption process executing unit 16 are as follows. This is the same as in the case of FIG. This configuration is characterized in that the profile creation unit 19 creates a profile for each user, and the unique operation determination unit 18 determines an unauthorized operation from the operation pattern for each user.

  The data acquired by the data acquisition unit 14 is determined by a specific operation determination unit 18 that performs determination based on an operation pattern for each user, together with an unauthorized operation determination unit 15 that performs determination based on a rule base. Each user's past operation patterns are registered in the user profile 17, and the unique operation determination unit 18 compares the operation related to the acquired data with the user's operation pattern registered in the user profile 17, and performs a unique operation. When it is determined that the operation is a simple operation, the interruption processing execution unit 16 performs interruption. For example, when an operation is performed during a time period when the operation is not normally performed, or when a large number of operations that are not normally performed are performed, it is possible to perform improper behavior by the user or impersonation using another user's user ID. The process is interrupted.

  The operation pattern registered in the user profile 17 can be created from the data used for the determination in the specific operation determination unit 18 and the user attribute information in the user data storage unit 12. A log of data acquired by the data acquisition unit 14 may be used. The profile update may be executed as online processing every time new data is acquired, or may be performed by regular batch processing.

  The unique operation determination unit 18 is provided with a knowledge engine for determining a specific operation pattern as compared with the user profile 17. The knowledge engine has a function of artificial intelligence that discriminates between normal operations and unique operations, but the structure of artificial intelligence may be based on a Bayesian network or a neural network .

  In the embodiments described so far, a session blocking process is executed when it is determined that the operation is invalid, and printout is stopped and writing to the disk is stopped for execution processing data through the external connection bus. However, if it is determined that an unauthorized operation is performed, a warning is sent to the user who executed the operation, or the administrator of the computer or network. Also good.

  The basic flow of the fraud monitoring program according to the present invention will be described using the flowchart of FIG. First, the input / output data flowing through the network or the external connection bus and the ID of the operator who executed the operation related to the input / output data are acquired (S01). For the acquired ID, the user database storing the attribute information of the user is referred to (S02). If the ID does not exist in the user database (S03), it is determined that the operation is performed by a person without operation authority and the input is performed. Processing for canceling the operation related to the output data is executed (S08).

  When the ID exists in the user database (S03), the attribute information related to the ID is acquired from the user database (S04). Subsequently, referring to the rule database (S05), it is first determined whether the acquired attribute does not correspond to the rule defined for each attribute (S06). If applicable, it is determined that the operation is performed by a person who does not have the operation authority for the operation, and the operation for canceling the operation for the input / output data is executed (S08). If not, it is determined whether the acquired input / output data does not correspond to a general rule (S07). If applicable, it is determined that the operation is an unauthorized operation, and an operation cancellation process for the input / output data is executed (S08). If not, it is assumed that the operation is normal and the operation relating to the input / output data is executed as it is.

It is a figure which shows the example which uses the fraud monitoring system concerning this invention for the monitoring of a network. It is a figure which shows the example which uses the fraud monitoring system concerning this invention for the monitoring of a connection with an external device. It is a figure which shows the installation position of the fraud monitoring system concerning this invention. It is a block diagram which shows the 1st structure of the fraud monitoring system concerning this invention. It is a block diagram which shows the 2nd structure of the fraud monitoring system concerning this invention. It is a figure which shows an example of the user data storage part of the fraud monitoring system concerning this invention. It is a figure which shows an example of the fraud rule storage part of the fraud monitoring system concerning this invention. It is a flowchart which shows the flow of the fraud monitoring program concerning this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Fraud monitoring server 11 Fraud monitoring program 12 User data storage part 13 Fraud rule storage part 14 Data acquisition part 15 Unauthorized operation determination part 16 Interruption process execution part 17 User profile 18 Specific operation determination part 19 Profile creation part 20 User terminal 210 Processing apparatus 211 CPU
212 RAM
213 ROM
214 HDD
22 Driver program 23 External connection bus 24 Output device 25 External storage device 31 User terminal 32 User terminal 33 User terminal 41 External terminal 42 External terminal 43 External terminal

Claims (9)

A program for monitoring unauthorized data that causes a computer to perform unauthorized operations,
Obtaining input / output data input / output through an external connection bus connecting the computer and an external device;
Identifying identification information for identifying a user from the input / output data;
Obtaining at least a part of attribute information corresponding to the identification information from a user information storage unit storing attribute information of each user for users who have authority to use the computer;
Determining whether the input / output data is illegal data with reference to a determination rule storage unit that stores a rule for determining that the input / output data is illegal data;
If it is determined that the data is illegal in the step of determining whether the data is invalid data, the operation executed by the input / output data is stopped.
The determination rule storage unit stores determination rules corresponding to user attributes,
In the step of determining whether the data is illegal data, it is determined whether the data is illegal data with reference to the determination rule corresponding to the attribute information acquired in the step of acquiring at least a part of the attribute information. A featured fraud monitoring program. In the computer,
Determining whether a user corresponding to the identification information has authority to use the computer with reference to the user information storage unit;
If it is determined that there is no usage authority in the step of determining the usage authority, a step of stopping an operation executed by the input / output data is executed,
The step of determining the usage authority is executed prior to the step of determining the unauthorized data,
If it is determined that there is no usage authority in the step of determining the usage authority, at least one of the step of acquiring at least a part of the attribute information in the computer or the step of determining whether the data is unauthorized data The fraud monitoring program according to claim 1, wherein the step is not executed. In the computer,
With reference to a profile storage unit that stores log data related to the input / output data as a profile for each user, the input / output data acquired in the data acquisition step is compared with the tendency of daily operations of the user. The step of determining whether it is peculiar,
In the step of stopping the operation executed by the input / output data, the operation executed by the input / output data is stopped even when it is determined to be unique in the step of determining whether or not it is unique. The fraud monitoring program according to claim 1 or 2. The terminal device operated by the user or the administrator that the operation executed by the input / output data is an unauthorized operation when it is determined in the step of determining whether the data is unauthorized data The fraud monitoring program according to any one of claims 1 to 3, wherein a step of notifying the user is executed. A method for monitoring unauthorized data that causes a computer to perform unauthorized operations,
The computer obtains input / output data input / output through an external connection bus connecting the computer and an external device;
The computer specifying identification information for identifying a user from the input / output data;
The computer acquires at least a part of attribute information corresponding to the identification information from a user information storage unit that stores attribute information of each user for users who have authority to use the computer;
The computer refers to a determination rule storage that stores a rule for determining that the input / output data is illegal data, and determines whether the input / output data is illegal data;
A step of determining whether the computer is the unauthorized data in the step of determining whether the data is the unauthorized data, or a step of stopping the operation executed by the input / output data,
The determination rule storage unit stores determination rules corresponding to user attributes,
In the step of determining whether the data is illegal data, it is determined whether the data is illegal data with reference to the determination rule corresponding to the attribute information acquired in the step of acquiring at least a part of the attribute information. Characteristic fraud monitoring method. A system for monitoring unauthorized data that causes a computer to perform unauthorized operations,
Data acquisition means for acquiring input / output data input / output through an external connection bus connecting the computer and an external device;
Identification information specifying means for specifying identification information for identifying a user from the input / output data;
User information storage means for storing attribute information of each user for users who have authority to use the computer;
Attribute information acquisition means for acquiring at least a part of attribute information corresponding to the identification information from the user information storage means;
Determination rule storage means for storing a rule for determining that the input / output data is illegal data;
Referring to the determination rule storage means, illegal data determination means for determining whether the input / output data is illegal data; and
A stop means for stopping an operation executed by the input / output data when the illegal data determination means determines that the data is illegal data;
In the determination rule storage means, a determination rule corresponding to the attribute of the user is stored,
The fraud monitoring system characterized in that the fraudulent data determination means determines whether the data is fraudulent data with reference to the determination rule corresponding to the attribute information acquired by the attribute information acquisition means. With reference to the user information storage means, comprising a use authority determining means for determining whether a user corresponding to the identification information has use authority of the computer,
The stopping means stops the operation executed by the input / output data even when the usage authority determining means determines that there is no usage authority,
The usage authority determining means is activated prior to the unauthorized data determining means,
7. The fraud monitoring system according to claim 6, wherein when the use right judging means judges that there is no use right, at least one of the attribute information acquisition means or the illegal data judgment means is not activated. . Profile storage means for storing log data related to the input / output data as a profile for each user;
Singular operation determination means for determining whether the input / output data acquired by the data acquisition means is specific as compared to the daily operation tendency of the user with reference to the profile storage means. And
8. The fraud monitoring system according to claim 6, wherein the stopping unit stops an operation executed by the input / output data even when the specific operation determining unit determines that the specific operation is unique. Notification means for notifying the terminal device operated by the user or the administrator that the operation executed by the input / output data is an unauthorized operation when the unauthorized data determination means determines that the data is unauthorized data The fraud monitoring system according to any one of claims 6 to 8, further comprising: