JP2007164465A - Client security management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a client security management system for the purpose of improving the security level of the entire system. <P>SOLUTION: A security management information gathering instruction part 104 is periodically executed, and security management information such as a patch and a virus definition pattern is acquired from a client by an information acquisition part 116 and is stored in an asset management data base 124 as history information. On the basis of the acquired history information, the security measure conditions of the client in an analysis period set by a security application condition part 110 are statistically evaluated. Also, by performing the analysis of the factor of security measures relating to the client once infected by viruses in the past or the like by an analysis part 109, measures are taken beforehand for the user of client assets whose usual security conscious level is low. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a security management system and method characterized by detecting and analyzing client security problems using history information.

  The conventional client security management system collects the security countermeasure status of a plurality of client assets connected to the network, and performs security diagnosis based on the collected security countermeasure information and the vulnerability countermeasure policy. The security level state of the client asset and the entire security management system were evaluated by analyzing whether the security problem was improved from the diagnosis result (Patent Document 1).

  Japanese Patent Application Laid-Open No. 2004-228561 discloses quarantine information that has been attacked by a computer virus and provides virus countermeasure information, quarantine forced new information, virus information, device information confirmation information, and the like on a portal site.

JP 2002-278797 A JP 2003-303118 A

  Although the conventional system of the above-mentioned patent document 1 can evaluate whether the current countermeasure is sufficient based on the latest security countermeasure status of the client asset, as to whether the client asset normally takes a countermeasure against vulnerability. Cannot be evaluated. If you evaluate only with the latest security countermeasure status, the client assets that have been neglected to take vulnerability countermeasures will be evaluated as having sufficient countermeasures depending on the timing, and there may be a risk as a client security management system. There is sex.

  The computer virus countermeasure system of Patent Document 2 collects quarantine information including files that have been attacked by computer viruses, but ranks and displays the degree of vulnerability countermeasures for clients that have been attacked by these attacks. I can't do it.

  The object of the present invention is to provide a client security management system for the purpose of improving the security level of the entire system by managing and analyzing security countermeasure information acquired from individual client assets as a history. Features.

  Obtain security countermeasure information from client assets on a fixed schedule, calculate the number of days until countermeasures against published vulnerability information, and store it in the database as history information. It also acquires virus scan execution history information and client asset connection destination network history information, calculates execution intervals and connection times, and stores them in a database. The security level of the entire system by statistically evaluating the status of security measures for client assets over a certain period based on the acquired history information and received input conditions, and improving the security awareness level of individual administrators and users Improve.

  Based on historical information on vulnerability countermeasures for client assets, users of client assets who have a low level of security awareness are determined by statistically determining whether countermeasures are currently being taken, but are taking countermeasures on a regular basis. Can improve the security awareness level.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows the configuration of an asset management server, an asset management database, and client assets according to an embodiment of the present invention. The asset management server 101 includes a basic control unit 107 that controls program call, execution, network, and input / output devices, and a communication processing unit 108 that transmits data to the client 102 and receives data from the client 102. . The client 102 includes a basic control unit 126 that controls program call, execution, and network, and a communication processing unit 125 that transmits data to the asset management server 101 and receives data from the asset management server 101. The asset management database 124 is a database having tables to be described later used for storing security countermeasure information.

  In this embodiment, the asset management server 101 executes the security management information collection command unit 104 for the client 102. Here, the last collection time file 103 is a file holding time information last time the security management information collection command unit 104 was executed. In response to the command, the information collection unit 116 acquires security management information held by the operating system 117 and the anti-virus software 118. The difference extraction unit 120 compares the acquired information with the previous acquired information file 123 that stores the information acquired at the previous time, stores the difference information in the difference information file 122, and transmits it to the asset management server 101.

  The asset management server 101 receives the difference information file 122 of the client 102 and stores the difference information in the asset management database 124 by the difference information storage unit 112. The policy determination unit 111 determines the security countermeasure status of the client 102 based on the policy setting file 105. Here, the connection destination network of the client 102 is set in the connection destination network list file 106 based on the policy determination result. Based on the policy setting file 105, the security application status section 110 acquires client security countermeasure information for a certain period from the asset management database 124 and displays it as a list. The analysis unit 109 has a function of analyzing the information displayed above.

  The connection destination network monitoring unit 119 monitors the connection destination network of the client, stores the result in the network log file 121, and transmits it to the asset management server 101. The network log storage unit 113 stores the received network log file 121 in the asset management database 124. The input device 114 is a keyboard or a mouse, and the output device 115 is a display.

  FIG. 2 is a diagram showing a hardware configuration of the asset management server according to the present invention and a client to be inspected. Each of the asset management server 101 and the client 102 includes a CPU 201, a memory 202, external storage devices 203 and 204 such as a hard disk, a communication device 205 for connecting to a network, and a bus 206 that controls data transmission / reception between the components. .

  Here, the external storage device 203 includes a program for performing processing of the security information command unit 104, the analysis unit 109, the security application status unit 110, the policy determination unit 111, the difference information storage unit 112, and the network log storage unit 113. The previous collection time file 103, the policy setting file 105, the connection destination network list file 106, and the asset management database 124 are stored.

  Further, the external storage device 204 includes an operating system 117, anti-virus software 118, an information acquisition unit 116, a connection destination network monitoring unit 119, a program for performing each processing of the difference extraction unit 120, a network log file 121, difference information A file 122 and a previously acquired information file 123 are stored. The external storage devices 203 and 204 may be external storage devices connected to the outside of the management server, or may be internal storage devices stored in the management server.

  The memory 202 stores the respective programs and data, and the CPU 201 executes the programs stored in the memory 202, thereby performing various processes described later, thereby realizing the functions of the respective processing units in FIG. Each processing unit in FIG. 1 is assumed to be realized by software by executing a program in the memory 202 by the CPU 201. However, the processing unit is not limited to this, and hardware such as an IC chip that performs such processing is used. It can also be implemented with hardware.

  3, 4, 5, 6, and 7 are examples of the policy setting screen and the policy setting file 105.

  First, FIG. 3 is an example of a main screen for setting a policy. The administrator can set the security management information policy from the input device 114. The target patch name and version are set in the patch. In the virus definition pattern, a target anti-virus software name, software version, engine version, virus definition version, and resident / non-resident software are set. Set the target software name and version in the required software. In each setting, the policy to be quarantined is indicated by “*” mark. The client 102 to which the policy with the “*” mark is not applied is forcibly connected to the quarantine network. A virus scan execution interval policy that the client 102 needs to perform at least is set for the virus scan. In the collection interval, the execution interval of the security management information collection command unit 104 is set, and in the analysis period, the number of past security countermeasure history information to be analyzed is set.

  FIG. 4 shows an example of a patch policy addition screen displayed by pressing the add button in the patch item on the policy setting screen of FIG. 3, and the patch name and version are set to be unique. Also, by checking the check box, it is possible to set the policy to be quarantined.

  FIG. 5 shows an example of a virus definition pattern policy addition screen displayed by pressing the add button in the virus definition pattern item of the policy setting screen of FIG. 3, and the anti-virus software name, software version, engine version. , Virus definition version and software resident / non-resident respectively. Also, by checking the check box of each item, it is possible to set the checked item in the policy to be quarantined.

  FIG. 6 shows an example of a policy addition screen for essential software displayed by pressing the add button in the essential software item on the policy setting screen of FIG. 3, and is set so that the software name and version are unique. To do. Also, by checking the check box, it is possible to set the policy to be quarantined.

  FIG. 7 shows an example of the contents of the policy setting file 105, in which the information set in FIG. 3 is saved in a file. The asset management server 101 evaluates the client 102 based on the set policy.

  FIG. 8 is an asset list table in which the list information of the clients 102 to be subjected to security diagnosis in the asset management database 124 is stored. The column 801 stores an asset ID for uniquely identifying the target client 102. A column 802 stores a host name corresponding to the asset ID in the same row. A column 803 stores an IP address corresponding to the asset ID in the same row. Column 804 stores the MAC address corresponding to the asset ID in the same row.

  9, 10, and 11 show examples of tables regarding patches, virus definition patterns, and essential software provided to the client 102 in the asset management database 124.

  FIG. 9 shows a table in which information related to patches provided to the client 102 is stored. A column 901 stores a patch ID for uniquely identifying the type of patch provided. A column 902 stores patch names corresponding to patch IDs in the same row. A column 903 stores patch version information corresponding to the patch ID in the same row. The column 904 stores the patch provision start date and time corresponding to the patch ID in the same row. From the data stored in this table, it is possible to calculate the period from when the patch is provided until it is applied.

  FIG. 10 shows a table in which information regarding virus definition patterns provided to the client 102 is stored. A column 1001 stores virus definition IDs for uniquely identifying the types of provided virus definition patterns. A column 1002 stores the software names of the anti-virus software corresponding to the virus definition ID in the same row. Column 1003 stores version information of the antivirus software corresponding to the virus definition ID in the same row. Column 1004 stores virus definition version information of the anti-virus software corresponding to the virus definition ID in the same row. Column 1005 stores engine version information of the anti-virus software corresponding to the virus definition ID in the same row. The column 1006 stores the virus definition pattern provision start date and time corresponding to the virus definition ID in the same row. From the data stored in this table, it is possible to calculate the period from when the virus definition pattern is provided until it is applied.

  FIG. 11 shows a table in which information related to essential software provided to the client 102 is stored. A column 1101 stores software IDs for uniquely identifying the types of essential software provided. Column 1102 stores the names of essential software corresponding to the software IDs in the same row. Column 1103 stores version information of essential software corresponding to the software ID in the same row.

  FIG. 12 shows the processing of the security management information collection command unit 104. The security management information collection command unit 104 determines whether the collection interval set in the policy setting file 105 has elapsed from the time stored in the previous collection time file 103 (1201). An execution instruction is issued to the information acquisition unit 116 of 102 (1202). After that, the contents of the previous collection time file 103 are updated to the current time (1203), the processing is paused for the collection interval time set to reduce the load (1204), and the processing is resumed after the collection interval time has elapsed. Start. As a result, the security management information of the client 102 can be collected periodically.

  FIG. 13 shows the processing of the information acquisition unit 116. The information acquisition unit 116 is executed in response to a command from the security management information collection command unit 104. The information acquisition unit 116 acquires the security management information held by the operating system 117 and the anti-virus software 118 (1301).

  Here, the security management information refers to patch information applied to the client 102, virus definition pattern information, installed software information, virus scan execution history information, virus infection history information, host name, IP address, and MAC address. Network information.

  After the collection, the difference information extraction unit 120 is executed to extract the changed difference information (1302).

  FIG. 14 shows the processing of the difference information extraction unit 120. The difference information extraction unit 120 reads the previous acquisition information file 123 (1401) and compares it with the security management information acquired this time (1402). If there is a difference, a difference information file 122 is generated (1403), and the difference information file 122 is transmitted to the asset management server 101 (1404). Thereafter, the previously acquired information file 123 is updated to the one acquired this time (1405), and the difference information file 122 is deleted (1406).

  FIG. 15 is an example showing the contents of the difference information file 122. The difference information file 122 is divided into sections for each item of security management information, and the acquired difference information regarding each item is registered. In this example, an example in which a difference for one week is transmitted at a time is shown. When the difference is transmitted every day or every certain time, only the information that has changed at that time is transmitted, so the amount of information is reduced.

  FIG. 16 shows processing of the difference information storage unit 112. The difference information storage unit 112 receives the difference information file 122 from the client 102 (1601), and determines from the host name or IP address whether the transmitted client 102 is already registered in the asset list table of the asset management database 124 in FIG. (1602). If it has already been registered, the asset ID 801 is acquired (1603). If it has not been registered, a new asset ID 801 is created (1604).

  Next, the contents of the difference information file 122 are referred to (1605), and sections are selected one by one (1606). It is determined whether there is difference information regarding the section being referred to (1607), and if there is, the oldest date is stored in the asset management database 124 (1608). This is repeated until all the difference information of the section that refers to this is completed (1609). Of the stored difference information, the period from the last update, the period from the provision start date and time to application, and the period from the previous execution are calculated and stored in the asset management database 124 (1610). This process is performed for all sections of the difference information file 122 (1611), and when all of the sections are completed, the policy determination unit 111 is executed (1612).

  FIGS. 17, 18, 19, 20, and 21 show examples of tables related to security management information collected from the client 102 in the asset management database 124. FIG.

  FIG. 17 shows an applied patch table that stores a history of patch information applied by the client 102. A column 1701 stores the asset ID 801 of the client 102 to which the patch is applied. A column 1702 stores the applied patch ID 901 corresponding to the asset ID in the same row. A column 1703 stores the date and time when the patch is applied corresponding to the asset ID and the patch ID in the same row. In a column 1704, the asset ID in the same row stores the update interval from the previous patch application date and time. A column 1705 stores an application interval from when the patch ID in the same row is applied after the patch is provided.

  The data stored in the application patch table is necessary when it is desired to refer to information such as when each client has applied which patch and how much time has been spent before applying.

  FIG. 18 shows an applied virus definition pattern table in which a history of virus definition pattern information applied by the client 102 is stored. A column 1801 stores the asset ID 801 of the client 102 to which the virus definition pattern is applied. A column 1802 stores the applied virus definition pattern ID 1001 corresponding to the asset ID in the same row. A column 1803 stores the date and time when the virus definition pattern is applied corresponding to the asset ID and virus definition pattern ID in the same row. In a column 1804, the asset ID in the same row stores the update interval from the previous virus definition pattern application date. A column 1805 stores an application interval from when the virus definition ID in the same row is applied after the virus definition pattern is provided.

  The data stored in the applied virus definition pattern table is necessary when it is desired to refer to information such as when each virus has applied which virus definition pattern and how much time has been spent before applying.

  FIG. 19 shows an installed software table storing software information installed by the client 102. A column 1901 stores the asset ID 801 of the client 102 that has newly installed software. A column 1902 stores installed software IDs 1101 corresponding to asset IDs in the same row. A column 1903 stores the software installation date and time corresponding to the asset ID and software ID in the same row.

  The data stored in the installed software table is necessary when it is desired to refer to which software each client has applied.

  FIG. 20 shows a virus scan information table storing history information of virus scans executed by the client 102. A column 2001 stores the asset ID 801 of the client 102 that has executed the virus scan. A column 2002 stores the date and time when the virus scan corresponding to the asset ID in the same row is executed. In column 2003, the asset ID in the same row stores the execution interval since the last virus scan was completed. However, the execution interval is stored only when the status of the acquired scan information is complete. Column 2004 stores the execution status of the virus scan executed in the same row.

  The data stored in the virus scan information table is necessary when it is desired to refer to information such as how often each client is performing virus scan and the virus scan is being executed to the end.

  FIG. 21 shows a virus infection history information table in which history information about the infection of the client 102 with a virus is stored. A column 2101 stores the asset ID 801 of the client 102 infected with a virus. A column 2102 stores the date and time of virus infection corresponding to the asset ID in the same row. Column 2103 stores the countermeasure status for virus infection information in the same row. Column 2104 stores the date and time of countermeasures against virus infection information in the same row. A column 2105 stores a period until the countermeasure for the virus infection information in the same row is completed.

  The data stored in the virus infection history information table is necessary when it is desired to refer to whether each client has been infected with a virus in the past.

  22, FIG. 23, FIG. 24, FIG. 25, FIG. 26, FIG. 27, and FIG. 28 show the processing of the policy determination unit 111.

  First, FIG. 22 shows an overall processing procedure of the policy determination unit 111. When the security management information of the client 102 is updated or when the policy setting file 105 is changed (2201), the policy determination unit 111 selects one client 102 for policy determination from the asset management table 124 one by one ( 2202) and execute the patch policy judgment function (2203), virus definition pattern policy judgment function (2204), essential software policy judgment function (2205), virus scan policy judgment function (2206), and connection destination network list addition function (2207) Each determination result is stored in the policy determination result table of the asset management database 124 (2208). This process is performed for all clients 102 whose security management information has been updated, and for all clients 102 when the policy is changed (2209).

  FIG. 23 shows the patch policy determination (2203) process in FIG. The patch policy determination function (2203) determines whether a patch policy is set in the policy setting file 105 (2301), and if so, determines whether there is patch information for the next target client 102 ( 2302). If there is no patch information, the determination result is set to “not applied” (2312) and the process ends. If there is patch information, one of the set patch policies is selected (2303).

  Next, acquire one patch information of the target client 102 from the asset management database 124 (2304), determine whether the selected policy is satisfied (2305), and if it is satisfied, proceed to (2308). Transfer. If not, the next patch information of the target client 102 is acquired and a determination is made until all are completed (2306). If there is no patch information that satisfies the patch policy in the determination, a quarantine target determination function is executed to determine whether the selected policy is a quarantine target policy (2307). This process is performed until all patch policies are completed (2308).

  It is determined whether all the patch policies are satisfied in the policy determination result (2309), and if all are satisfied, the determination result is set to “Applied” (2310). "(2311).

  FIG. 24 shows the processing of the virus definition pattern policy determination function (2204) in FIG. The virus definition pattern policy judgment function (2204) judges whether the virus definition pattern policy is set in the policy setting file 105 (2401). If so, the virus definition pattern information of the next target client 102 is set. It is determined whether there is (2402). If there is no virus definition pattern information, the determination result is set to “not applied” (2406) and the process ends. If there is virus definition pattern information, the latest virus definition pattern of the client 102 is acquired (2403). Judgment is made whether the acquired virus definition pattern satisfies the policy (2404). If it is satisfied, the determination result is set to "Applied" (2405). If not, the determination result is set to "Not applied". Then, a quarantine target determination function is executed to determine whether the policy is a quarantine target policy (2407).

  FIG. 25 shows the processing of the essential software policy determination function (2205) in FIG. The mandatory software policy judgment function (2205) judges whether the mandatory software policy is set in the policy setting file 105 (2501), and if so, the installed software information of the next target client 102 It is determined whether there is (2502). If there is no software information, the determination result is set to “not applied” (2512) and the process ends. If there is software information, one of the set mandatory software policies is selected (2503).

  Next, one piece of installed software information of the target client 102 is acquired from the asset management database 124 (2504), it is judged whether the selected policy is satisfied (2505), and if it is satisfied, (2508 ) If not, the next installed software information of the target client 102 is acquired and a determination is made until all are completed (2506). If there is no patch information satisfying the essential software policy in the determination, a quarantine target determination function is executed to determine whether the selected policy is a quarantine target policy (2507). This process is repeated until all required software policies are completed (2508).

  Judgment is made as to whether all required software policies are satisfied in the judgment result (2509), and if all are met, the judgment result is set to “Applied” (2510). "(2511).

  FIG. 26 shows the processing of the virus scan policy determination function (2206) in FIG. The virus scan policy determination function (2206) determines whether a virus scan policy is set in the policy setting file 105 (2601), and if it is set, whether there is virus scan information of the next target client 102 or not. Determine (2602). If there is no virus scan information, the determination result is set to “not applied” (2606) and the process ends. If there is virus scan information, all data of the virus scan execution interval of the target client 102 is acquired from the asset management database 124, and the average value of the execution intervals is calculated (2603). It is determined whether the calculated average execution interval satisfies the policy (2604). If it is satisfied, the determination result is set to “Done” (2605), and if not, the determination result is set to “Not yet” (2606).

  FIG. 27 shows the processing of the quarantine target determination function in FIG. 23, FIG. 24, and FIG. The quarantine target determination function determines whether the selected policy has a quarantine target flag (2701). If the policy is a quarantine target policy, the quarantine network target flag is set to YES (2702).

  FIG. 28 shows the process of adding a connection destination network (2207) in FIG. The connection destination network addition function (2207) acquires the IP address 803 and MAC address 804 of the target client 102 from the asset management database 124 (2801), and determines whether the quarantine network target flag is YES (2802). If YES, the asset ID 801, IP address 803, and MAC address 804 of the client 102 are added to the quarantine network target list (2803). Otherwise, the asset ID 801, IP address 803, and MAC address 804 of the target client 102 are added. It is added to the business network target list (2804), and the connection destination network list file 106 is updated.

  FIG. 29 shows a policy determination result table storing the policy determination result of the client 102. A column 2901 stores the asset ID 801 of the client 102. Column 2902 shows the determination result of the patch policy corresponding to the asset ID of the same row, column 2903 shows the determination result of the virus definition pattern policy corresponding to the asset ID of the same row, and column 2904 shows the asset ID of the same row. The corresponding required software policy determination result is stored in column 2905, and the virus scan policy determination result corresponding to the asset ID in the same row is stored.

  The data stored in the policy determination result table is required when referring to the current security countermeasure status of each client 102 for the policy set by the administrator.

  FIG. 30 shows an example of the connection destination network list file 106 generated in FIG. The client 102 registered in the quarantine network target list is automatically connected to the quarantine network when network connection authentication is performed. The quarantine network is a network environment for taking countermeasures against the vulnerabilities discovered with respect to the client 102, and the client 102 is isolated from the normal network until the countermeasures are completed.

  FIG. 31 shows the processing of the connection destination network monitoring unit 119. First, it is determined whether there is data in the network log file 121 (3101), and if there is, the data is transmitted to the asset management server 124 (3102). Next, the client 102 monitors whether the shutdown process has been executed (3103). If the shutdown process is executed, the shutdown information and the current time are acquired and stored in the network log file 121 (3104). If not executed, it is next monitored whether the connection destination network has been changed (3105). If changed, the connection destination network information and the current time are acquired and saved in the network log file 121. In this way, the connection destination network monitoring unit 119 monitors the network connection state of the client 102 in real time.

  FIG. 32 shows the processing of the network log storage unit 123. The network log storage unit 123 receives the network log file 121 (3201), and acquires the asset ID 801 of the corresponding client 102 from the asset management database 124 (3202). Next, the network log file 121 is referred to (3203), and the shutdown information is identified (3204). If it is shutdown information, the connection time is calculated from the shutdown time saved in the network log file 121 and the date and time information of the latest connection destination network of the client 102 (3205). If it is not shutdown information, connection destination network information and date / time information are acquired from the network log file 121 and stored in the asset management database 124 (3206). After that, the connection time related to the network information connected last time is calculated from the date information of the network connected last time and the date information acquired this time (3207).

  FIG. 33 shows a connection destination network history table storing history information of the connection destination network of the client 102. A column 3301 stores the asset ID 801 of the client 102. A column 3302 stores the time of connection to the network corresponding to the asset ID in the same row. A column 3303 stores connection destination network names corresponding to asset IDs in the same row. Here, the business VLAN represents a business network, and the quarantine VLAN represents a quarantine network. Column 3304 stores the asset ID and connection time of the network corresponding to the connection network in the same row.

  FIG. 34 shows the processing of the security application status unit 110. The security application status unit 110 receives the input and is executed. First, the asset ID 801 of the client 102 is acquired from the asset list table of the asset management database 124 (3401), and all policy judgment results corresponding to the asset ID are acquired (3402). Next, all patch application intervals corresponding to the asset ID within the analysis period set in the policy setting file 105 are acquired, and an average value and a maximum value of the application intervals are calculated (3403). Similarly, all application intervals of the virus definition pattern corresponding to the asset ID in the analysis period are acquired, and an average value and a maximum value of the application intervals are calculated (3404). Also, all virus scan execution intervals corresponding to the asset ID in the analysis period are acquired, and the average value and maximum value of the execution intervals are calculated (3405). Next, a virus infection status acquisition function is executed (3406) to acquire the infection status. Also, a connection destination network acquisition function is executed (3407), the current connection destination network is acquired, and an operation rate indicating the ratio of being connected to the business network is calculated.

  It is determined whether each piece of acquired information satisfies the conditions of the received input information (3408). Only when the conditions are satisfied, the information is output to the security application status list screen via the output device 115 (3409). This process is performed until all clients 102 are completed (3410), and after completion, statistics of all clients 102 added to the security application status list are calculated (3411), and the statistical results are output to the security application status list screen. (3409).

  FIG. 35 shows processing of the virus infection status acquisition function (3406) in the security application status section 110 of FIG. The virus infection status acquisition function (3406) acquires (3501) all virus infection histories within the analysis period set in the policy setting file 105 corresponding to the asset ID 801 selected from the asset management database 124, and is infected. It is determined whether there is a history (3502). If there is an infection history, the determination result is set to “infected” (3503).

  FIG. 36 shows the processing of the connection destination network acquisition function (3407) in the security application status section 110 of FIG. The connection destination network acquisition function (3407) acquires (3601) the latest connection network information corresponding to the asset ID 801 selected from the asset management database 124. Next, all connection networks 3303 and connection times 3304 within the analysis period set in the policy setting file 105 are acquired (3602), and the percentage of time connected to the business network is calculated based on the acquired data. (3603).

  FIG. 37 shows an example of an input screen for receiving input information (3408) in the security application status section 110 of FIG. The administrator can input the conditions of the client 102 to be displayed on the security application status list screen on this screen from the input device 114.

  For example, an input example for outputting the security application status list result of FIG. 38 will be described. Since you want to display both applied and unapplied clients for patches, select “All” from the pull-down, and set the average patch application interval to display clients between 0 and 15 days. The maximum patch application interval is 0. Set to display clients between day 20 and day 20.

  For virus definition patterns, both applied and unapplied clients are displayed. Select "All" from the pull-down menu, and the virus definition pattern average application interval is set to display clients between 0 and 10 days. The definition pattern maximum application interval is set to display clients between 0 and 15 days.

  For virus scanning, you want to display both clients that meet the policy and clients that do not meet the policy. Select "All" from the pull-down menu, and the virus scan average execution interval is set to display clients between 0 and 10 days. The execution interval is set to display clients between 0 and 15 days.

  For essential software, since you want to display both applied and unapplied clients, select "All" from the pull-down menu, and for infection history, you want to display both clients that have been infected and those that have not been infected in the past. Select "All" from the pull-down. In addition, as for the connected network, we want to display both the client connected to the business network and the client connected to the quarantine network, so select "All" from the pull-down, and display the clients with an operating rate between 50% and 90% Set to

  All clients corresponding to the input example shown above are displayed as a security application status list screen as shown in FIG.

  FIG. 38 shows an example of a security application status list screen generated by the security application status unit 110 of FIG. In the security application status list screen, the asset ID of each client 102 and the current patch application status, the average patch application interval, the maximum patch application interval that indicates the time required to apply the patch, the current virus definition pattern Application status, virus definition pattern average application interval, virus definition pattern maximum application interval representing the time required to apply the virus definition pattern, current virus scan execution status, virus scan average execution interval, previous virus scan Maximum scan interval between virus scans, which indicates the most time required to run / complete the next virus scan after the scan has been completed / completed, current application status of required software, whether the virus has been infected within the analysis period Infection history that represents the current connected network and within the analysis period To display the operating rate.

  The operating rate is shown as a percentage (%) connected to the business network, but can also be displayed as it is as the business network connection time / the total operating time of the PC.

  From this screen, there is no vulnerability problem, whether the administrator is not only applying the current security countermeasure status of the client, but also applying patches and virus definition patterns immediately, and regularly performing virus scanning. You can also see information about how much of the time you have been connected to the network.

  For example, there is no problem with the current patch security countermeasure status, but referring to the average patch application interval, if there is a client who is spending a lot of time, the patch is applied to that client, but until it is applied Can be evaluated as a client that is slow and likely to cause vulnerability issues in the future.

  Also, by displaying the statistical results, it is possible to grasp the status of security measures in the entire client security management system. By regularly aggregating the transition of the statistical results, it is possible to grasp whether the security level of the entire client security management system is improving or decreasing, and it can be used as an index.

  FIG. 39 shows the processing of the analysis unit 109 for outputting detailed information related to the asset ID selected by the radio button on the security application status list screen of FIG. First, it is determined whether a patch column header has been selected (3901). If it has been selected, all patch information within the analysis period for the corresponding asset ID 801 is acquired (3902). Next, it is determined whether the header of the virus definition pattern column is selected (3903). If it is selected, all virus definition pattern information within the analysis period for the corresponding asset ID 801 is acquired (3904). Next, it is determined whether the header of the virus scan column is selected (3905). If it is selected, all virus scan information within the analysis period for the corresponding asset ID 801 is acquired (3906). Next, it is determined whether the header of the infection history column has been selected (3907). If it has been selected, all virus infection history information within the analysis period for the corresponding asset ID 801 is acquired (3908). Also, a factor analysis function is executed (3909) to analyze the infected factor related to the infected client 102. Next, it is determined whether or not the header of the operation rate column has been selected (3910), and if it has been selected, an operation status acquisition function (in order to acquire daily connection destination network information details within the analysis period for the corresponding asset ID 801) 3911). Finally, the information acquired and calculated via the output device 115 is output (3912).

  FIG. 40 shows the processing of the factor analysis function (3909) in the analysis unit 109 of FIG. The factor analysis function (3909) selects the client 102 that has been infected within the analysis period set in the policy setting file 105 (4001), and obtains the policy judgment result and the average application interval for the client 102 (4002). Similarly, the virus definition pattern policy judgment result and average application interval (4003), virus scan policy judgment result and average execution interval (4004), mandatory software policy judgment result (4005), and average countermeasure period for virus infection history Calculate (4006) and obtain. These processes are performed until all the clients 102 that have been infected are completed (4007). For each obtained policy determination result, the ratio of the client 102 that does not satisfy the policy is calculated (4008). Further, a ratio is calculated for each obtained application interval, execution interval, and countermeasure period in units of 10 days (4009), and is performed until the calculated ratio reaches 0% (4010).

  FIG. 41 shows the processing of the operation status acquisition function (3911) in the analysis unit 109 of FIG. The operation status acquisition function (3911) acquires all connection networks and connection times within the analysis period for the corresponding asset ID 801 (4101). The percentage of time connected to the business network is calculated by date from the acquired data (4102).

  FIG. 42 shows an example of a detailed list of applied patches for patch information in the analysis unit 109 of FIG. The administrator can refer to the patch application history through this screen. Here, from the history of the application interval, it is possible to grasp whether the target client 102 has improved or decreased security awareness regarding patch application, and whether all provided patches have been applied.

  The details of the virus definition pattern are the data within the analysis period of the client 102 that is the target of the table combination of FIGS. 10 and 18, and the details of the virus scan are the analysis period of the client 102 that is the target of FIG. As for the details of the virus infection history, the data within the analysis period of the target client 102 in FIG. 21 is output in the same manner as in the case of the detailed list of applied patches.

  FIG. 43 shows an example of a virus infection factor list generated by the factor analysis function (3909) in the analysis unit 109 of FIG. Through this screen, the administrator can grasp the main factors of virus infection by factor, and if there are many factors in the search conditions of FIG. 37, there is a risk of virus infection in the future. A list of clients 102 can be displayed, and countermeasures can be taken in advance.

  For example, the client 102 searches the asset management database 124 for a client 102 that corresponds to either the factor 1 unapplied patch of FIG. Notifying the users of the target client 102 of warning emails, listing client users as education participants and notifying management supervisors, and preventing clients from connecting to the business network It can also be blocked. By automating such a procedure, it is possible to urge the user of each client to improve security awareness.

  It is also possible to set a policy to prevent infection by using major factors. For example, using Factor 1 to Factor 3 in FIG. 43, “Patch has been applied” “Virus definition pattern has been applied” “Patch application interval must be less than 10 days” In addition, it can be used as an index for creating a policy for preventing virus infection, and it can be expected to operate a system that is less susceptible to virus infection.

  FIG. 44 shows an example of a connection destination network details list generated by the operation status acquisition function (3911) in the analysis unit 109 of FIG. Through this screen, the administrator can grasp the time and rate of connection to the business network of the target client 102 by date. When the ratio of connection to the business network is small, the administrator knows that the client 102 is not taking measures even though the client 102 is vulnerable. In addition, it is possible to grasp whether the client 102 is operating normally by connecting to the business network by taking vulnerability countermeasures from the daily history information. It can also be used for cost reduction measures such as forcibly removing a client 102 that has not been improved by judging that it is not used for business.

It is the figure which showed schematic structure of the client security management system. It is the figure which showed the network structure of the asset management server and the client. It is the figure which showed the whole policy setting screen. FIG. 6 is a diagram showing a policy setting screen for a patch. It is the figure which showed the policy setting screen of a virus definition pattern. It is a figure showing a policy setting screen of essential software. It is the figure which showed the data of the policy setting file. It is the figure which showed the structure of the database regarding the target client. It is the figure which showed the structure of the database regarding the patch provided with respect to the client. It is the figure which showed the structure of the database regarding the virus definition pattern provided with respect to the client. It is the figure which showed the structure of the database regarding the essential software provided with respect to the client. It is the figure which showed the processing system of the security management information collection command part. It is the figure which showed the processing system of the information acquisition part. It is the figure which showed the processing system of the difference extraction part. It is the figure which showed the data of the difference information file. It is the figure which showed the processing system of the difference information storage part. It is the figure which showed the structure of the database regarding the historical information of the patch which the client applied. It is the figure which showed the structure of the database regarding the historical information of the virus definition pattern which the client applied. It is the figure which showed the structure of the database regarding the historical information of the software which the client installed. It is the figure which showed the structure of the database regarding the historical information of the virus scan which the client performed. It is the figure which showed the structure of the database regarding the virus infection history information of a client. It is the figure which showed the processing system of the policy determination part. It is the figure which showed the processing system of a patch policy determination function. It is the figure which showed the processing method of the virus definition pattern policy determination function. It is the figure which showed the processing method of an essential software policy determination function. It is the figure which showed the processing method of the virus scan policy determination function. It is the figure which showed the processing system of the quarantine object determination function. It is the figure which showed the processing method of the connection destination network list addition function. It is the figure which showed the structure of the database regarding a policy determination result. It is the figure which showed the data of the connection destination network list file. It is the figure which showed the processing method of the connecting point network monitoring part. It is the figure which showed the processing system of the network log storage part. It is the figure which showed the structure of the database regarding the connection destination network history information of a client. It is the figure which showed the processing system of the security application condition part. It is the figure which showed the processing system of the virus infection status acquisition function. It is the figure which showed the processing method of the connection destination network acquisition function. It is the figure which showed the condition input screen of the client output to a security application status list screen. It is the figure which showed the security application status list screen. It is the figure which showed the processing system of the analysis part. It is the figure which showed the processing method of the factor analysis function. It is the figure which showed the processing method of the operation condition acquisition function. It is the figure which showed the applied patch details list screen. It is the figure which showed the virus infection factor list screen. It is the figure which showed the connected network details list screen.

Explanation of symbols

101 ... Asset management server, 102 ... Client, 103 ... Previous collection time file, 104 ... Security management information collection command part, 105 ... Policy setting file, 106 ... Connection destination network list file, 107 ... Basic control part, 108 ... Communication processing 109: Analysis unit, 110: Security application status unit, 111: Policy determination unit, 112 ... Difference information storage unit, 113 ... Network log storage unit, 114 ... Input device, 115 ... Output device, 116 ... Information acquisition unit, 117 ... Operating system, 118 ... Anti-virus software, 119 ... Destination network monitoring unit, 120 ... Difference extraction unit, 121 ... Network log file, 122 ... Differential information file, 123 ... Last acquired information file, 124 ... Asset management database, 125 ... Communication processing unit, 126 ... Basic control unit, 201 ... Network, 801 to 804 ... Asset list table, 901 to 903 ... Provided patch list table 1001 to 1006 ... provided virus definition pattern list table, 1101 to 1103 ... provided essential software list table, 1201 to 1204 ... security management information collection command part flowchart, 1301 to 1302 ... information acquisition part flowchart, 1401 to 1406 ... difference extraction part flowchart , 1601 to 1612 ... Difference information storage unit flowchart, 1701 to 1705 ... Applied patch table, 1801 to 1805 ... Virus definition pattern table, 1901 to 1903 ... Installed software table, 2001 to 2004 ... Virus scan information table, 2101 to 2105 ... Virus Infection history information table, 2201 to 2209 ... Policy judgment unit flowchart, 2301 to 2311 ... Patch policy judgment function flowchart, 2401 to 2407 ... Virus definition pattern policy judgment function flowchart, 2501 to 2511 ... Essential software policy judgment function flowchart, 2601 to 2606 ... we Loss scan policy determination function flowchart, 2701 to 2702 ... Quarantine target determination function flowchart, 2801 to 2804 ... Connection destination network list addition function flowchart, 2901 to 2905 ... Policy determination result table, 3101 to 3106 ... Connection destination network monitoring unit flowchart, 3201 3207 ... Network log storage unit flowchart, 3301 to 3304 ... Connection destination network history table, 3401 to 3411 ... Security application status section flowchart, 3501 to 3503 ... Virus infection status acquisition function flowchart, 3601 to 3603 ... Connection destination network acquisition function flowchart , 3901 to 3912... Analysis unit flowchart, 4001 to 4010... Factor analysis function flowchart, 4101 to 4102.

Claims (9)

  A client security management system comprising a database for storing security countermeasure information, a security management information collection command unit for instructing collection of security management information, and an information collection unit for collecting security management information Client security comprising: security information collection means; and security management information storage means comprising an information storage unit for calculating a period from previous information based on the collected security information and storing it in a database Management system.   A client security management method, comprising: collecting security management information from a client; calculating a period from previous information based on the collected security information; and storing the period in a database.   3. The client security management method according to claim 2, wherein the calculation period is any one of an application update interval from a previous application, an application interval from provision to application, and an execution interval from a previous execution. A client security management method characterized by being.   4. The client security management method according to claim 3, wherein information on the analysis period is acquired in response to an input of an analysis period, and an average value of an update interval, an application interval, and an execution interval is obtained. Method.   A client security management method, comprising collecting network connection information and client shutdown information from a client, and storing a connection network and a connection time in a database based on the collected information.   In the client security management method, collecting security management information from a client and storing it in a database, receiving input of an analysis period, obtaining information on the analysis period, and displaying a patch application status and an average application interval A client security management method.   In the client security management method, security management information is collected from a client and stored in a database, and an analysis period is input to obtain the analysis period information, and the virus definition pattern application status and average application interval, or virus A client security management method, characterized by displaying a scan execution status and an average execution interval.   In the client security management method, network connection information and client shutdown information are collected from a client and stored in a database, and an analysis period is received to obtain the analysis period information. A client security management method characterized by displaying an operation rate (ratio connected to a business network) within an analysis period. In the client security management method, security management information is collected from a client and stored in a database, receives an analysis period input, acquires information on a client infected with a virus in the analysis period, and obtains information from the acquired security management information. A client security management method characterized by analyzing factors of security measures of a client infected with a virus.

Images