JP2007109016A - Access policy creation system, method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce a labor of access policy creation to the minimum by automatically sorting/generalizing access information collected by operating a program for a monitoring target and by automating the access policy creation based on previously created policy creation rules. <P>SOLUTION: Co-occurrence relation that does not rely on the target program is previously listed up of such co-occurrence relations of resource access that "the possibility of accessing certain another resource anytime in accessing a certain resource is high", and is described as the policy creation rules 110. A sorting means 106 creates an event set from access logs observed by an access auditing means 102 based on the policy creation rules 110. A generalization means 107 generalizes an event based on the event set. The policy creation means 108 generates the access policy based on the generalized event set. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an access policy generation system, an access policy generation method, and an access policy generation program for generating an access policy, and in particular, collects operation states of programs subject to policy enforcement (policy-based access control) to access policy. The present invention relates to an access policy generation system, an access policy generation method, and an access policy generation program.

  In recent years, information leakage and information falsification due to computer viruses and information leakage and information falsification due to unauthorized access to servers have become problems. Many of these information leakage and information falsification problems are caused by software vulnerabilities. That is, when a vulnerable part (for example, a security hole) is attacked, the program may execute processing according to an operation different from the operation originally assumed by the program. Unexpectedly readable files are read by the program (information leakage), files that are originally uneditable from outside are edited (information falsification), etc. Unauthorized resource access is made.

  In order to solve the information leakage and information falsification problems mentioned above, even if a software vulnerability is attacked, resources are accessed according to operations different from those originally assumed by the software. May be controlled so as to prevent the access. For example, in order to prevent unauthorized access to resources by software, various policy enforcement systems called secure OS, access control middleware, sandbox, unauthorized intrusion prevention system, and the like are used.

  These policy enforcement systems have a function of restricting a monitored program from accessing a specific resource in accordance with given requirements (conditions). Hereinafter, the requirement (condition) for restricting the monitoring target program from accessing a specific resource is referred to as “access policy” (or simply “policy”). An operation restricted according to the access policy is referred to as “access”.

  In the policy enforcement system, by setting the access policy correctly, damage caused by unauthorized access, cracking, computer viruses, and worms can be suppressed. For example, when using a policy enforcement system on a WWW server, if you set an access policy that the WWW content cannot be rewritten, even if an arbitrary code is executed by attacking the vulnerability of the WWW server, Tampering due to rewriting can be prevented.

  In general, there are two types of access policies, “permitted policy” and “prohibited policy”. The “permission policy” is a policy indicating a condition for permitting a program to access a specific resource. The “prohibited policy” is a policy indicating a condition for prohibiting the program from accessing a specific resource. In addition, there are three methods for specifying an access policy: a method of specifying only “permitted policy”, a method of specifying only “prohibited policy”, and a method of specifying both “permitted policy” and “prohibited policy”. .

  In the method of specifying only the permitted policy as the access policy specifying method, only the access permitted by the user is described (included) in the access policy. In this case, only access that matches the condition indicated in the access policy permission policy is permitted, and other access (that does not match the condition indicated in the permission policy) is prohibited.

  Further, in the method of specifying only the prohibited policy as the access policy specifying method, only the access prohibited by the user is described (included) in the access policy. In this case, only access that matches the condition indicated in the access policy prohibition policy is prohibited, and other access (that does not match the condition indicated in the prohibition policy) is permitted.

  In addition, in the method of specifying both the permission policy and the prohibition policy as the method for specifying the access policy, the “meta policy” that defines the processing to be executed when the permission policy and the prohibition policy conflict with each other is the permission policy and the prohibition policy. Separately, it is separately described (included) in the access policy by the user.

  Here, it is important to set the access policy correctly in order to appropriately limit the access. If the range of access permitted by the access policy is too narrow, the program cannot access resources that should be accessible, causing a malfunction of the program. This inability to access resources that should be accessible and the program malfunctioning is called “false detection”. If a malfunction of the program is caused, the operation of the entire system is hindered. Therefore, it is practically difficult to use the policy enforcement system unless false detection is suppressed to zero as much as possible.

  On the other hand, in order to eliminate the occurrence of erroneous detection, it is conceivable to widen the range of access permitted by the access policy. However, if the range of access permitted by the access policy is too wide, unauthorized operation of the program is permitted, and policy enforcement cannot be performed properly. Too widen the scope of access and allow unauthorized operation of the program is called “missing detection”. Therefore, in order to appropriately enforce policy enforcement, it is necessary to reduce false detections to zero as much as possible while reducing detection omissions as much as possible.

  However, if an access policy that takes into account the reduction of both detection omissions and false detections is described and created manually, it takes time and effort for the user, and errors in the access policy are likely to occur. Therefore, a method for automatically generating a permission policy by observing an actual operation state of a program has been proposed.

  For example, Patent Document 1 describes a method (also referred to as Prior Art 1) of adding a rule that allows a program to operate for a certain period of time and permit access observed while the program is operating as a permission policy. Has been. In addition, for example, in Patent Document 2, the program is operated for a certain period of time, and by analogy that a file in the same directory or the same type of file can be accessed for the observed resource access, Bayesian estimation is performed. A method (also referred to as Prior Art 2) for narrowing down access to be permitted is described.

  Further, for example, in Patent Document 3, the program is operated for a certain period of time, and the observed resource access is generalized by a path name pattern, or accesses having similar internal states of the program at the time of resource access are disclosed. Is described (also referred to as Prior Art 3). Further, for example, Patent Literature 4 describes a policy setting support tool that supports access policy creation.

Japanese Patent Laying-Open No. 2003-006027 (paragraphs 0009-0015, FIG. 1-5) JP 2005-044243 (paragraph 0059-0101, FIG. 2) Japanese Patent Laying-Open No. 2005-234661 (paragraphs 0044-0089, FIGS. 1-6) Japanese Patent Laying-Open No. 2004-192601 (paragraphs 0088-0108, FIGS. 1 and 7-9)

  According to the prior art 1 (method described in Patent Document 1), it is possible to add the observed access as a permission rule. However, even if the program is operated for a certain period of time, it is not always possible to observe all the access that the program can perform. Even if it is added as a permission rule as it is, there arises a problem that all access that should be permitted by the program to be monitored is not permitted (an erroneous detection occurs). In general, since the operations of the program are very diverse, it is difficult to observe all accesses, and even if the method according to the prior art 1 is used, such a malfunction cannot be excluded.

  According to Prior Art 2 (method described in Patent Document 2), instead of adding the observed access as a permission rule as it is, a file in the same directory as the target file of the observed file access or the same extension is used. The files you have are also considered to be allowed. Then, the file to be permitted is estimated and processed (access to the estimated permission target file is added as a permission rule). If the method described in Patent Document 2 is used, if the access target is the same type of file (mainly determined by the extension of the file), even if the access is not actually observed, the access policy Access control can be performed as a target. In other words, assuming that the same access policy can be applied to files of the same type and that the same access policy can be applied to files in the same directory, even access that is not actually observed Can be an access policy target.

  If the method described in Patent Document 2 is used, it is possible to solve to some extent the problem in the prior art 1 in which erroneous detection occurs when all accesses cannot be observed. However, in general, the above-mentioned properties (the property that it can be applied if it is the same type of file and the property that it can be applied if it is a file in the same directory) often do not hold. It is not always possible to create it. For example, even if a file has the same extension or a file in the same directory, a completely different access policy should actually be applied. For example, in Linux, there are many files with the extension ".conf" under the directory "/ etc /", but these are many files related to completely different functions, and the same access policy should not be applied. Absent. In such a case, if the same access policy is applied, detection failure will occur.

  Conversely, the same access policy is often applied even if the files have the same extension or are not in the same directory. For example, in general, the file server can access all files existing under the public directory. However, since files under these public directories cannot be distinguished by extension or directory, it is difficult to apply the same access policy even if the method according to the prior art 2 is used. In addition, when the files under the public directory cannot be distinguished, if the same access policy cannot be applied, a false detection will occur.

  According to Prior Art 3 (the method described in Patent Document 3), the same access policy can be applied in the case of resource access that is called from the same place in the program (having the same call stack). Assuming the nature, even access that has not actually been observed can be the target of the access policy. According to the method described in Patent Document 3, it is possible to generate an access policy with higher accuracy compared to a method of creating an access policy using an extension or a directory. However, compared to the method of determining whether access is permitted or not based on the extension or directory, the method of determining whether or not the program is called from the same location in the program has a high accuracy of the access policy to be generated, but the program to be monitored Depending on the condition, the judgment condition may be too strong or too weak. That is, even if the method described in Patent Document 3 is used, there are cases where erroneous detection occurs or detection omission occurs. For example, even if the method described in Patent Document 3 is used, an appropriate access policy cannot be generated if the number of events observed during access policy generation is small.

  As described above, the method according to the prior art 2 and the method according to the prior art 3 solve to some extent the problem in the prior art 1 in which false detection occurs when all accesses cannot be observed. However, even if the method according to the prior art 2 is used, if the property that it can be applied to files of the same type or the property that it can be applied to files in the same directory does not hold, it is not always appropriate access. It is not always possible to create a policy. In addition, the method according to the prior art 3 can generate an access policy with high accuracy, and solves the problems when the method according to the prior art 2 is used to some extent. However, even if the method according to the prior art 3 is used, depending on the program to be monitored, the determination condition based on the access policy is too strong or too weak, and there still remains a problem that erroneous detection or detection omission occurs.

  Note that the policy setting support tool described in Patent Document 4 is also a related art relating to the creation of an access policy. However, Patent Document 4 merely describes a support tool related to support for creating an access policy, and does not disclose creating an access policy for an unknown application. Even if the policy setting support tool described in Patent Document 4 is used, effective support for creating an access policy cannot be performed when the installation location or setting of the application is changed.

  Accordingly, an object of the present invention is to provide an access policy generation system, an access policy generation method, and an access policy generation program that can automate the generation of an access policy and reduce the effort for creating an access policy as much as possible. It is another object of the present invention to provide an access policy generation system, an access policy generation method, and an access policy generation program that can generate an access policy with high accuracy and reduce manual correction as much as possible.

  In the access policy generation system according to the present invention, a monitoring target program (for example, the target program 101) accesses a specific resource (for example, a file system for managing an access target file or data, or an access target file or data). An access policy generation system that generates an access policy for restricting the access, and detects an access to a resource by a monitored program and outputs access information indicating the content of the detected access (for example, The access policy is generated based on the access information output by the access detector according to the policy generation rule (for example, the policy generation rule 110) that is information indicating the access policy generation condition. Access Rishi generating means (e.g., the classification unit 106, the access policy generation means implemented by generalization means 107 and the policy generating unit 108) is characterized in that a.

  In addition, the access policy generation system detects a state of processing executed according to the monitored program when the access detecting unit detects the occurrence of access to the resource by the monitored program (for example, state observation). The state detection unit adds the detection result (for example, internal state information) of the state of the process executed according to the program to be monitored to the access information output by the access detection unit. The access policy generation unit may generate an access policy based on access information to which the state detection unit adds the detection result of the state of the process being executed according to the program to be monitored.

  Further, the access policy generation system includes policy generation rule storage means (for example, realized by the policy generation rule storage unit 109) that stores policy generation rules in advance, and the policy generation rule storage means stores the access policy generation means. The access policy may be generated according to the policy generation rule.

  In the access policy generation system, the policy generation rule storage means includes a classification rule (for example, a classification rule 111) indicating a predetermined classification condition for classifying the access information and a predetermined generalization for generalizing the access information. A policy generation rule including a generalization rule (for example, a generalization rule 112) indicating a generalization condition is stored in advance, and the access policy generation unit outputs the access information output by the access detection unit according to the classification rule included in the policy generation rule. Classification means for classifying (for example, realized by the classification means 106) and generalization means for generalizing the access information classified by the classification means in accordance with the generalization rules included in the policy generation rule (for example, realized by the generalization means 107) Policy that generates an access policy based on the access information generalized by the generalization means. Forming means (for example, implemented by the policy generating unit 108) and may include a. Note that “generalization” refers to, for example, calculating a larger set of events including a set of events based on a set of events (events detected at the time of access).

  In addition, the access policy generation system uses an access policy for restricting a monitored program from accessing a specific resource, which is used for policy enforcement performed based on an authorization policy indicating an authorization rule for permitting access to a resource. An access policy generation system for generating an access detection means for detecting access to a resource by a monitoring target program and outputting access information indicating the content of the detected access when the policy is forced, and an access detection means When the occurrence of access to the resource by the monitoring target program is detected, a state detecting means for detecting the state of processing executed in accordance with the monitoring target program and a plurality of access information output by the access detecting means are created in advance. Policy generation that shows the conditions for generating an access policy Classification means for classifying based on the classification rules included in the rules, generalization means for generalizing the access information classified by the classification means based on the generalization rules included in the policy generation rule, and A policy generation unit that generates an access policy based on the access information that has been converted, and the state detection unit adds the detection result of the state of the process being executed according to the monitored program to the corresponding access information It may be. Note that “policy enforcement” refers to, for example, determining whether to permit or prohibit access to a resource based on an access policy, accepting access determined to be permitted, and rejecting access determined to be prohibited .

  Further, in the access policy generation system, the classification means includes, as a classification rule, a selection classification rule indicating a condition for selecting only access information that matches a predetermined condition from a plurality of access information, and access information that matches a predetermined condition. The access information may be classified based on a policy generation rule including a division classification rule that indicates a condition for dividing a plurality of pieces of access information so that they belong to the same set.

  The access policy generation system also stores a status storage unit (for example, a status storage unit) that stores a status of a process that is being executed according to a monitoring target program detected by the status detection unit when an access permitted by the access policy occurs. When the access detecting means detects an access based on the access policy, the state of the processing executed according to the monitored program detected by the state detecting means is stored in the state storing means. Access is detected based on whether or not it matches the stored state, and the policy generation means performs access based on whether or not it matches the state of the process being executed according to the monitored program. An access policy for instructing whether or not to detect may be generated.

  Further, the access policy generation system detects the type and version of the platform (for example, the operating system (for example, Linux or Windows) used by the computer) on which the program to be monitored operates, and matches the detected platform type and version. A policy generation rule acquisition unit that acquires a policy generation rule (for example, realized by the policy generation rule acquisition unit 115) may be provided. Note that “obtain policy generation rule” means, for example, that the policy generation rule 110 is received via a network from a host other than the computer using the access policy generation system.

  An access policy generation method according to the present invention is an access policy generation method for generating an access policy for restricting a monitored program from accessing a specific resource, and detects access to a resource by a monitored program. And generating an access policy based on the access information output in the access detection step according to the access detection step for outputting the access information indicating the content of the detected access and the policy generation rule that is the information indicating the generation condition of the access policy. And an access policy generation step.

  The access policy generation method generates an access policy for restricting a monitored program from accessing a specific resource, which is used for policy enforcement performed based on an authorization policy indicating an authorization rule for permitting access to a resource. An access policy generation method that detects access to a resource by a monitored program when policy is forced, and outputs access information indicating the content of the detected access, and is monitored by the access detection step When the occurrence of access to a resource by a program is detected, the status of the process being executed according to the monitored program is detected, and the detection result of the status of the process being executed according to the monitored program is displayed as the corresponding access information. Status detection step and access A classification step for classifying a plurality of access information output in the output step based on a classification rule included in a policy generation rule indicating a pre-generated access policy generation condition, and a policy generation for the access information classified in the classification step A generalization step that generalizes based on a generalization rule included in the rule, and a policy generation step that generates an access policy based on the access information generalized in the generalization step may be included.

  An access policy generation program according to the present invention is an access policy generation program for generating an access policy for restricting access of a monitoring target program to a specific resource, and the monitoring target program is stored in the computer. Access based on the output access information according to the access detection process that detects access to the resource by and outputs the access information indicating the content of the detected access, and the policy generation rule that is the information indicating the access policy generation condition This is for executing an access policy generation process for generating a policy.

  The access policy generation program is an access policy for restricting a monitored program from accessing a specific resource, which is used for policy enforcement performed based on an authorization policy indicating an authorization rule for permitting access to a resource. An access policy generating program for generating an access policy that detects access to a resource by a monitored program and outputs access information indicating the content of the detected access when the policy is forced to the computer; When the occurrence of access to the resource by the monitored program is detected, the status of the process being executed according to the monitored program is detected, and the detection result of the status of the process being executed according to the monitored program is handled. State detection processing to be added to the access information to be A classification process for classifying a plurality of access information based on a classification rule included in a policy generation rule indicating an access policy generation condition created in advance, and a generalization included in the policy generation rule for the classified access information A generalization process for generalizing based on the rule and a policy generation process for generating an access policy based on the generalized access information may be executed.

  For example, the property that “the same access policy can be applied to resource access called from the same place in the program” used in the method according to the prior art 3 is only one of the properties of the program. . As long as the program is not written maliciously, there are other common properties between programs derived from the conventions on the platform on which the program runs and the nature of the platform.

  Among these common properties, there is a property that allows an analogy of resource access that “when a certain resource is accessed, there is a high possibility of accessing another certain resource”. This property is called “resource access co-occurrence relationship”. The property that “the same access policy can be applied to resource accesses called from the same place in the program” is one of the co-occurrence relationships of resource access.

  Resource access co-occurrence relationships can be enumerated in addition to common extensions, common parent directories, and the same internal state when accessing resources. . By using the co-occurrence relationships of the plurality of resource accesses in combination, an access policy with higher accuracy can be generated.

  For example, when UNIX (registered trademark) or Linux is used, a temporary file is often written in the “/ tmp” directory. Because of these characteristics, the resource access co-occurrence relationship that “the same access policy can be applied to a file written in the“ / tmp ”directory” derived from the convention on the UNIX and Linux platforms is derived. Can do. And if the number of events observed during access policy generation is small, for example, even if only `` write to /tmp/0001.tmp '' event can be observed, by using this co-occurrence relationship, It can be determined that writing to “/tmp/*.tmp” may be permitted.

  Similarly, when using UNIX or Linux, the configuration file placed in “/ etc”, the library file placed in “/ usr / lib”, etc., placed in “/ var / log” You can enumerate any number of resource access co-occurrence relationships between custom log files. These properties depend on the platform, such as the type and version of the OS, but do not depend on the application program. Therefore, the access policy of any program can be used.

  In the present invention, a higher-accuracy access policy is generated by using a combination of resource co-occurrence relationships common to these programs to be monitored. Also, as one of the problems of the method according to the prior art 3, since the access policy is generated by examining the internal state of the program at the time of accessing the resource only during the generation of the access policy, it is sufficient particularly when the number of observed events is small. There is a problem that it may not be possible to generate a simple authorization policy. In the second embodiment of the present invention, the internal state of the program at the time of resource access is checked not only during the generation of the access policy but also in the state where the operation of the program is monitored. Then, by providing an access policy generation means suitable for using a monitoring method for detecting an internal state even during program operation monitoring, access control with fewer false detections is realized.

  According to the present invention, an access policy is generated based on access information according to a policy generation rule. That is, the access policy is not generated based on only the observation result of the access during the predetermined period, but is generated according to the policy generation rule based on the co-occurrence relationship of events not depending on each program. Therefore, it is possible to automate the generation of the access policy and reduce the trouble of creating the access policy as much as possible. In addition, it is possible to generate an access policy with high accuracy and reduce manual labor as much as possible.

  Further, in the present invention, if the processing for classifying and generalizing the access information is executed in order according to the policy generation rule including the classification rule and the generalization rule, in terms of false detection and detection failure. However, it is possible to generate an access policy with higher accuracy.

  Further, in the present invention, a state storage unit that saves a state of a process being executed according to a program to be monitored is provided, and based on whether or not the detected state of the process matches a state stored in the state storage unit. Thus, it is possible to determine whether or not access is possible while taking into account the detected state. Therefore, even when the number of observed access events is insufficient or sufficient generalization cannot be performed, it is possible to more accurately determine whether access is possible.

  In the present invention, if a policy generation rule that matches the type and version of the platform is acquired, the access policy can be generated according to the policy generation rule suitable for the platform. Therefore, an optimal access policy can be generated even when the version of the operating system (OS) is updated.

Embodiment 1 FIG.
Hereinafter, a first embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing an example of the configuration of a system 100 using (operating) an access policy generation system according to the present invention. In this embodiment, the access policy generation system can be applied to, for example, a system that performs file access authority setting of a general operating system (OS), access authority setting of a secure OS, policy setting of access control middleware, and the like. . The access policy generation system can be applied to a system that performs policy setting for a host-based unauthorized intrusion detection system or host-based unauthorized intrusion prevention system, policy settings for a virtual machine having a sandbox model, and the like.

  As shown in FIG. 1, a system (for example, an information processing system) 100 using an access policy generation system is realized by, for example, a computer (central processing unit, processor, or data processing device) that operates under program control. The system 100 is realized by an information processing apparatus such as a workstation or a personal computer. As shown in FIG. 1, the system 100 is connected to an input device 120 for inputting various types of information. Note that the system 100 may include an input device 120. The input device 120 is specifically realized by an input device such as a keyboard and a mouse.

  As shown in FIG. 1, the system 100 includes a target program 101, an access audit unit 102, a resource 103, a state observation unit 113, an access log storage unit 105, a policy generation rule storage unit 109, and a classification unit 106. A generalization unit 107, a policy generation unit 108, and a policy storage unit 104. Further, as shown in FIG. 1, the policy generation rule storage unit 109 stores a plurality of policy generation rules 110 including a classification rule 111 and a generalization rule 112 in advance. That is, the policy generation rule storage unit 109 stores in advance a policy generation rule 110 based on a co-occurrence relationship of events that does not depend on individual programs in the form of a set of a classification rule 111 and a generalization rule 112.

  The target program 101 is a program that operates on the system 100 and is a target of access monitoring. For example, the target program 101 is various application software such as a WWW server and a word processor.

  Specifically, the access auditing unit 102 is realized by a computer that operates according to a program. The access audit unit 102 has a function of monitoring various accesses (for example, access to a file) performed by the target program 101 in accordance with an access policy for restricting the target program 101 from accessing a specific resource 103. In this case, the access auditing unit 102 permits access performed by the target program 101 in accordance with the conditions indicated in the access policy permission policy (for example, when the conditions are met). Further, the access auditing unit 102 prohibits access performed by the target program 101 in accordance with the conditions indicated in the access policy prohibition policy (for example, when the conditions are met).

  In the present embodiment, the access auditing means 102 operates in one of the “audit mode” and “rule generation mode”. In the present embodiment, the setting of whether the access auditing unit 102 is operated in the “audit mode” or the “rule generation mode” is performed by user input from the input device 110. For example, the access auditing unit 102 selects either “audit mode” or “rule generation mode” in accordance with setting information set in advance by user input. Then, the access audit means 102 executes processing according to the selected operation mode.

  When operating in the “audit mode”, the access audit unit 102 monitors access from the target program 101 to the resource 103. In this case, the access auditing unit 102 enforces policy based on the access policy stored in the policy storage unit 104.

  “Policy enforcement” refers to determining whether to permit or prohibit access to a resource based on the access policy stored in the policy storage unit 104, accepting access that is determined to be permitted, and access determined to be prohibited It is a process to refuse.

  Note that “access” is an instruction for a base program based on the target program 101 and is an operation instruction for various operations on the system resource 103. In the present embodiment, “access” may be used to mean various operations on the system resource 103. For example, when the base program is an operating system (OS), a system call for performing file reading, file writing, data transmission to the communication network, data reception from the communication network, and the like is “access”. Other system calls other than file input / output and data transmission / reception may be included in “access”. For example, a system call for executing a process, securing a heap memory, or the like may be included in “access”.

  Further, for example, when the base program is JavaVM (Java Virtual Machine, Java is a registered trademark), API (Application Programming Interface) calls for JavaVM such as object creation and method call of other objects are “access”.

  When operating in the “rule generation mode”, the access audit unit 102 monitors the access from the target program 101 to the resource 103, but stores the detected access contents (access information) in the access log without performing policy enforcement. Processing to be stored in the unit 105 is performed. At the same time, the state observing unit 113 checks (detects the internal state of the control unit (for example, the computer) that performs processing based on the target program 101 (for example, the contents of the stack, the register, and the heap memory included in the control unit). To do). Then, the state observation unit 113 stores information obtained by adding the detected internal state of the control unit to the access information detected by the access audit unit 102 in the access log storage unit 105.

  The state observing means 113 is specifically realized by a computer that operates according to a program. The state observation unit 113 has a function of detecting the state of a process being executed according to the target program 101 as the internal state of the control unit when the access audit unit 102 detects the occurrence of access to the resource 103 by the target program 101. Is provided. . Further, the state observation unit 113 has a function of adding the detected internal state of the control unit to the access information output by the access audit unit 102.

  Here, it is preferable that the internal state added to the information stored in the access log storage unit 105 is only a part of the internal state of the control means. This is because, in general, the amount of data indicating the internal state of the control means is large, and if information indicating all internal states is stored, a problem may occur in memory utilization efficiency (for example, the memory capacity may be insufficient). Because there is. Therefore, for example, only the contents of the stack and the call stack (particularly, the part storing the history of procedure calls in the stack) of the internal state of the control means may be saved. Information indicating the internal state of the control means detected by the state observation means 113 is also referred to as internal state information.

  The resource 103 is, for example, a file system that manages files and data to be accessed. The resource 103 is, for example, a file or data to be accessed. The resource 103 is stored in advance in a storage device such as a magnetic disk device, for example. In FIG. 1, one resource 103 is shown, but the storage device of the system 100 may store a plurality of resources 103 in advance.

  Specifically, the policy storage unit 104 is realized by a storage device such as a magnetic disk device. The policy storage unit 104 stores an access policy used by the access auditing unit 102 for access monitoring.

  Specifically, the access log storage unit 105 is realized by a storage device such as a magnetic disk device. The access log storage unit 105 temporarily stores the access information detected by the access audit unit 102 (access information based on access by the target program 101). The access log storage unit 105 temporarily stores information indicating the internal state detected by the state observation unit 113 (internal state information at the time of access by the target program 101). In the present embodiment, the access log storage unit 105 stores access information to which internal state information is added.

  The access information is information including the type of access and the access target. In the present embodiment, these access information and internal state information stored in the access log storage unit 105 are collectively referred to as an access log. In the access log storage unit 105, one access information and one internal state information are stored as an access log for one resource access. A set of access information and internal state information is called an event.

  Specifically, the classifying means 106 is realized by a computer that operates according to a program. The classification means 106 performs processing for extracting one or a plurality of subsets from the set of events stored in the access log storage unit 105 according to the contents of the classification rule 111 included (described) in the policy generation rule 110. It has a function to execute. In the present embodiment, as shown in FIG. 1, the policy generation rule storage unit 109 stores in advance a policy generation rule 110 including a classification rule 111 indicating a predetermined classification condition for classifying access information. Then, the classification unit 106 performs processing for classifying the access information output by the access audit unit 102 according to the classification rule 111 included in the policy generation rule 110.

  Specifically, the generalization unit 107 is realized by a computer that operates according to a program. Based on the set of events extracted by the classifying unit 106, the generalizing unit 107 executes a process of generalizing the event according to the contents of the generalization rule 112 included (described) in the policy generation rule 110. It has a function. In the present embodiment, as shown in FIG. 1, the policy generation rule storage unit 109 includes a generalization rule 112 indicating a predetermined generalization condition for generalizing access information (an event indicated in the access information). Policy generation rules 110 are stored in advance. Then, the generalization unit 107 performs a process of generalizing the access information classified by the classification unit 106 in accordance with the generalization rule 112 included in the policy generation rule 110.

  Here, event generalization refers to a process of calculating a larger set of events including the set of events based on the set of events. For example, if there is a set of events consisting of "read /tmp/01.tmp", "read /tmp/02.tmp", "read /tmp/03.tmp" Based on, the event set “read / tmp / *. Tmp” is calculated. Here, “*” included in “/tmp/*.tmp” is a notation called a wild card or GLOB, and means a sequence of zero or more characters (but not including “/”). To do. Since there are an infinite number of events represented by “read / tmp / *. Tmp”, the generalization means 107 executes the generalization process, and from the set of events including the three original events, This means that a process for calculating an infinite set including three events has been executed.

  Another example of generalization is the process of calculating a set of events consisting of "read /etc/hosts.conf" and "read / etc / hosts" from a set of events consisting of "read /etc/hosts.conf" It is. By executing this generalization process, the generalization unit 107 executes a process of calculating a set of two original events from a set of events of one original event.

  Specifically, the policy generation unit 108 is realized by a computer that operates according to a program. The policy generation unit 108 has a function of generating an access policy based on the access information generalized by the generalization unit 107. In the present embodiment, the policy generation unit 108 converts the set of events generated by the generalization unit 112 into a format (data format) that can be interpreted by the access auditing unit 102, and generates an access policy. Further, the policy generation unit 108 performs processing for storing the generated access policy in the policy storage unit 104.

  When the system 100 is operating in the “audit mode”, the operation for generating the access policy is not performed, and the access audit unit 102 does not output any event to the access log storage unit 105 (that is, The event is not stored in the access log storage unit 105). Therefore, when operating in the “audit mode”, the state observation unit 113, the classification unit 106, the generalization unit 107, and the policy generation unit 108 do not perform any operation.

  In the present embodiment, the access policy generation means is realized by the classification means 106, the generalization means 107, and the policy generation means 108. In addition, the classification unit 106, the generalization unit 107, and the policy generation unit 108 perform the operations described above, so that the access policy generation unit is based on the access information output by the access audit unit 102 according to the policy generation rule 110. Generate an access policy.

  Specifically, the policy generation rule storage unit 109 is realized by a storage device such as a magnetic disk device. The policy generation rule storage unit 109 stores in advance a plurality of policy generation rules 110 including generation rules for generating an access policy. The policy generation rule 110 includes a classification rule 111 and a generalization rule 112. The classification rule 111 is an extraction rule when the classification unit 106 extracts one or a plurality of subsets from a set of events. The generalization rule 112 is a generalization rule used when the generalization unit 107 generalizes an event based on a set of events.

  In this embodiment, the access policy generation system includes, for example, an access audit unit 102, a policy storage unit 104, an access log storage unit 105, a classification unit 106, a generalization unit 107, among the units included in the system 100. This is realized by the policy generation unit 108, the policy generation rule storage unit 109, and the state observation unit 113.

  In the present embodiment, the storage device of the system 100 stores various programs for generating an access policy. For example, the storage device of the system 100 detects access to a resource by a monitored program and outputs access information indicating the content of the detected access to the computer, and information indicating access policy generation conditions In accordance with the policy generation rule, an access policy generation program for executing an access policy generation process for generating an access policy based on the output access information is stored.

  Next, the operation will be described. In the present embodiment, the operation of the system 100 when the rule generation mode is set will be described. FIG. 2 is a flowchart illustrating an example of an access policy generation process executed by the system 100 using the access policy generation system when the rule generation mode is set.

  In the access policy generation process, the access audit unit 102 monitors resource access from the target program 101. Further, the access auditing unit 102 extracts access information including the type of access and the access target every time an access occurs. In addition, the state observation unit 113 acquires the internal state of the target program 101 at the time when the access occurs. For example, when resource access from the target program 101 occurs, the state observation unit 113 detects the internal state of the control unit (for example, a computer). The state observing unit 113 collects the detected internal state information and the access information detected by the access auditing unit 102 as events, and stores them as an access log in the access log storage unit 105 (step S101).

  Further, the access auditing unit 102 determines whether or not a predetermined monitoring end condition is satisfied (step S102). If it is determined that the monitoring end condition is not satisfied, the access auditing unit 102 returns to step S101 and repeatedly executes the processes of steps S101 and S102. That is, access monitoring is continuously executed until a predetermined monitoring end condition is satisfied. When an access occurs during monitoring, the process of step S101 is executed.

  The monitoring end condition is a condition for ending access monitoring by the access audit unit 102. For example, on the condition that the processing based on the target program 101 is completed, the monitoring end condition is satisfied, and the access auditing unit 102 ends the access monitoring. Further, for example, on the condition that the end of the rule generation mode is specified from the input device 110 (instructed by the user), the monitoring end condition is satisfied, and the access auditing unit 102 ends the access monitoring. Further, for example, on the condition that a predetermined period has elapsed, the monitoring end condition is satisfied, and the access auditing unit 102 ends the access monitoring. Further, for example, on condition that a predetermined number of pieces of access information are stored in the access log storage unit 105, the monitoring end condition is satisfied, and the access auditing unit 102 ends the access monitoring. Further, for example, when any combination of the above conditions is satisfied, the monitoring end condition is satisfied, and the access auditing unit 102 may end the access monitoring.

  In this embodiment, it is assumed that the monitoring end condition is predetermined. For example, the access auditing unit 102 determines whether or not the monitoring end condition is satisfied in step S <b> 102 based on setting information in which the monitoring end condition is set in advance.

  If it is determined in step S102 that the monitoring end condition is satisfied, the access auditing unit 102 ends the access monitoring. When the access monitoring is completed, the system 100 reads the policy generation rule stored in the policy generation rule storage unit 109 (step S103). Further, the classification means 106 of the system 100 executes a classification process for classifying the events stored in the access log storage unit 105 in accordance with the contents of the classification rule 111 included (described) in the policy generation rule (step S104). ).

  Further, the generalization unit 107 performs a generalization process on the set of one or more events extracted by the classification unit 106 according to the contents of the generalization rule 112 included (described) in the policy generation rule. (Step S105). The system 100 determines whether or not the processing has been completed for all policy generation rules 110 stored in the policy generation rule storage unit 109 (step S106). If it is determined that the processing has not been completed for all policy generation rules 110, the system 100 returns to step S103 and repeatedly executes the processing of steps S103 to S106. That is, the system 100 sequentially performs a series of processes of steps S103, S104, and S105 on all policy generation rules 110 stored in the policy generation rule storage unit 109.

  When it is determined that the processing has been completed for all policy generation rules 110, the policy generation unit 108 generates an access policy based on the set of events generated by the generalization unit 107 (step S107). Then, the policy generation unit 108 stores the generated access policy in the policy storage unit 104.

  Next, the operation of the classification unit 106 will be described. FIG. 3 is a flowchart showing an example of the classification process (step S104 in FIG. 2) in which the classification unit 106 classifies each event stored in the access log storage unit 105.

  First, the classification rule 111 used by the classification means 106 for classification processing will be described. In the present embodiment, there are two types of classification rules 111: “selected classification rules” and “divided classification rules”. “Selection classification rule” is information indicating a condition for extracting one subset from a set of events. The condition for extracting a subset is a condition that should be satisfied by an event belonging to the extracted subset.

  “Division classification rule” is information indicating a condition for dividing a set of events into a plurality of subsets. The condition for dividing into a plurality of subsets is a condition indicating which attributes of the event belong to the same subset when they are regarded as the same value. However, it is excluded when there is only one event included in the subset.

  Further, the classification rule 111 includes a flag (deletion flag) that specifies whether or not to delete the extracted event from the access log storage unit 105 after processing the event according to the division rule 111. For example, when it is set to delete an event in the deletion flag of the classification rule 111, the classification unit 106 deletes the processed event from the access log storage unit 105 when the event is processed.

  In the classification process, the classification unit 106 first determines whether or not the classification rule 111 read in step S103 is a selection classification rule (step S201). That is, the classification unit 106 determines whether the classification rule 111 is a selection classification rule or a division classification rule.

  If it is determined that the read classification rule 111 is a selection classification rule, the classification unit 106 extracts an event that matches the condition specified in the selection classification rule from the set of events stored in the access log storage unit 105. (Step S202). If the event deletion flag of the classification rule 111 specifies that the event is to be deleted, the classification unit 106 deletes the extracted event from the access log storage unit 105 (step 205). Further, the classification unit 206 passes the extracted event to the generalization unit 107.

  If it is determined that the read classification rule 111 is a division classification rule, the classification unit 106 sets the event set stored in the access log storage unit 105 to the same attribute that matches the condition specified in the division classification rule. Divide into event sets with values. Then, the classification unit 106 extracts a set of events having two or more elements after the division (step S203). Next, the classification unit 206 checks the event deletion flag of the classification rule 111 and deletes the event included in the extracted event set from the access log storage unit 105 if the deletion flag specifies that the event is deleted. (Step 205). Further, the classification unit 206 passes the extracted set of events to the generalization unit 107.

  In this embodiment, the case where the classification rule 111 is composed of only one of the “selected classification rule” or the “division classification rule” will be described. May be combined with AND or OR. For example, the classification rule 111 may include a selection classification rule A, a selection classification rule B, and a division classification rule C, and these rules A, B, and C may be combined with AND. In this case, the classification means 106 further applies the selection classification rule B to the event set extracted from the event set according to the selection classification rule A, and extracts the event set. Then, the classification means 106 may further extract the event set by applying the division classification rule C to the extracted event set.

  Next, the operation of the generalization unit 107 will be described. FIG. 4 is a flowchart illustrating an example of a generalization process (step S105 in FIG. 2) in which the generalization unit 107 generalizes an event. The generalization rule 112 is applied to the set of events extracted by the classification unit 106. For example, when the classification rule 111 is a division classification rule, the classification unit 106 extracts a plurality of event sets. In this case, the generalization processing by the generalization means 107 is sequentially applied to each set of events extracted by the classification means 106. The processing content of the generalization means 107 is included (described) in the generalization rule 112.

  First, the generalization rule 112 used by the generalization unit 107 for the generalization process will be described. In the present embodiment, there are two types of generalization rules 112: “direct generalization rules” and “GLOB generalization rules”. The “direct generalization rule” is information that specifies a processing method for directly replacing an attribute of each event included in the set of events with a specified value. Information indicating which attribute of the event is to be replaced is directly described in the condition part of the generalization rule. When a plurality of values are specified, the generalization unit 107 generates a copy of the event to be generalized, and replaces the value of each event attribute with the specified value for a plurality of events including the copy.

  The “GLOB generalization rule” is information that specifies a processing method for replacing an attribute of each event included in the set of events with one or more GLOB patterns. Information indicating which attribute of the event is to be replaced is described in the condition part of the GLOB generalization rule. Further, when replacing with a plurality of patterns, the generalization unit 107 generates a copy of the event to be generalized, and replaces the attribute value of each event with each pattern for the plurality of events including the copy.

  In the generalization process, the generalization unit 107 first determines whether or not the generalization rule 112 read in step S103 is a direct generalization rule (step S301). That is, the generalization unit 107 determines whether the generalization rule 112 is a direct generalization rule or a GLOB generalization rule.

  If it is determined that the read generalization rule 112 is a direct generalization rule, the generalization unit 107 matches the conditions described in the direct generalization rule for each event included in the event set to be processed. The attribute to be replaced is replaced with the attribute value specified by the direct generalization rule (step S302). If it is determined that the read generalization rule 112 is a GLOB generalization rule, the generalization unit 107 determines that the condition described in the GLOB generalization rule is the attribute of each event included in the event set to be processed. A GLOB pattern is generated from attribute values that match Then, the generalization unit 107 replaces the attribute value that matches the condition with the generated GLOB pattern (step S303).

  The generalization unit 107 determines whether there is an unprocessed event set among the event sets extracted by the classification unit 106 (step S304). When determining that there is an unprocessed event set, the generalization unit 107 returns to step S301 and repeatedly executes the processes of steps S301 to S304. That is, when a plurality of event sets are extracted by the classifying unit 106, the generalization unit 107 repeats the processes of steps S301 to S304 described above for all event sets. In addition, the generalization unit 107 passes the event generated according to the above processing to the policy generation unit 108.

  Next, the operation of the generalization unit 107 when a GLOB generalization rule is given will be described. FIG. 5 is a flowchart showing an example of the conversion process (step S303 in FIG. 4) performed by the generalization means 107 when a GLOB generalization rule is given. First, the generalization unit 107 counts the number of path separators (for example, “/” in the case of UNIX or Linux) included in a plurality of given character strings for the event set extracted by the classification unit 106, and determines each path. The depth of is calculated. The generalization unit 107 extracts a set of paths having the same depth based on the calculated path depth (step S401).

  Further, the generalization unit 107 tokenizes the file name / directory name part (referred to as a path component) of each path included in the extracted set of paths having the same depth with “.” As a delimiter (step S402). ). The reason for tokenizing “.” As a delimiter is to treat the extension specially. Note that the generalization unit 107 may use a tokenization rule other than the method using “.” As a delimiter. For example, the generalization unit 107 may tokenize the pass component using a rule in which numbers and alphabetic characters are different tokens. For example, the generalization unit 107 may tokenize the path component by adding “-” or “_” as a delimiter. Further, the generalization unit 107 may calculate the longest common subsequence directly for the character string without dare to tokenize the path component.

  After tokenizing the pass component, the generalization unit 107 calculates the longest common partial sequence from the token sequence, and examines the common portion and the non-common portion of the token sequence (step S403). The generalization unit 107 replaces the extracted non-common part with “*” (step S404).

  Further, the generalization unit 107 determines whether or not the processing has been completed for all components (step S405). If it is determined that the processing has not been completed for all components, the generalization unit 107 returns to step S402 and repeatedly executes the processing of steps S402 to S405. That is, the generalization unit 107 repeats the processing from step S402 to step S404 for all path components.

  Further, the generalization unit 107 determines whether or not the processing has been completed for all paths (step S406). If it is determined that the processing has not been completed for all the paths, the generalization unit 107 returns to step S401 and repeatedly executes the processes of steps S401 to S406. That is, the generalization unit 107 repeats the processing from step S401 to step S405 for all the paths having the same depth.

  Note that the generalization unit 107 may use, for example, an LCS (Longest Common Substring) algorithm in order to extract the longest subsequence from the token sequence in step S403.

  Further, in the present embodiment, a case has been described in which two types of rules, the generalization rule and the GLOB generalization rule, are defined and used as the generalization rule 112, but other than the direct generalization rule and the GLOB generalization rule You may define and use these rules. For example, a rule for generalizing an event with a regular expression instead of GlOB may be defined and used. Further, any rule can be used as the generalization rule 112 as long as it is a rule (rule) that can associate a set of events with another set of events including the set of events.

  Next, the operation of the policy generation unit 108 will be described. The policy generation unit 108 first removes duplicate events from the set of events generated by the generalization unit 107. That is, when there are a plurality of events having the same attribute, the policy generation unit 108 leaves one event and deletes events other than the left event. Here, the policy generation unit 108 does not consider an attribute (for example, an attribute indicating the internal state) that is not reflected in the access policy when determining whether or not they are the same. After performing the above processing, the generalization unit 107 converts the event left without being deleted into an access policy permission rule.

  Next, operations of the classification unit 106, the generalization unit 107, and the policy generation unit 108 will be described using more specific examples. FIG. 6 is an explanatory diagram illustrating an example of a set of events stored in the access log storage unit 105. In the present embodiment, as shown in FIG. 6, the access log storage unit 105 displays an event including an access type (access name), an access target, and an internal state of the program at the time of access in a table format. Store.

  “Access type (access name)” is information indicating a method of accessing the resource 103 based on the target program 101. For example, the event includes a file read (“read”), a file write (“write”), and the like as the access type. “Access target” is information indicating a resource 103 such as a file that is an operation target by access based on the target program 101.

  “Internal state” is information indicating the internal state of the program at the time of access. Here, the internal state of the program at the time of access is generally represented by a long character string or numerical value string. However, in this embodiment, the internal state is replaced with a single numerical value for easy viewing. In FIG. 6, if the numerical values are the same, it is assumed that they have the same internal state for those accesses.

  FIG. 7 is an explanatory diagram illustrating an example of the policy generation rule 110 stored in the policy generation rule storage unit 109. In the present embodiment, as shown in FIG. 7, a case will be described in which three policy generation rules 110 of rule R01, rule R02, and rule R03 are defined.

  First, the case where the process is executed using the rule R01 among the three policy generation rules 110 will be specifically described. FIG. 8 is an explanatory diagram showing an example in which processing is executed using the policy generation rule R01.

  As shown in FIG. 7, the policy generation rule R01 describes a selection classification rule (first access target = “/ tmp /”) as a classification rule. This means that the policy generation rule R01 is a rule indicating a condition that an event whose “access target” starts with “/ tmp /” is extracted from a set of events. Therefore, as shown in FIG. 8, when the classification process by the classification means 106 is applied to the event set C01 to be classified, an event set C02 including the event E02 is extracted as a result of the classification process.

  Further, as shown in FIG. 7, the policy generation rule R01 describes a direct generalization rule (access target => “/ tmp / *”) as a generalization rule. This means that the policy generation rule R01 is a rule that specifies that “access target” is replaced with “/ tmp / *” for each element of the event set extracted by the classifying unit 106. ing. Therefore, as shown in FIG. 8, when the generalization process by the generalization means 107 is applied to the subset C02 extracted by the classification means 06, the event set C03 including the event E11 is obtained as a result of the generalization process. Is generated and output to the policy generation means 108.

  In the example shown in FIG. 7, a deletion flag for deleting an event is set in the policy generation rule R01 (in this example, the deletion flag is set to ◯). Therefore, the generalization unit 107 deletes the event E02 extracted by the dividing unit 106 from the access log storage unit 105 when executing the processing described above.

  Next, the case where the process is executed using the rule R02 among the three policy generation rules 110 will be specifically described. FIG. 9 is an explanatory diagram illustrating an example in which processing is executed using the policy generation rule R02.

  As shown in FIG. 7, the policy generation rule R02 describes a division classification rule that uses (internal state) as a classification rule. This means that the policy generation rule R02 divides a set of events to be classified by paying attention to whether the “internal state” is the same (however, after the division, a subset having only one element) Is a rule). Therefore, as shown in FIG. 9, when the classification processing is performed by applying the policy classification rule R02 division classification rule to the event set C11, the event set C12a composed of events E03 and 0E04 is obtained as a result of the classification processing. And two event sets, an event set C12 composed of events E06, E07, E08, and E09, are extracted.

  Further, as shown in FIG. 7, the policy generation rule R02 describes a GLOB generalization rule that uses (access target) as a generalization rule. This means that the policy generation rule R02 is a rule that specifies that the access target of each event included in the event set extracted by the classifying unit 106 is replaced with the GLOB pattern. Therefore, as shown in FIG. 9, when the GLOB generalization process shown in FIG. 5 is applied to the access target of the event included in the event set C12a, the generalization means 107 generates the event E12. Similarly, when the GLOB generalization process is applied to the event set C12b, the generalization unit 107 generates events E13 and E14. These events E12, E13, E14 are output to the policy generation unit 108 by the generalization unit 107.

  In the example shown in FIG. 7, a deletion flag for deleting an event is set in the policy generation rule R02. Therefore, the generalization unit 107 deletes the events E03, E04, E06, E07, E08, E09 extracted by the division unit 106 from the access log storage unit 105 when executing the processing described above.

  Next, the case where the process is executed using the rule R03 among the three policy generation rules 110 will be specifically described. FIG. 10 is an explanatory diagram showing an example in which processing is executed using the policy generation rule R03.

  As shown in FIG. 7, the policy generation rule R03 describes a selection classification rule having a condition of (TRUE) as a classification rule. This means that the policy generation rule R03 is a rule indicating that an event is unconditionally extracted from a set of events to be classified. That is, it means that the policy generation rule R03 is a rule for extracting all events currently stored in the access log storage unit 105 by the classification means 106 (see event set C22 shown in FIG. 10).

  Further, as shown in FIG. 7, the policy generation rule R03 describes a direct generalization rule () as a generalization rule. This means that the policy generation rule R03 is a rule that does not perform any generalization processing. Therefore, when using the policy generation rule R03, the generalization unit 107 outputs all events (see the event set C23 shown in FIG. 10) stored in the access log storage unit 105 to the policy generation unit 108 as they are. To do.

  Through the above processing, the event shown in FIG. 11 is finally input to the policy generation unit 108. The policy generation unit 108 removes duplication from the input event. The policy generating unit 108 generates an access policy that permits access indicated by the input event and prohibits access other than the access indicated by the input event. FIG. 12 is an explanatory diagram illustrating an example of an access policy generated and output by the policy generation unit 108. As shown in FIG. 12, in this example, the policy generation means 108 permits access that matches the policies P01, P02, P03, P04, P05, and P06, and allows the policies P01, P02, P03, P04, P05, and P06. An access policy that prohibits access other than matching access is generated.

  As described above, the following effects can be obtained by the access policy generation system shown in the present embodiment. First, according to the present embodiment, an access policy with fewer false detections can be generated. For example, even when only one event E02 “write to /tmp/0001.tmp” shown in FIG. 6 can be observed, “write to / tmp / *” shown in FIG. 12 is permitted. An access policy has been generated. For example, even if the event “write to /tmp/0001.tmp” is observed, “write to /tmp/0001.tmp” is an event for writing a temporary file. There is a high possibility that an event of writing to another file such as ".tmp" will occur. By giving a policy generation rule R01 which is a rule derived from the convention on the platform, it can be seen that the rule P01 permitting this file access can be generated. Note that the effect that an access policy with few false detections can be generated cannot be realized even if the methods of the prior art 1, the prior art 2 and the prior art 3 are used.

  Further, according to the present embodiment, by using the policy generation rule R02 which is a rule derived from the property that “the same access policy can be applied to resource access called from the same place in the program”, An access policy with few false positives can be generated even for resource access depending on applications. Specifically, as shown in FIG. 8, events E13 and E14 are generated from the event sets E06, E07, E08, E09, and an access policy can be generated. These events are likely to be accesses to Web contents placed (stored) in “/ var / www”, and eventually a file such as “/var/www/doc/result.xls” Access to is likely to occur. According to the present embodiment, it is understood that the rule P04 that permits this file access can be generated by providing the policy generation rule R02. The effect of generating an access policy with few false detections even for resource access depending on the application can be realized when the method according to the prior art 3 is used, but the method according to the prior art 1 and the prior art 2 Even if is used, it cannot be realized.

  In other words, in the present embodiment, the policy generation rule 110 describing (including) the common program knowledge (information common to the program) derived from customs on the platform, etc., while taking advantage of the method of the prior art 3 is used. Use. By using such a policy generation rule 110, there is an increased possibility of generating an access policy that permits unobserved legitimate resource access (low possibility of false detection) from a limited observation event.

  In addition, by describing knowledge common to programs derived from customs on the platform as the policy generation rule 110, the possibility of generating an access policy with few detection omissions increases.

  For example, assume that events E01 and E02 shown in FIG. 6 have the same internal state. As already described, although the probability of occurrence is low, depending on how the target program 101 is implemented, a plurality of events may have the same internal state. In this case, if the rule R01 is not defined as the policy generation rule 101, “write / var / run / httpd.pid” and “write / tmp / 0001.tmp” are obtained by classification processing and generalization processing using the rule R02. "Becomes a target of GLOB generalization. According to the present embodiment, when the horiishi generation rule R01 is defined, the event set C11 does not include the event E02 at the stage of processing shown in FIG. Sex can be suppressed. Note that the effect of suppressing the possibility of detection omission due to this excessive generalization cannot be realized even if the methods of the prior art 1, the prior art 2 and the prior art 3 are used.

  As described above, according to the present embodiment, an access policy is generated based on the access information output by the access auditing means 102 according to the policy generation rule 110. That is, according to the present embodiment, the access policy is not generated based on only the observation result of the access for a predetermined period, but is accessed according to the policy generation rule 110 based on the co-occurrence relationship of events not depending on each program. Generate a policy. Therefore, it is possible to automate the generation of the access policy and reduce the trouble of creating the access policy as much as possible. In addition, it is possible to generate an access policy with high accuracy and reduce manual labor as much as possible.

  Further, according to the present embodiment, the access policy generation rule (policy generation rule 110) based on the co-occurrence relationship of events that does not depend on individual programs is described in advance in the form of a set of classification rules and generalization rules. . Then, according to the access policy generation rule 110, the classification unit 106 and the generalization unit 107 are sequentially applied and processed, so that compared with the case where the method according to the prior art is used, the detection omission is also detected. Also in this point, a more accurate access policy can be generated.

Embodiment 2. FIG.
Next, a second embodiment of the present invention will be described with reference to the drawings. FIG. 13 is a block diagram illustrating another configuration example of the system 100 using the access policy generation system. In the present embodiment, system 100 is different from the first embodiment in that it includes a state storage unit 114 in addition to the components shown in FIG. The functions of the constituent elements other than the state storage unit 114 of the system 100 are the same as those functions described in the first embodiment.

  The state storage unit 114 is a main memory mounted on the system 100, for example. For example, the state storage unit 11 is realized by a memory of an information processing apparatus that implements the system 100.

  In this embodiment, when the system 100 is operating in the “audit mode”, the system 100 does not perform an operation for generating a policy, and no event is generated from the access audit unit 102 to the access log storage unit 105. Not output. Therefore, when operating in the “audit mode”, the classification unit 106, the generalization unit 107, and the policy generation unit 108 perform no operation. However, in the present embodiment, unlike the first embodiment, the state observation unit 113 performs an operation of acquiring (detecting) the internal state of the system 100 at the time when resource access occurs.

  Also, in the present embodiment, unlike the first embodiment, the access auditing means 102 determines whether or not access is possible in consideration of not only the access name and access target during resource access but also the internal state during access. Do. Specifically, in this embodiment, for example, the access policy shown in FIG. 14 is given. That is, in the access policy, not only the access name and the access target but also a flag (state flag) indicating whether or not the determination is made in consideration of the state is specified. Then, the access auditing unit 102 determines whether or not access is possible using an access policy including a status flag.

  Next, the operation will be described. FIG. 15 is a flowchart illustrating an example of an access audit process performed by the access audit unit 102 according to this embodiment. When the access auditing unit 102 observes (detects) the access, the access auditing unit 102 examines the top rule of the access policy and extracts the top rule (step S501). Further, the access auditing unit 102 determines whether or not the access name of the extracted rule matches the access target (step S502). If the access name matches the access target, the access auditing means 102 checks whether or not a status flag is set in the extracted rule (step S503). When the state flag is set, the access auditing unit 102 displays the observation contents of the state observation unit 113 at that time (that is, the current internal state of the system 100 detected by the state observation unit 113) and the extracted rule. Whether the status flag shown in FIG. 4 indicates “permitted” or “rejected” is stored in the status storage unit 114 (step S504).

  Then, the access audit unit 102 “permits” or “denies” access according to the description of the extracted rule (step S505). If the status flag is not set in step S503, the access auditing unit 102 does not save the status in the status storage unit 114 and proceeds to step S505 as it is.

  If it is determined in step S502 that the access name does not match the access target, the access auditing unit 102 checks whether a status flag is set in the extracted rule (step S506). When the state flag is set, the access auditing unit 102 indicates the same state as the content observed by the state observation unit 113 at that time (that is, the current internal state of the system 100 detected by the state observation unit 113). It is checked whether or not the indicated information is already stored in the state storage unit 114 (steps S507 and S508). When information indicating the same state is stored, the access auditing unit 102 indicates whether the state flag stored together with the information indicating the same state indicates “rejected” or “permitted”. Access control is performed according to the information (step S505).

  If not stored, the access auditing unit 102 repeatedly executes the processing in step S502 and subsequent steps for the next rule included in the access policy. In this case, the access auditing unit 102 determines whether or not an unprocessed rule is included in the access policy (step S509). If there is an unprocessed rule, the access audit unit 102 reads the next rule from the access policy (step S510). Then, the access auditing unit 102 returns to the process of step S102. If there is no next rule (unprocessed rule), the access auditing means 102 determines that the state of the system 100 does not match any rule, and ends the process as it is.

  Next, the operation of the access audit unit 102 described above will be described using a specific example. In the present embodiment, as shown in FIG. 16, a case will be described in which resource access occurs sequentially in the system 100. If the resource access E206 shown in FIG. 16 occurs, this access matches the condition shown in the access rule P15 (see FIG. 14). In addition, since the status flag is set in the access rule P15, the access auditing means 102 executes a process of step S504, and thereby sets a set of information (status 5, permission) in the status storage unit 114. save.

  If the resource access E210 occurs thereafter, this resource access does not match the condition shown in the access rule P15. However, since the status flag is set in the access rule P15, the access auditing unit 102 It is searched from 114 whether or not the same state as the state 5 of the resource access E210 is stored (see step S507). As a result of the search, the access audit means 102 searches for and extracts information having the same state (state 5, permission), and determines that access E210 is permitted based on the extracted information (see step S505). ).

  Further, in the present embodiment, the policy generation unit 108 applies to the access permission rule corresponding to the event generated using the division classification rule based on the internal state, in addition to the operation described in the first embodiment. The process of setting the status flag is performed. By doing so, the policy generation means 108 can generate the access policy illustrated in FIG.

  Note that a status flag may be set in advance for the policy generation rule 110 (see FIG. 17). In this case, in addition to the operation described in the first embodiment, the policy generation unit 108 determines the status for the access permission rule corresponding to the event generated using the policy generation rule in which the status flag is set. Processing to set a flag is performed.

  As described above, according to the present embodiment, even when the system 100 is operating in the audit mode, the state observation unit 113 observes the state of the system 100. Further, the access auditing unit 102 determines whether or not access is possible while considering the state detected by the state observation unit 113. Further, the policy generation unit 108 generates an access policy having a status flag in advance. By doing so, even if the number of events observed in the rule generation mode is insufficient or sufficient generalization cannot be performed by the GLOB generalization process, it is possible to realize more accurate accessibility. Become.

  For example, in the contents of the access policy (see FIG. 12) generated in the first embodiment, the access auditing means 102 does not permit “read to /var/www/copyright.txt” access. However, as the operation of the WWW server, since access to “/var/www/index.html” is permitted, access to txt files under “/ var / www /” is also permitted. Is natural. In the first embodiment, the access policy shown in FIG. 12 is generated because the access auditing means 102 is “.html” in “/ var / www” while operating in the rule generation mode. The reason is that sufficient generalization processing could not be performed because only the access to the file with the extension “.” Was observed (see events E06 and E07 shown in FIG. 6).

  According to the present embodiment, for example, even if the event content observed in the rule generation mode is the same as the event shown in FIG. , “Read” access to “/var/www/copyright.txt”. That is, access control with fewer false detections can be realized as compared with the first embodiment.

Embodiment 3 FIG.
Next, a third embodiment of the present invention will be described with reference to the drawings. FIG. 18 is a block diagram showing still another configuration example of the system 100 using the access policy generation system. In the present embodiment, the system 100 is different from the first embodiment in that it includes a policy generation rule acquisition unit 115 in addition to the components shown in FIG. Further, in the present embodiment, the policy generation rule storage unit 109 does not necessarily need to be in the system 100, but another host (for example, an information processing apparatus such as a workstation or a personal computer) via a network such as the Internet. May be included. Then, the other host may manage the policy generation rule 110 stored in the policy generation rule storage unit 109.

  The functions of the components other than the policy generation rule acquisition unit 115 and the policy generation rule storage unit 109 of the system 100 are the same as those functions described in the first embodiment.

  In the present embodiment, the policy generation rule storage unit 109 indicates the type and version of the operating system (OS) used by the system 100 in addition to the attributes (classification rule, generalization rule, and deletion flag) shown in FIG. A policy generation rule 110 including an identifier is stored.

  Specifically, the policy generation rule acquisition unit 115 is realized by a computer and a network interface unit that operate according to a program. The policy generation rule acquisition unit 115 has a function of detecting the type and version of the OS running on the computer of the system 100. Further, the policy generation rule acquisition unit 115 has a function of inquiring the policy generation rule storage unit 109 for a policy generation rule 110 that matches the detected OS type and version. Further, the policy generation rule acquisition unit 115 has a function of referring to the version identifier set in the policy generation rule 110 and acquiring only the policy generation rule whose version matches.

  In this case, for example, the policy generation rule acquisition unit 115 transmits a search request for the policy generation rule 110 and information indicating the type and version of the OS to the host including the policy generation rule storage unit 109 via the network. Then, the host extracts from the policy generation rule storage unit 109 the policy generation rule 110 that matches the type and version of the OS indicated in the received information. Then, the host transmits the extracted policy generation rule 110 to the system 100 via the network.

  FIG. 19 is an explanatory diagram showing an example of the policy generation rule 110 that additionally includes the OS type. For example, consider a case where the system 100 operates using Linux as an OS. In this case, the policy generation rule acquisition unit 115 acquires the policy generation rules R201, R203, and R204 from the policy generation rule storage unit 109 and passes them to the classification unit 106 and the generalization unit 107.

  Also, consider a case where the system 100 is operating using Windows (registered trademark) as an OS. In this case, the policy generation rule acquisition unit 115 acquires the policy generation rules R202, R203, and R204 from the policy generation rule storage unit 109 and passes them to the classification unit 106 and the generalization unit 107.

  In the present embodiment, the classification unit 106 performs a classification process based on the policy generation rule 110 acquired by the policy generation rule acquisition unit 115, and generates an event set that matches the OS used by the system 100. The generalization unit 107 performs generalization processing based on the policy generation rule 110 acquired by the policy generation rule acquisition unit 115, and generates an event set that matches the OS used by the system 100. The policy generation unit 108 generates an access policy that matches the OS used by the system 100 based on the event set.

  As described above, according to the present embodiment, the access policy is generated by referring to the policy generation rule 100 suitable for the platform of the system 100 (using the rule that matches the OS used by the system 100). Therefore, even when the OS version is updated, an optimal access policy can be generated.

  For example, traditionally, Linux often writes temporary files to “/ tmp”, and Windows often writes to the Temp directory in the “Local Settings” directory in the user's profile directory. Therefore, when the OS version is updated, there is a possibility that access control cannot be performed appropriately. In the present embodiment, the access policy is generated using the policy generation rule 110 that matches the OS used by the system. Therefore, an appropriate access policy can be generated according to the platform operating on the system 100.

Embodiment 4 FIG.
Next, a fourth embodiment of the present invention will be described with reference to the drawings. FIG. 20 is a block diagram illustrating another configuration example of the system 100 using the access policy generation system. In the present embodiment, the system 100 differs from the first embodiment in that it does not include the state observation unit 113 among the components shown in FIG. The functions of the components other than the state observation unit 113 of the system 100 are the same as those functions described in the first embodiment.

  According to the present embodiment, since the system 100 does not have the state observation unit 113, the accuracy of the access policy to be generated is likely to be lower than that of the access policy generated in the first embodiment. There is an advantage that the configuration of the system 100 can be simplified.

  FIG. 21 is an explanatory diagram showing an example of the policy generation rule 110 in the present embodiment. As shown in FIG. 21, unlike the rule shown in FIG. 7, the system 100 divides the event set by determining whether the extension to be accessed is the same as the policy generation rule R302 instead of the internal state. Use rules to In the present embodiment, as a result of performing processing using the rule shown in FIG. 21, the system 100 generates the access policy shown in FIG. 22 from the event shown in FIG. Therefore, the possibility of erroneous detection is higher than the access policy shown in FIG. 12 generated in the first embodiment. However, since the state observing means 113 is not required and the system configuration is simplified, there is an advantage that introduction into an existing system becomes easier.

  Next, specific examples of the present invention will be described. Note that this example corresponds to a specific implementation of the system 100 using the access policy generation system described in the first exemplary embodiment.

  FIG. 23 is a block diagram illustrating a computer 200 including an access policy generation system according to the present embodiment. The computer 200 is installed with Linux as an OS, and has a function as a WWW server operating on Linux.

  As shown in FIG. 23, a computer 200 including an access policy generation system includes a WWW server 201, a system call audit unit 202, a file system 203, a policy storage unit 204, a classification unit 206, a generalization unit 207, , A policy generation unit 208, an access log storage unit 205, a policy generation rule storage unit 209, and a stack inspection unit 213.

  A WWW server 201 illustrated in FIG. 23 is a specific example of the monitoring target program 101, and is a server program that operates on Linux.

  The system call inspection unit 202 is a specific example of the access audit unit 102. The system call inspecting unit 202 uses a Linux ptrace system call so that a system call name (an example of an access name) and an argument (an example of an access target) are generated by a software interrupt each time a system call based on the target program occurs. Confirm the contents of. Alternatively, the computer 200 may directly mount the system call inspection unit 202 as a kernel module (driver) and directly acquire the system call call to acquire the information (system call name and argument) shown above. .

  The file system 203 is a specific example of the resource 103 and is a file system managed by Linux.

  When operating in the rule generation mode, the system call inspection unit 202 stores the observed access information in the access log storage unit 205. The system call inspection unit 202 performs processing for notifying the stack inspection unit 213 that a system call by the target program has occurred.

  The stack inspection unit 213 is a specific example of the state observation unit 113. The stack checking unit 213 checks the call stack of the WWW server 201 at the time when the system call is called.

  The stack checking means 213 checks the call stack to check what procedure in the program calls the system call by going back up the procedure call hierarchy. Then, the stack inspection unit 213 performs processing for acquiring (extracting) information (call stack information described later) indicating the inspection result. Note that, by examining the call stack and examining the procedure call hierarchy at that point in time, this is a process that can be realized by a debugger program such as a gdb (GNU debugger) program.

  The access log storage unit 205 is a main memory or a fixed disk (for example, a magnetic disk device) on the computer 200 that stores files, and is a specific example of the access storage unit 106. The access storage unit 206 combines the access information indicating the system call invocation detected by the system call inspecting unit 202 and the call stack information at the time of invoking the system call inspected by the stack inspecting unit 213 to obtain an event. Save as.

  The classification unit 206, the generalization unit 207, and the policy generation unit 208 are specific examples of the classification unit 106, the generalization unit 107, and the policy generation unit 108, respectively, and are implemented as programs that run on Linux.

  The policy storage unit 204 is a specific example of the policy storage unit 104, and is a main memory or a fixed disk (for example, a magnetic disk device) on the computer 200 that stores files.

  The policy generation rule storage unit 209 is a specific example of the policy storage unit 109, and is a main memory or a fixed disk (for example, a magnetic disk device) on the computer 200 that stores files.

  FIG. 24 is an explanatory diagram showing a specific example of the access log stored in the access log storage unit 205. In this embodiment, the access log is stored as XML format data. As shown in FIG. 24, in the access log, each event is represented by an event element, a syscall element as a child element of the event element represents access information, and a name attribute of the syscall element is an access name. The syscall element can have one or more arg elements as child elements, and the arg element corresponds to an argument of the system call. The arg element has a value attribute, and the value attribute corresponds to the value of the argument of the system call. In this example, there is always one argument, and the only argument corresponds to the access target.

  In addition, the value attribute of the callstack element of the child element of the event element represents the contents of the call stack at the time of resource access invocation. The callstack attribute is represented by a string in which a character string representing an address in hexadecimal notation is separated by “:”. In the example shown in FIG. 15, for simplicity of explanation, the case where all events have a call stack composed of two addresses is shown. However, in practice, the call stack has a longer data length and a longer length. It is a town.

  For example, the event E21 shown in FIG. 24 is a write system call call for accessing “/var/run/httpd.pid”, and the call stack at the time of the call is “40008080: 80008a5a”.

  In the present embodiment, as described above, the case where XML format data is used as the access log has been described, but data in another format may be used as the access log. The access log may be data such as table data stored in a database.

  FIG. 25 is an explanatory diagram of a specific example of the policy generation rule 210 stored in the policy generation rule storage unit 209. In this embodiment, as with the access log, the policy generation rule 210 is also stored as XML format data.

  As shown in FIG. 25, each policy generation rule 210 is represented by a rule element. In the rule element, the delete attribute can be specified, and when the value of the delete attribute is “yes”, it indicates that the deletion flag is set. The rule element has a classify element and a generalize element as child elements, and corresponds to a classification rule and a generalization rule, respectively. Further, when the value of the method attribute of the classify element is “choice”, it indicates a selection classification rule, and when the value of the method attribute is “divide”, it indicates a division classification rule. The select attribute indicates a classification condition and is described in XPath. XPath is a notation for designating nodes (elements, attributes, etc.) in an XML document, and is published as a W3C recommendation.

  Further, when the value of the method attribute of the generalize element is “direct”, this indicates a direct generalization rule, and the value of the value attribute of a child element of the generalize element indicates a replacement value. When the value of the method attribute is “GLOB”, it indicates that the rule is a GLOB generalization rule. In either case, the node that replaces the value described in the XPath format is specified in the select attribute.

  Hereinafter, specific procedures of the classification unit 206, the generalization unit 207, and the policy generation unit 208 will be described using specific examples.

  In this embodiment, the value of the select attribute of the selection classification rule R12 included in the policy generation rule R11 is “the arg element of the first child of the syscall element, and the value attribute value starts with“ / tmp / ”. This is a conditional expression for selecting the “node”. Further, the value of the select attribute of the direct generalization rule R13 included in the policy generation rule R11 represents “the value attribute of the first arg element of the syscall element”, and a value having a value of “/ tmp / *” as a child element. The attribute is defined.

  Specific processing procedures of the classification unit 206, the generalization unit 207, and the policy generation unit 208 when the policy generation rule R11 is used are as follows. The classification unit 206 evaluates the value of the XPath format indicated by the select attribute of the selection classification rule R12 for each event element of the XML document (see FIG. 24) indicating the event set, and determines the node specified in the XPath format. Select the event element that contains it. As a result of the processing, the classification unit 206 selects the event element E22.

  Next, the generalization unit 207 directly evaluates the value of the XPath format indicated by the select attribute of the generalization rule R13 with respect to the set of events (only the event E22) selected by the classification unit 206, and the XPath format Replace the value of the node indicated in with "/ tmp / *". By performing such processing, the generalization unit 207 converts the value of the value attribute of the first arg element of the syscall element that is a child of the event element E22 to “/ tmp / *”. Since the delete flag is set in the policy generation rule R11, the classification unit 206 deletes the event E22 from the access log storage unit 205 after passing the contents of the event E22 to the policy generation unit 208.

  Next, the processing of the classification unit 206, the generalization unit 207, and the policy generation unit 208 when the policy generation rule R14 is used will be specifically described. The value of the select attribute of the selection classification rule R15 included in the policy generation rule R14 is a conditional expression indicating “syscall element whose name attribute value is“ read ””. The value of the select attribute of the division classification rule R16 is an expression indicating “value attribute of child callstack element”. Further, the value of the select attribute of the GLOB generalization rule R17 indicates “the value attribute of the first arg element of the syscall element”.

  In the present embodiment, a case will be described in which a plurality of classification rules can be specified and these classification rules are evaluated by AND combination.

  Specific processing procedures of the classification unit 206, the generalization unit 207, and the policy generation unit 208 when the policy generation rule R14 is used are as follows. The classification unit 206 evaluates the value of the XPath format indicated by the select attribute of the GLOB generalization rule R17 for each event element of the XML document (see FIG. 26) indicating the event set after the processing of the policy generation rule R11. , Select the event element containing the node indicated in the XPath format. As a result of the processing, the classification unit 206 selects the event elements E23 and E24. Next, the classifying unit 206 determines that an event whose node value indicated by the XPath format indicated by the select attribute of the division classification rule R16 matches each event element of the event set including the events E23 and E24, Split to belong to the same subset. In the case of this example, since the “value attribute of child callstack element” of the events E23 and E24 is the same value, the classifying means 206 also uses the events E23 and E24 after the classification processing using the division classification rule R16. Leave a set of events consisting of.

  Next, the generalization means 207 evaluates the value of the XPath format indicated by the select attribute of the GLOB generalization rule R17 for the set of events (consisting of events E23 and E24) generated by the classification means 206 described above. Then, the GLOB generalization process is applied (executed) to the value of the selected node. Since the XPath format indicated by the select attribute of the GLOB generalization rule R17 indicates “the value attribute of the first arg element of the syscall element”, the generalization means 207 uses “/ usr / lib / libc” as the node value. Select ".so" and "/usr/lib/libutil.so".

  The generalization means 207 applies (executes) the GLOB generalization process shown in FIG. 5 to the two selected character strings to generate a character string “/usr/lib/*.so”. . Further, the generalization unit 207 substitutes the generated value (character string) for the value attribute of the first arg element of the syscall element of the events E23 and E24. Since the delete flag is set in the policy generation rule R14, the contents of the events E23 and E24 are transferred to the policy generation unit 208, and then the classification unit 206 deletes them from the access log storage unit 205.

  Even when the policy generation rule R18 is used, the classification unit 206, the generalization unit 207, and the policy generation unit 208 execute processing according to the same processing procedure as that when the policy generation rules R11 and R14 are used.

  As a result of the processing described above, the generalization unit 207 passes the XML data (event set) shown in FIG. 27 to the policy generation unit 208. The policy generation unit 207 generates and outputs an access policy that permits access by the events E21, E22, and E23 and prohibits access by events other than the events E21, E22, and E23 based on the event set shown in FIG.

  As described above, according to this embodiment, it can be understood that the access policy generation system shown in the first embodiment can be implemented on a specific computer system. Further, according to the present embodiment, it is possible to generate an access policy with higher accuracy (less erroneous detection and fewer detection omissions) than the conventional method.

  INDUSTRIAL APPLICABILITY The present invention can be applied to a purpose of generating an access policy used for access control by a system that performs file access authority setting for a general operating system (OS), access authority setting for a secure OS, policy setting for access control middleware, and the like. . In addition, a system that performs policy setting of a host-based intrusion detection system or host-based intrusion prevention system, policy setting of a virtual machine having a sandbox model, and the like can be applied to the use of generating an access policy used for access control. Further, the present invention can also be applied to server devices and network devices (for example, routers) equipped with software for realizing these access authority settings and unauthorized intrusion detection / prevention systems.

It is a block diagram which shows the example of a structure of the system 100 using the access policy production | generation system by this invention. It is a flowchart which shows an example of the access policy production | generation process which the system 100 using an access policy production | generation system performs. 5 is a flowchart illustrating an example of a classification process in which a classification unit 106 classifies each event stored in an access log storage unit 105. It is a flowchart which shows an example of the generalization process in which the generalization means 107 generalizes an event. It is a flowchart which shows an example of the conversion process which the generalization means 107 performs when a GLOB generalization rule is given. 6 is an explanatory diagram illustrating an example of a set of events stored in an access log storage unit 105. It is explanatory drawing which shows the example of the policy production | generation rule 110 stored in the policy production | generation rule memory | storage part 109. FIG. It is explanatory drawing which shows the example in the case of performing a process using policy production | generation rule R01. It is explanatory drawing which shows the example in the case of performing a process using policy production | generation rule R02. It is explanatory drawing which shows the example in the case of performing a process using policy production | generation rule R03. It is explanatory drawing which shows the example of the event input into the policy production | generation means. It is explanatory drawing which shows the example of the access policy which the policy production | generation means 108 produces | generates and outputs. It is a block diagram which shows the other structural example of the system 100 using the access policy production | generation system. It is explanatory drawing which shows the example of the access policy in 2nd Embodiment. It is a flowchart which shows an example of the access audit process which the access audit means 102 in 2nd Embodiment performs. It is explanatory drawing which shows the example of the resource access in 2nd Embodiment. It is explanatory drawing which shows the example of the policy production | generation rule 110 in 2nd Embodiment. It is a block diagram which shows the further another structural example of the system 100 using the access policy generation system. It is explanatory drawing which shows the example of the policy production | generation rule 110 which additionally includes the kind of OS. It is a block diagram which shows the other structural example of the system 100 using the access policy production | generation system. It is explanatory drawing which shows the example of the policy production | generation rule 110 in 3rd Embodiment. It is explanatory drawing which shows the example of the access policy in 3rd Embodiment. It is a block diagram which shows the computer 200 containing an access policy production | generation system. It is explanatory drawing which shows the specific example of the access log which the access log memory | storage part 205 stores. It is explanatory drawing which shows the specific example of the policy production | generation rule 210 which the policy production | generation rule memory | storage part 209 stores. It is explanatory drawing which shows the example of the XML document which shows the event set after the process of policy production | generation rule R11. It is explanatory drawing which shows the example of the XML data which shows the event set after a generalization process.

Explanation of symbols

100 System 101 Target Program 102 Access Auditing Unit 103 Resource 104 Policy Storage Unit 105 Access Log Storage Unit 106 Classification Unit 107 Generalization Unit 108 Policy Generation Unit 109 Policy Generation Rule Storage Unit 110 Policy Generation Rule 111 Classification Rule 112 Generalization Rule 113 State Observation means 120 Input device

Claims (12)

An access policy generation system for generating an access policy for restricting a monitored program from accessing a specific resource,
Access detection means for detecting access to the resource by the monitored program and outputting access information indicating the content of the detected access;
An access policy generation system comprising: access policy generation means for generating an access policy based on the access information output by the access detection means in accordance with a policy generation rule that is information indicating an access policy generation condition . When the access detection unit detects the occurrence of access to the resource by the monitoring target program, the access detection unit includes a state detection unit that detects the state of the process being executed according to the monitoring target program,
The state detection unit adds the detection result of the state of the process being executed according to the monitored program to the access information output by the access detection unit,
The access policy generation system according to claim 1, wherein the access policy generation unit generates an access policy based on access information to which a detection result of a state of processing executed by the state detection unit according to the monitoring target program is added. . A policy generation rule storage means for storing the policy generation rule in advance;
The access policy generation system according to claim 1 or 2, wherein the access policy generation unit generates an access policy in accordance with a policy generation rule stored in the policy generation rule storage unit. The policy generation rule storage means stores in advance a policy generation rule including a classification rule indicating a predetermined classification condition for classifying access information and a generalization rule indicating a predetermined generalization condition for generalizing access information. Remember,
The access policy generation means
Classification means for classifying the access information output by the access detection means according to the classification rule included in the policy generation rule;
Generalization means for generalizing the access information classified by the classification means according to the generalization rule included in the policy generation rule;
The access policy generation system according to claim 3, further comprising policy generation means for generating an access policy based on the access information generalized by the generalization means. This is an access policy generation system that generates an access policy for restricting access of a monitored program to a specific resource, which is used for policy enforcement based on an authorization policy indicating an authorization rule for permitting access to a resource. And
Access detection means for detecting access to the resource by the monitored program at the time of policy enforcement, and outputting access information indicating the content of the detected access;
When the access detection unit detects the occurrence of access to the resource by the monitoring target program, the state detection unit detects the state of the process being executed according to the monitoring target program;
Classification means for classifying the plurality of access information output by the access detection means based on a classification rule included in a policy generation rule indicating a generation condition of an access policy created in advance,
Generalization means for generalizing the access information classified by the classification means based on a generalization rule included in the policy generation rule;
Policy generating means for generating an access policy based on the access information generalized by the generalization means,
The status detection unit adds a detection result of a status of a process executed in accordance with the monitored program to corresponding access information.   The classification means includes a selection classification rule indicating a condition for selecting only access information that matches a predetermined condition from a plurality of access information as a classification rule, and the access information that satisfies the predetermined condition belongs to the same set. 6. The access policy generation system according to claim 5, wherein the access information is classified based on a policy generation rule including a division classification rule indicating a condition for dividing the plurality of access information. A state storage unit that stores a state of a process executed in accordance with a monitoring target program detected by the state detection unit when an access permitted by the access policy occurs;
When the access detection means detects an access based on the access policy, the state of the process executed in accordance with the monitored program detected by the state detection means matches the state stored in the state storage means. Based on whether or not
7. The policy generation unit generates an access policy that instructs whether to detect access based on whether or not the state of the process being executed according to the monitored program matches. Access policy generation system.   8. The policy generation rule acquisition means for detecting the type and version of the platform on which the program to be monitored operates, and acquiring a policy generation rule that matches the detected type and version of the platform. The access policy generation system according to any one of the above. An access policy generation method for generating an access policy for restricting a monitored program from accessing a specific resource,
An access detection step of detecting access to the resource by the monitored program and outputting access information indicating the content of the detected access;
An access policy generation method, comprising: an access policy generation step of generating an access policy based on the access information output in the access detection step according to a policy generation rule which is information indicating an access policy generation condition. This is an access policy generation method that generates an access policy for restricting a monitored program from accessing a specific resource, which is used for policy enforcement performed based on an authorization policy indicating an authorization rule for permitting access to a resource. And
An access detection step of detecting access to the resource by the monitored program at the time of policy enforcement and outputting access information indicating the content of the detected access;
When the occurrence of access to the resource by the monitored program is detected in the access detecting step, the status of the process being executed according to the monitored program is detected, and the process being executed according to the monitored program is detected. A state detection step of adding a state detection result to the corresponding access information;
A classification step for classifying the plurality of access information output in the access detection step based on a classification rule included in a policy generation rule indicating a generation condition of an access policy created in advance,
A generalization step of generalizing the access information classified in the classification step based on a generalization rule included in the policy generation rule;
A policy generation step of generating an access policy based on the access information generalized in the generalization step. An access policy generation program for generating an access policy for restricting a monitored program from accessing a specific resource,
On the computer,
An access detection process for detecting access to a resource by the monitored program and outputting access information indicating the content of the detected access;
An access policy generation program for executing an access policy generation process for generating an access policy based on the output access information in accordance with a policy generation rule which is information indicating an access policy generation condition. This is an access policy generation program that generates an access policy for restricting the monitored program from accessing a specific resource, which is used for policy enforcement performed based on an authorization policy indicating an authorization rule for permitting access to a resource. There,
On the computer,
An access detection process for detecting access to the resource by the monitored program at the time of policy enforcement and outputting access information indicating the content of the detected access;
When the occurrence of access to the resource by the monitored program is detected, the status of the process being executed according to the monitored program is detected, and the detection result of the status of the process being executed according to the monitored program is displayed. State detection processing to be added to the corresponding access information,
A classification process for classifying the plurality of output access information based on a classification rule included in a policy generation rule indicating a generation condition of an access policy created in advance;
A generalization process for generalizing the classified access information based on a generalization rule included in the policy generation rule;
An access policy generation program for executing a policy generation process for generating an access policy based on the generalized access information.

Images