JP2007172221A - Quarantine system, quarantine device, quarantine method, and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To confirm the terminal operation of a user, and to inhibit the user's access to intracompany resources when the user violates a rule determined by a manager. <P>SOLUTION: A quarantine device 20 is provided with: a log collection management part for receiving log data from a client terminal 10, and for writing the log data in a log DB 32; a log data reading part for reading log data from the log DB 32; a rule collation part for, when the read log data shows the execution of an operation shown by rule data stored in a result DB, determining that the log data are matched with a rule; a result transmission part for outputting result information showing the rule whose matching is determined by the rule collation part and result information showing information with a user identifier in the log data; and a communication control part for instructing communication control corresponding to the rule shown by the detection information to a client terminal 10 of a user specified by the user identifier shown by the result information. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a quarantine system, a quarantine apparatus, a quarantine method, and a computer program.

  In recent years, ensuring security in computer systems has become an important issue. A conventional general quarantine system used for security measures diagnoses the security level of a client PC (personal computer), and if security measures are insufficient, connect to internal resources such as business servers and internal networks. Is not allowed. Security level diagnosis includes checking whether a security patch has been applied, antivirus software definition file version, installation status of necessary / unnecessary applications, etc. This is a compliance check for client PCs. is there.

In addition to the quarantine system described above, user authentication, installation of application gateways, digital forensics products, and the like are used as security measures. User authentication is to authenticate whether the user who uses the system is a registered user. The basic ID and password give authority such as possession of a specific device, use of an application, and access to data. To check. There are various authentication methods such as authentication using ID and password, and biometric authentication such as fingerprint and vein. In addition, there are IPS (Intrusion Prevention System), IDS (Intrusion Detection System), mail filtering, web filtering, and the like as detection of unauthorized operations by installing an application gateway. These are systems that, in an application gateway installed on a network, analyze communication passing through the gateway and cut off communication when a problem is detected in the communication content. Digital forensics products are mainly intended to investigate the cause of security damage such as information leakage, and collect user operation logs and analyze the collected logs.
On the other hand, a security level management system using a status certificate is also known (see, for example, Patent Document 1). In this system, the status certification center creates a status certificate based on the security information of the computer and transmits it to the computer. The status transmission center stores information on virus definition files that satisfy the security requirements for connection to the network. Safety state information including OS patch information is created and transmitted to the state verifier. The state verifier performs a security check by comparing the state certificate of the computer with the safe state information.
JP 2005-128622 A

The conventional quarantine system as described above uses the state of the client PC as a basis for determining whether or not communication is possible, but this is sufficient for preventing information leakage and virus infection caused by an unauthorized operation by the user. Not what you want. In addition, recently, security measures for client PCs such as patch application automation and antivirus system automation have been strengthened, and compliance checks for client PCs that are focused on the current quarantine system are relatively important. The degree is expected to go down.
In addition, in the field of endpoint security and information leakage, there is a growing need for strengthening information leakage countermeasures by authorized humans in addition to information leakage countermeasures by unauthorized users who are not registered as usable. ing. Since the user authentication only checks that the user is a specific user, it is not possible to prevent the security damage caused by the unauthorized operation of the user having the authority that has been particularly problematic recently.

  When an application gateway is used, the objects that can be controlled for communication are limited to e-mail, web page browsing, and the like. In addition, since the check target is communication that passes through the application gateway, it is possible to check and limit only a part of user operations performed on the client PC. In addition, as described above, digital forensics products are generally used after the occurrence of security damage, and are aimed at preventing the occurrence of unauthorized operations by investigating the cause or collecting logs. For this reason, functions such as prohibition of unauthorized operation by a user, prevention of damage, and provision of a penalty due to communication control are weak. For some products, there is a product that can block the process against unauthorized program execution, but it only prohibits the execution of the program. It cannot be controlled.

  The present invention has been made to solve such a problem, and its purpose is not only to check the security level based on the state of the client PC (compliance check of the client PC) but also to confirm the terminal operation of the user (user operation). Compliance check) and providing a quarantine system, a quarantine apparatus, a quarantine method, and a computer program capable of prohibiting access to in-house resources when the rules determined by the administrator are violated.

  In order to solve the above-described problem, the present invention is a quarantine system including a terminal and a quarantine apparatus connected to the terminal via a network, and includes information executed on the terminal and information on a user identifier. Log storage means for storing log data, rule storage means for storing rule data indicating an operation to be detected, a log collection management unit for receiving log data from the terminal and writing it to the log storage means, and the log storage A log data reading unit that reads log data written by the log collection management unit from the means, and the log data read by the log data reading unit executes an operation indicated by the rule data in the rule storage unit A rule matching unit that determines that the rule matches with the rule matching unit, and the rule matching unit determines that the rule matches. A result transmitting unit that outputs information indicating a rule and information on the user identifier in the log data, and a communication that limits or expands a communication range corresponding to the rule indicated by the result information output by the result transmitting unit A quarantine system comprising: a communication control unit that instructs control to a user terminal specified by a user identifier indicated by the result information.

  The present invention also provides log storage means for storing log data including information on operations executed at the terminal and user identifiers, rule storage means for storing rule data indicating operations to be detected, and log storage means A log data reading unit that reads log data and the log data read by the log data reading unit match a rule when the execution indicates an operation indicated by the rule data in the rule storage unit. A rule matching unit that determines that the rule is matched, a rule that is determined to be matched by the rule matching unit, and a result transmission unit that outputs result information indicating information on a user identifier in the log data. It is a quarantine apparatus characterized by the above.

  Further, the present invention is the quarantine apparatus described above, wherein the rule storage unit further stores data associating a user identifier with the rule data, and the rule matching unit corresponds to the user identifier in the log data. The rule data is read from the rule storage means, and when the log data indicates execution of the operation indicated by the read rule data, it is determined that the rule data is matched.

  Further, the present invention is the above-described quarantine apparatus, wherein the rule data includes information on one or more detection target operations.

  Further, the present invention is the quarantine apparatus described above, wherein the rule data includes a plurality of operation information and threshold information, and the rule matching unit is indicated by the log data having the same user identifier. The operation includes an operation that matches the operation indicated by the rule data, and the ratio of the number of matching operations to the number of operations included in the rule data is a threshold value indicated by the rule data. If it is above, it is judged that the rule matches.

  Further, the present invention is the quarantine apparatus described above, wherein the rule data includes information on a plurality of operations and threshold information, and the rule storage unit further includes an operation similar to the operation indicated by the rule data. The rule matching unit reads an operation similar to the operation indicated by the rule data from the rule storage means, and reads the similar operation read to the operation indicated by the log data having the same user identifier. It is characterized in that if an operation is included and the sum of similarities of similar operations is equal to or greater than a threshold value indicated by the rule data, it is determined that the rule matches.

  Further, the present invention is the above-described quarantine apparatus, wherein the log data further includes operation time information, the rule data further includes threshold information, and the rule matching unit includes the same user identifier. And the number of log data indicating the execution of the operation indicated by the rule data among the log data whose operation time is within a predetermined period is indicated by the threshold value of the rule data When the number is more than the number, it is judged that the rule matches.

  Further, the present invention is the above-described quarantine apparatus, further comprising: a user state management unit that writes a rule determined to match the rule by the rule matching unit, a determination time, and rule result data to a result storage unit. The rule matching unit detects whether or not rule result data whose determination time is within a predetermined period is stored in the result storage means, and the communication control unit determines whether or not the determination time is predetermined by the rule matching unit. When it is detected that the rule result data within the period is stored in the result storage means, a communication control continuation instruction according to the output result information is output.

  Further, the present invention is the above-described quarantine apparatus, which corresponds to the result information, and includes information on a terminal subject to communication control, and a communication control profile that is data indicating a communication range in which transmission or reception is permitted or restricted. The communication control storage means for storing, the information of the communication control target terminal corresponding to the result information output from the result transmission section, and the communication control profile are read from the communication control storage means and sent to the communication control target terminal. And a communication control instruction unit for notifying the communication control profile.

  Further, the present invention provides a computer used in a quarantine apparatus that performs a quarantine inspection based on an operation log of a terminal, a log data reading unit that reads log data including information on an operation executed on the terminal and a user identifier from a log storage unit, Rule data indicating an operation to be detected is read from the rule storage unit, and the log data read by the log data reading unit matches the rule when the execution indicates the operation indicated by the read rule data. A rule matching unit that determines that the rule is matched, and a result transmission unit that outputs result information indicating information about the rule determined to be matched by the rule matching unit and the user identifier in the log data. Is a computer program characterized by

According to the present invention, endpoint security can be enhanced by performing a compliance check of user operations.
In other words, in addition to being able to perform two aspects of communication control: relaxing access restrictions by performing certain operations and restricting the access range by performing certain operations, access control from client PCs to internal resources In addition to this, multi-faceted defense is possible, such as controlling communication to client PCs that performed unauthorized operations to prevent virus infection and information leakage. In addition to obstructing the unauthorized operation that occurred, the result of the action is continuously imposed as a penalty, or a restriction is imposed on the user who repeats a certain action multiple times retroactively. It is also possible to limit the behavior of end users more strictly and flexibly.
It is possible to detect a user's fraud using the cumulative count of fraud as the basis for determining the compliance check. It is also possible to determine that there is a sign of fraud if a certain standard is exceeded before the fraud is performed.

Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a diagram showing an outline of a quarantine system according to an embodiment of the present invention. The quarantine system owned by a company is formed by connecting the client terminal 10 and the quarantine apparatus 20 via a network 70. The network 70 is connected to an in-house resource 80 such as a business network 81 or a business server 82 installed on the business network 81 via a VPN-GW (Virtual Private Network-Gateway) 90.

  An outline of the operation of the quarantine system shown in FIG. When the client terminal 10 is activated, first, the PC state of the client terminal 10 is inspected (step S1). This is a compliance check for the PC. For example, whether or not a security patch is applied, the version of a definition file of antivirus software, the installation status of necessary / unnecessary applications (AP), and the like are checked. When the compliance check for the PC is completed, the client terminal 10 collects operation logs such as an application usage log, a mail and its attached file transmission log, and a web browsing log. The quarantine apparatus 20 receives log data, which is operation log data collected from the client terminal 10, and writes it in a log database 32 (hereinafter, the database is referred to as “DB”) (step S2). The quarantine apparatus 20 inquires the detection rule managed in the quarantine apparatus 20 and the log data in the log DB 32 to perform a quarantine inspection of the operation log, that is, a compliance check of the user operation (step S3). By this check, an operation log indicating that the quarantine apparatus 20 has performed an unauthorized operation with fear of information leakage such as activation of a prohibited application, application of a specific file by e-mail, execution of an application by unauthorized download from the web, etc. When the quarantine apparatus 20 is found, the function unit that performs communication state management instructs the client terminal 10 to restrict communication (step S4). The client terminal 10 restricts communication in accordance with an instruction from the quarantine apparatus 20, blocks access to the in-house resource 80 in the instructed range, and accesses only the communicable in-house resource 80 for business communication (step S5). ).

The information used for the user operation compliance check in the present embodiment is an operation log of the client terminal 10. That is, the quarantine apparatus 20 collects and manages a log of user operations in the client terminal 10 and performs matching between the log and a rule defined by the administrator, that is, a compliance check, and determines whether the rule is met. To do.
Specific examples of logs include the subject of email transmission, keywords in the email text, email attachment file names, web page addresses (URL: Universal Resource Locator), keywords in web pages, user access / Name of the file on which the operation (creation, storage, rewriting, deletion, etc.) was performed, the storage location of the file, the contents of the file, the name of the started application / process, the name of the stopped application / process, connection / use of an external device, printing Document data, text data shown in the title of the screen window, and the like. These pieces of information are generally collected by a forensics product, which is an existing general-purpose log collection software application, and can also be realized in this system by cooperation with those products. Further, it can be combined with a quarantine system of an existing technology, a system for automatically distributing a communication control profile, or the like.

  The utility of the quarantine system according to the present embodiment is to improve the security of the client terminal 10. First, by performing a compliance check of the client terminal 10, the client terminal 10 that does not satisfy a certain security standard cannot access the internal resource 80. As a result, it is possible to eliminate illegal carry-in terminals and client terminals 10 with insufficient security measures. Further, even if the client terminal 10 has passed these checks, the usage range of the in-house resource 80 can be reduced when the user performs an operation that is outside the rules determined by the administrator.

  In addition to the method of restricting the communication range when the user is out of the rule, the user operation compliance check can be performed by expanding the communication range when an operation according to the rule is performed. For example, after a virus check operation is performed, access to the business server 82 that performs business application processing is permitted after browsing a web page that indicates precautions and communication items that permit access to the file server. Usage such as permitting is considered. This function makes it possible to impose a flexible restriction that even a user who has authority to access the in-house resource 80 cannot exercise his authority unless a specific operation is executed. In addition, a specific operation (work) can be forced on the user of the client terminal 10, and as a result, the certainty of performing the specific operation can be increased.

Furthermore, the same restriction can be imposed not only on communications originating from the client terminal 10 but also on incoming calls to the client terminal 10. That is, when there is a problem in the compliance check for the client terminal 10 or the user operation, communication from the outside to the client terminal 10 or from another client terminal 10 is restricted. Conversely, when a certain operation is performed, it is possible to expand the range in which communication from the outside or from another client terminal 10 can be received.
Furthermore, it is possible to limit not only incoming calls to the client terminal 10 that has detected the fraud but also incoming calls to other client terminals 10 around the client terminal 10. Thereby, for example, access to other client terminals 10 that execute data in association with data related to the client terminal 10 that detected the fraud or in cooperation with the client terminal 10 is also restricted.

  The quarantine apparatus 20 continues the compliance check result of the user operation for a certain period. In other words, by adding the duration information to the information of the compliance check result and holding it, an event at a certain point on the time axis that there was an illegal operation has been illegal operation within a certain past period Is converted into an event. In other words, this serves not only to deal with undesirable behaviors, but also to a penalty for future behaviors of users who have performed undesirable behaviors.

  There are two types of compliance check rules. One is a rule that uses one operation log as a basis for determining a compliance check. For example, communication is restricted when browsing a web page whose access is to be restricted or when an execution log of an application program that should not be executed is found. The other is a rule that uses a combination of a plurality of logs as a basis for determining a compliance check. Although there is no problem in each operation log, it can be applied to a case where a problem occurs due to execution in combination. A specific example is a combination of (1) reference to customer information and (2) screen capture. Each single log cannot be regarded as an operation that should impose a connection restriction, but it becomes clear that the operation is problematic by combining them. Also, by defining the timing of log generation for each combination, it is possible to check when a problem occurs when a series of operations are performed within a certain period or simultaneously.

  When combining a plurality of logs as the basis for determining the compliance check, it is possible to incorporate a viewpoint of similarity to the prohibited operation. Specifically, there are the following two methods of use. The first is to perform communication control when an operation that matches the operation set exceeds a certain ratio before the entire operation set to be prohibited is executed. Is to do. For example, when a rule is formed by combining five operations, it is judged that the rule is met when the fourth is executed, and the use of internal resources is prohibited, or each operation is weighted. When the sum of the numerical values of the weights corresponding to the matching operations (calculated by mathematical operation of the divergence degree, such as summation and addition of squares) exceeds 80% of the total weights when all operations are performed For example, communication is prohibited. Second, the points corresponding to the degree of similarity are totaled for operations similar to the specified prohibited operation, and when a certain standard is exceeded, it is determined that the rule is met. As a result, it is possible to provide a wide range of rules, and to detect signs of operations to be prohibited and to control communication in advance.

  There are two methods for determining the result of the compliance check. One is simply a result of whether a specified user operation (or combination of user operations) has occurred. When an undesired operation is executed even once, it is determined as NG at that time. The second is to determine NG when the specified operation is performed several times within a certain period. For example, it is determined as NG when a web page including the same prohibited keyword is accessed three times. In this case, the determination result can be changed according to the density of the log generation by holding the time for storing the occurrence of the log in the quarantine apparatus 20. In other words, communication control is performed when an erroneous operation is frequently performed (for example, three times in 10 minutes), but communication control is not performed if it is performed three times a week. This can also be used to identify whether a user operation is malicious or accidentally wrong.

Hereinafter, a specific configuration and operation of the quarantine system will be described.
FIG. 2 is a block diagram showing the configuration of the quarantine system.
The client terminal 10 is a computer terminal such as a personal computer (PC), for example, and includes a log collection agent 11 and a communication control agent 12. Each of these blocks is specifically composed of a CPU (central processing unit) and a peripheral LSI including a memory. The CPU reads the program recorded in the memory and executes it sequentially to realize the functions of that block. To do. The log collection agent 11 has a function of collecting log data indicating an operation log performed by the user at the client terminal 10 and transmitting the collected log data to the quarantine terminal 2. The communication control agent 12 receives from the quarantine terminal 2 a communication control profile that is data indicating restriction or permission of communication, and performs communication control based on the communication control profile. In addition, the communication control agent 12 transmits a quarantine inspection request to the quarantine apparatus 20. The communication control agent 12 can be realized by an existing application such as a personal firewall or VPN communication control.

  The quarantine apparatus 20 includes a log collection management unit 21, a log-based quarantine inspection unit 22, and a communication control unit 23. Each of these blocks is specifically composed of a peripheral LSI including a CPU and a memory. The CPU reads out and sequentially executes a program recorded in the memory, thereby realizing the functions of the block. The log collection management unit 21 can be realized by an existing general-purpose forensics product, and the communication control unit 23 can be realized by an existing system that automatically distributes a communication control profile.

  The log collection management unit 21 includes an information collection unit 31, a log DB 32, a log management unit 33, an asset information management unit 34, and a reporting unit 35. The information collection unit 31 receives log data from the client terminal 10 and writes it to the log DB 32. The log management unit 33 performs data management of log data in the log DB 32. The asset information management unit 34 manages information on the client terminal 10 connected to the network 70. The reporting unit 35 outputs log data in the log DB 32, information based on the log data, and the like.

  The communication control unit 23 includes a communication control DB 61, a communication control instruction unit 62, and a quarantine request reception unit 63. The communication control DB 61 stores communication control data in which a quarantine result is associated with a communication control profile. The communication control instruction unit 62 receives the quarantine result of the client terminal 10 from the log-based quarantine inspection unit 22 and transmits a communication control profile corresponding to the received quarantine result to the client terminal 10. The quarantine request receiving unit 63 receives a quarantine inspection request from the client terminal 10 and notifies the log-based quarantine inspection unit 22 of the request.

FIG. 3 is a block diagram showing a detailed configuration of the log-based quarantine inspection unit 22.
The log-based quarantine inspection unit 22 includes a rule DB 41, a result DB 42, a rule setting management unit 51, an inspection execution management unit 52, a log data reading unit 53, a rule matching unit 54, a user state management unit 55, a result determination unit 56, and a result transmission. Unit 57, quarantine request receiving unit 58, and result reference / inspection / result operation unit 59.
The rule DB 41 stores data indicating a rule for executing a log check for a quarantine inspection. The result DB 424 stores quarantine inspection result data such as condition achievement status and rule conformance status for each user. The rule setting management unit 51 realizes a user interface for performing data operations such as addition, change, and deletion with respect to rule data in the rule DB 41. The inspection execution management unit 52 manages the execution status of the quarantine inspection based on the quarantine inspection request. Further, the inspection execution management unit 52 receives a log generation notification from the log collection management unit 21, starts the quarantine inspection process, and manages the execution of the periodic quarantine inspection process. The log data reading unit 53 reads log data for each record from the log DB 32 in the log collection management unit 21. The rule matching unit 54 performs matching between log data and rules. The user status management unit 55 writes the matching result between the log data and the rule and the achievement status of each inspection condition constituting the rule in the result DB 42. The result determination unit 56 determines the final result of the quarantine inspection from the condition achievement status for each user. The result transmission unit 57 transmits the result of the quarantine inspection to the communication control unit 23. The quarantine request receiving unit 58 receives a quarantine inspection request from the communication control unit 23. The result reference / inspection result operation unit 59 refers to the result data of the quarantine inspection in the result DB. Further, the result reference / inspection result operation unit 59 instructs the re-execution of the quarantine inspection, and changes the result data of the quarantine inspection in the result DB 42 such as releasing the penalty.

FIG. 4 is a diagram showing a data conceptual model showing the relationship between each data.
The log data and the inspection target user have an n: 1 relationship, and the inspection target user and the log inspection rule (hereinafter simply referred to as “rule”) have an n: m relationship. A rule is composed of a single or a plurality of inspection conditions (hereinafter also simply referred to as “conditions”) for determining a pattern match with a specific log, and there is an n: m relationship between a rule and a condition. In the figure, logs 1, 2, and 6 are log data of user 1, log 3 is log data of user 2, and logs 4 and 5 are log data of user 3. Also, user 1 Is subjected to quarantine inspection according to rule 1, user 2 is subjected to quarantine inspection according to rule 2, and user 3 is subjected to quarantine inspection according to rules 1 and 2. Rule 1 includes conditions 1, 2, 3 and 4 From inspection conditions , Rule 2, consists of inspection conditions conditions 2, 5 and 6.

5 to 7 are diagrams illustrating specific examples of data held by the quarantine apparatus 20.
FIG. 5 is a diagram illustrating a specific example of a log category table stored in the log DB 32. In the figure, the log category-specific table is configured by log data including log category, user ID, occurrence time, and log content data. The log category indicates a log classification such as a log related to web access and a log related to mail. The user ID indicates a user management ID for identifying the user who generated the log. The occurrence time indicates the log occurrence time. Log contents include the contents of the event that occurred, for example, activation of the specified application, operation using the application and its target file, installation of the application, URL (Universal Resource Locator) of the referenced web page, etc. Include a keyword, a downloaded file, a mail transmission, a title of the transmitted mail, a file attached to the mail, a print operation and a file to be printed, a reference / copy operation and its target file, and the like.

FIG. 6 is a diagram illustrating a specific example of data stored in the rule DB 41. The rule DB 41 stores a user / rule correspondence table, a rule table, a rule / condition correspondence table, a condition table, and a similar condition definition table.
The user / rule correspondence table includes user / rule correspondence data including information of a user ID that identifies a user who is a quarantine target and a rule ID that is a management ID of a rule used for the quarantine inspection of the user.

  The rule table includes rule data including rule ID, rule type, cumulative reference value, density reference value, achievement reference value, similarity reference value, and penalty period data. The rule type indicates a classification related to a rule consisting of a single condition or a rule consisting of a compound condition. The cumulative reference value is a threshold when the result is determined based on the cumulative number of occurrences. The density reference value is a threshold value when the result is determined based on the generation density. The achievement reference value is a threshold for determining the result of how many of the conditions constituting the rule are met. For example, when the detection is performed when the operations are completely matched, 100% However, 80% is set when it is detected when 4 out of 5 operations are coincident. The similarity reference value indicates a threshold value in the case of performing a result determination that the rule matches with the rule of similarity. For example, the ratio of the total value of the similarity when all operations are similar to 100% Or, the total value of similarity is set. The penalty period indicates the duration of the result when the rule is achieved.

  The rule / condition correspondence table includes rule / condition correspondence data including data associating a rule ID with a condition ID that is a management ID of a condition belonging to the rule.

  The condition table includes a condition ID indicating a management ID of a condition for checking a log, a log category indicating a classification of a log to be checked according to the condition, and a condition content data indicating specific check contents. Consists of data. The condition contents include, for example, a startup prohibited application, a file operation, a file operation target, a browsing prohibited URL, a startup of a security tool for releasing access restrictions, a URL for browsing notes, and the like.

  The similar condition definition table includes a condition ID that is a condition management ID, a similar condition ID that indicates a management ID of a condition that is defined to be similar to the condition ID (hereinafter referred to as “similar condition”), and a condition ID. And similar condition definition data including similarity data quantitatively defining how similar the condition specified by the similar condition ID is.

FIG. 7 is a diagram illustrating a specific example of data stored in the result DB 42. The result DB 42 stores a user result table, a rule result table, and a condition result table.
The user result table includes a user ID that identifies a quarantine target user, a determination that indicates a final quarantine inspection result of the user, a determination time that indicates a time when the determination is made, and a rule ID that specifies a rule that is the basis for the determination. It consists of user result data including the following data. The determination is a notification content to the communication control unit 23, for example, a penalty state in which communication is restricted, an access permission state in which the communication range is expanded, and the like.

  The rule result table includes a rule ID that identifies a rule that has been inspected, a user ID that identifies a quarantine inspection target user according to the rule, a rule type of the rule, a cumulative number, a density, an achievement ratio, a similarity ratio, a determination, and , Comprising rule result data including determination data. The cumulative number indicates the cumulative number of occurrences of rule achievement at the present time. The density indicates the occurrence density of the rule achievement at the present time. The achievement ratio indicates the ratio of what percentage is currently achieved among all the series of conditions constituting the rule. The similarity ratio indicates the percentage of the degree of similarity achieved at the present time. The determination indicates a flag indicating whether or not all conditions set by the rule have been achieved. The determination time indicates a time when it is determined that the rule is achieved.

  The condition result table includes a condition ID for specifying a condition for performing a conformance check with a log, a rule ID for a rule that has been inspected by the condition, a user ID for specifying a user to be inspected by the condition, and determining the condition It consists of condition result data including determination time, similarity condition ID, and similarity ratio data. The determination indicates a result of whether the condition and the log are matched, and includes a determination result of the similar condition. The determination time indicates the time when the determination based on the condition is performed. Similar condition ID shows management ID which specifies the conditions matched as similar conditions. The similarity ratio indicates the degree of similarity with the matched similarity condition.

Next, the operation procedure of the quarantine system will be described.
8 and 9 are diagrams showing a quarantine inspection process flow in the quarantine apparatus 20. FIG.
In advance, the administrator inputs information about the rule by an input unit (not shown) of the quarantine apparatus 20. The input means is a keyboard, a mouse, or the like, but may read information from a computer-readable recording medium or receive information from a computer device connected via the network 70. The rule setting management unit 51 of the quarantine apparatus 20 registers, changes, and deletes various data in the rule DB 41 based on information about rules input by the input unit.
In addition, the log collection agent 11 of the client terminal 10 collects log data of operations performed by the user at the client terminal 10 and transmits the collected log data to the quarantine apparatus 20. The log collection agent 11 may be transmitted to the quarantine apparatus 20 every time new log data is generated, or may be transmitted at predetermined intervals.

FIG. 8 shows a flow when a quarantine inspection process is executed in response to a request from the log collection management unit 21.
In the figure, when the information collection unit 31 of the quarantine apparatus 20 writes the log data received from the client terminal 10 to the log DB 32, the information collection unit 31 transmits a log generation notification to the inspection execution management unit 52. The inspection execution management unit 52 receives the log generation notification from the information collection unit 31 and starts the following quarantine inspection process. Note that the quarantine inspection process may be executed periodically such as every predetermined interval.

  The log data reading unit 53 that has received the instruction to start the quarantine inspection from the inspection execution management unit 52 reads the log data collected by the log collection management unit 21 and newly written in the log category table from the log DB 32 (step S110). ). The rule matching unit 54 determines which user the log data belongs to from the user ID (hereinafter referred to as “inspection user ID”) in the read log data (step S120).

  Subsequently, the rule matching unit 54 checks whether or not the inspection target user is currently in a predetermined penalty period (step S130). Specifically, the rule matching unit 54 reads data of determination, determination time, and determination rule ID from the user result table in the result DB 42 using the inspection target user ID as a key. When it is determined from the determination data that the user to be inspected is in the penalty state, the rule matching unit 54 reads the penalty period data from the rule table in the rule DB 41 using the determination rule ID as a key. When the current time does not reach the time when the penalty period has elapsed from the time indicated by the determination time data, the rule matching unit 54 determines that the user is in the current penalty period.

  In step S130, when it is determined that the inspection target user is not in the penalty period (step S130: No), the rule matching unit 54 refers to the rule DB 41 and uses the inspection target user ID as a key from the user / rule correspondence table. The rule ID is read, and the condition ID is read from the rule / condition correspondence table using the read rule ID (hereinafter referred to as “inspection rule ID”) as a key (step S140).

  Subsequently, the rule matching unit 54 determines whether or not there is a need for a similar inspection for the rule applied to the inspection target user (step S150). This is determined, for example, by reading the data of the similar reference value from the rule table in the rule DB 41 using the inspection target rule ID read in step S140 as a key, and determining whether the similar reference value is NULL or 0. be able to.

  When it is determined that the similarity test is necessary (step S150: present), the rule matching unit 54 uses the condition ID read in step S140 as a key and the similar condition ID and the similar condition ID and the like from the similar condition definition table in the rule DB 41. Similarity data is read (step S160).

  Subsequently, the rule matching unit 54 selects one condition ID from the condition ID group read in step S140 (step S170). The rule matching unit 54 reads the data of the log category and condition contents from the condition table in the rule DB 41 using the selected condition ID as a key, compares it with the log data read in step S110, and selects the currently selected condition. (Matching determination) is performed (step S180). That is, the log category in the log data matches the log category read from the condition table, and the user operation indicated by the log content in the log data matches the check content indicated by the condition content data read from the condition table. Thus, it is determined whether or not the currently selected condition and the log data are compatible.

  Further, the rule matching unit 54 reads the log category and condition content data from the condition table in the rule DB 41 using the similar condition ID of the currently selected condition ID as a key, and compares it with the log data read in step S110. Thus, matching (satisfaction determination) with similar conditions is performed. That is, the log category in the log data matches the log category of the similar condition read from the condition table, and the user operation indicated by the log content in the log data is the check content indicated by the condition content data of the similar condition It is determined whether or not the similar condition and the log data are matched depending on whether or not they match.

  In step S180, when the rule matching unit 54 determines that the log data does not match the currently selected condition or a similar condition of the currently selected condition (step S180: No), the condition ID group read in step S140 One condition ID that has not yet been selected is selected (step S170), and the condition conformance determination process in step S180 is performed.

  On the other hand, if the rule matching unit 54 determines in step S180 that the log data matches the currently selected condition or a similar condition of the condition (step S180: Yes), the condition ID ( Hereinafter, described as “conformity condition ID”), a rule ID indicating an inspection target rule ID corresponding to the condition ID, an inspection target user ID, determination data indicating that the condition is satisfied, determination time data indicating the current time, The condition result data including the similarity condition ID and the similarity ratio data indicating the similarity of the similarity condition ID is added to the condition result table of the result DB 42 (step S190).

  Next, the rule matching unit 54 selects a rule ID corresponding to the matching condition ID from the inspection target rule IDs read in step S140, and further uses the selected rule ID as a key to set a rule in the rule DB 41. The rule type is read from the table to determine whether it is composite or single (step S200). When it is determined that the rule type is single (step S200: single), the processing after step S240 described later is performed.

  On the other hand, when the rule type is composite (step S200: plural), the rule matching unit 54 refers to the result DB 42 for the result of other conditions belonging to the same rule as the matched condition (step S210). That is, the rule matching unit 54 specifies an inspection target rule ID including the matching condition ID as a condition ID, and a condition result including any one of the condition IDs corresponding to the specified inspection target ID and the inspection target user ID Data is extracted from the condition result table in the result DB.

  Based on the extracted condition result data, the rule matching unit 54 checks the similarity with the inspection target rule (step S220). The rule matching unit 54 extracts condition result data at the time closest to the time in the condition result data written in step S190 for each rule to be inspected from the condition result data extracted in step S210. The latest similarity ratio is calculated by adding the similarity ratio in the data and the similarity in the condition result data written in step S190. The rule matching unit 54 reads the similarity reference value from the rule table in the rule DB 41 using the inspection target rule ID as a key, and determines whether or not the similarity ratio calculated this time exceeds the threshold value indicated by the read similarity criterion value. to decide. If the threshold is exceeded, the rule ID and a flag indicating that the similarity reference value has been exceeded are stored internally.

  Subsequently, the rule matching unit 54 checks the achievement level of how much the condition ID included in the extracted entry matches the condition ID belonging to the inspection target rule ID (step S230). That is, the rule matching unit 54 extracts condition result data that matches a series of condition IDs corresponding to each inspection target rule from the condition result data read out in step S210, and calculates a matching ratio. The rule matching unit 54 reads out the achievement reference value from the rule table in the rule DB 41 using the inspection target rule ID as a key, and determines whether or not the achievement ratio calculated this time exceeds the threshold value indicated by the read achievement reference value. To do. If the threshold is exceeded, the rule ID and a flag indicating that the achievement standard value has been exceeded are stored internally.

  In the case of a rule that considers the cumulative count, the rule matching unit 54 reads the rule result data from the rule result table of the result DB 42 using the inspection target rule ID corresponding to the matching condition ID as a key. Then, 1 is added to the accumulated number in each read rule result data to calculate the accumulated number. The rule matching unit 54 reads the cumulative reference value from the rule table in the rule DB 41 using the inspection target rule ID as a key, and determines whether or not the cumulative number calculated this time exceeds the threshold value indicated by the read cumulative reference value. (Step S240). If the threshold is exceeded, the rule ID and a flag indicating that the cumulative reference value has been exceeded are stored internally. Note that when the read cumulative reference value is NULL or 0, it may be determined that the cumulative count is not considered.

  Next, in the case of a rule considering the occurrence density, the rule matching unit 54 refers to the determination time in the rule result data extracted in step S240, and extracts rule result data generated within a predetermined time from the current time. To do. The rule matching unit 54 obtains the number of occurrences from the number of extracted rule result tables for each inspection target rule. The rule matching unit 54 reads the density data from the rule table in the rule DB 41 corresponding to the inspection target rule ID, and determines whether or not the number of occurrences in the predetermined time calculated this time exceeds the threshold value indicated by the read density data. (Step S250). If the threshold is exceeded, the rule ID and a flag indicating that the density reference value has been exceeded are stored internally. If the read density reference value is NULL or 0, it may be determined that the density is not considered.

  The result determination unit 56 comprehensively determines whether the cumulative number, occurrence density, similarity ratio, and achievement ratio exceed the threshold, and determines whether the rule is met (step S260). For example, for each rule ID, data indicating which of the cumulative number, occurrence density, similarity ratio, and achievement ratio threshold excess flag is set is judged to be stored internally. It can be determined by comparing with the data. If it is determined that the rule does not match (step S260: No), the rule matching unit 54 selects one condition ID that has not yet been selected from the condition ID group read in step S140 (step S170). ), The process after step S180 is performed.

  On the other hand, if it is determined that the rule is matched (step S260: Yes), the user state management unit 55 generates rule result data for the rule that is matched and adds it to the rule result table in the result DB42. (Step S270). The generated rule result data includes the rule ID of the matched rule, the user ID to be inspected, the rule type corresponding to the rule ID, the calculated cumulative number, the density, the achievement ratio, the similarity ratio, the determination indicating the conformity, the determination time Contains data. The result transmission unit 57 transmits the inspection target user ID and result data indicating the matched rule ID to the communication control unit 23 (step S280). The result data may include the cumulative number exceeding the threshold, the occurrence density, the similarity ratio, and the achievement ratio.

  When the communication control instruction unit 62 of the communication control unit 23 receives the result data, the inspection target user ID included in the result data, the rule ID of the rule that has been matched, and the cumulative number exceeding the threshold, the occurrence density, and the similarity ratio Based on the achievement ratio, communication control data indicating a range in which communication should be restricted or communication should be permitted is read from the communication control DB 61. The communication control data includes an address of the client terminal 10 subject to communication control and a communication control profile for each client terminal 10 subject to communication control. The address of the client terminal 10 subject to communication control may include the address of the client terminal 10 around the user's client terminal 10 in addition to the address of the client terminal 10 of the user indicated by the inspection target user ID. Communication control profile data includes personal firewall rules and VPN rules such as internal / external resource identifiers / addresses, port numbers used for applications, VPN numbers, etc. that restrict or permit outgoing or incoming calls. It is. The communication control instruction unit 62 transmits a communication control profile corresponding to the client terminal 10 to the client terminal 10 subject to communication control. The communication control agent 12 of the client terminal 10 that has received the communication control profile permits or restricts outgoing calls from the client terminal 10 and incoming calls to the client terminal 10 according to the communication control profile.

  On the other hand, the rule matching unit 54 determines the end depending on whether the processing after step S150 has been executed for all the condition IDs read in step S140 (step S290). When it is determined that the process is not finished (step S290: No), the process from step S130 is performed. When it is judged that the process is finished (step S290: Yes), the inspection process is finished.

  In step S130, when it is determined that the inspection target user is in the penalty period (step S130: Yes), the result transmission unit 57 stops the quarantine inspection and maintains the current inspection result. The ID and the result data indicating the penalty period are transmitted to the communication control unit 23 (step S280). The communication control instructing unit 62 of the communication control unit 23 transmits to the client terminal 10 a communication control profile similar to that previously notified to the client terminal 10 of the inspection target user ID indicated by the result data.

FIG. 9 shows a flow when a quarantine inspection process is executed in response to a request from the client terminal 10.
In the case of on-demand quarantine, the communication control unit 23 of the quarantine apparatus 20 receives a quarantine request message including user ID information from the communication control agent 12 of the client terminal 10. The quarantine request receiving unit 63 of the quarantine apparatus 20 notifies the log-based quarantine inspection unit 22 of the quarantine request message (step S310). The quarantine request receiving unit 58 of the log-based quarantine inspection unit 22 extracts the user ID from the quarantine request message and identifies which user the quarantine request is (step S320).

  The rule matching unit 54 checks whether or not the identified user is currently in a predetermined penalty period by the same process as step S130 in FIG. 8 (step S330). That is, the rule matching unit 54 sets the user ID extracted from the quarantine request message as the inspection target user ID, and determines the determination corresponding to the inspection target user ID, the determination time, and the determination rule ID from the user result table in the result DB 42. When data is read and it is determined that the user to be inspected is in a penalty state or in a penalty state, it is determined that the user is currently in the penalty period.

  If it is determined that it is not a penalty period (step S330: NO), the log data reading unit 53 reads log data that has not yet been subjected to the quarantine inspection from the log DB 32 using the user ID to be inspected as a key (step S340). ), The inspection process after step S140 in FIG. 8 is executed. If it is determined in step S330 that it is not a penalty period (step S330: Yes), the process from step S280 in FIG. 8 is executed to stop the quarantine inspection and maintain the current inspection result.

According to the present embodiment, endpoint security can be enhanced by performing a compliance check of the user's operation in addition to the compliance check of the client terminal 10.
In addition, two aspects of communication control are possible: relaxation of access restriction by performing a certain operation and limitation of an access range by performing a certain operation.
In addition to controlling access from the client terminal 10 to the in-house resource 80, control of communication to the client terminal 10 that has performed an unauthorized operation prevents virus infection and information leakage. Defense is possible.
In addition, a user operation check function can be added to the quarantine apparatus 20, and a user action restriction function can be added to the forensic product, and higher security can be realized than when both are used together. .
Moreover, not only the disturbance of the illegal operation which generate | occur | produced but the result of the action can be continuously imposed as a penalty. Further, it is possible to impose restrictions by going back to the past and repeating certain actions a plurality of times, and it is possible to more strictly and flexibly limit the actions of end users.
In addition, it is possible to determine that there is a sign of cheating if a certain standard is exceeded before the cheating is performed.
Moreover, it is possible to detect a user's fraud by using the accumulative count of fraud as the basis for determining the compliance check.

  The client terminal 10 and the quarantine apparatus 20 described above have a computer system inside. The log collection agent 11 and the communication control agent 12 of the client terminal 10 and the functions of the log collection management unit 21, the log-based quarantine inspection unit 22 and the communication control unit 23 of the quarantine apparatus 20 are realized. The program is recorded on a computer-readable recording medium, the program recorded on the recording medium is read into a computer system, and executed, thereby performing the various processes. The “computer system” here includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system provided with a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

It is a figure which shows the outline | summary of the quarantine system by one embodiment of this invention. It is a block diagram which shows the structure of the quarantine system by the embodiment. It is a block diagram which shows the detailed structure of the log-based quarantine inspection part by the embodiment. It is a figure which shows the data conceptual model which shows the relationship between each data by the embodiment. It is a figure which shows the specific data structure of the table classified by log category memorize | stored in log DB by the embodiment. It is a figure which shows the specific example of the data memorize | stored in rule DB by the embodiment. It is a figure which shows the specific example of the data memorize | stored in result DB by the embodiment. It is a figure which shows the quarantine inspection process flow of the quarantine apparatus by the same embodiment. It is a figure which shows the quarantine inspection process flow of the quarantine apparatus by the same embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Client terminal 11 ... Log collection agent 12 ... Communication control agent 20 ... Quarantine apparatus 21 ... Log collection management part 22 ... Log-based quarantine inspection part 23 ... Communication control part 31 ... Information collection part 32 ... Log DB
33 ... Log management unit 34 ... Asset information management unit 35 ... Reporting unit 41 ... Rule DB
42 ... Result DB
DESCRIPTION OF SYMBOLS 51 ... Rule setting management part 52 ... Examination execution management part 53 ... Log data reading part 54 ... Rule collation part 55 ... User state management part 56 ... Result judgment part 57 ... Result transmission part 58 ... Quarantine request reception part 59 ... Reference result / Inspection / result operation unit 61 ... communication control DB
62 ... Communication control instruction unit 63 ... Quarantine request receiving unit 70 ... Network 80 ... In-house resource 81 ... Business network 82 ... Business server 90 ... VPN-GW

Claims (10)

A quarantine system comprising a terminal and a quarantine apparatus connected to the terminal via a network,
Log storage means for storing log data including information on operations executed on the terminal and user identifiers;
Rule storage means for storing rule data indicating the operation to be detected;
A log collection management unit that receives log data from the terminal and writes the log data to the log storage unit;
A log data reading unit for reading log data written by the log collection management unit from the log storage unit;
A rule matching unit that determines that the log data read by the log data reading unit matches a rule when it indicates execution of an operation indicated by the rule data in the rule storage unit;
A result transmitting unit that outputs result information indicating information on the rule determined to be matched by the rule matching unit and the user identifier in the log data;
A communication control unit for instructing the user terminal specified by the user identifier indicated by the result information to perform communication control to limit or expand the communication range corresponding to the rule indicated by the result information output by the result transmission unit;
A quarantine system characterized by comprising: Log storage means for storing log data including information on operations executed at the terminal and user identifiers;
Rule storage means for storing rule data indicating the operation to be detected;
A log data reading unit for reading log data from the log storage means;
A rule matching unit that determines that the log data read by the log data reading unit matches a rule when it indicates execution of an operation indicated by the rule data in the rule storage unit;
A result transmitting unit that outputs result information indicating information on the rule determined to be matched by the rule matching unit and the user identifier in the log data;
A quarantine apparatus comprising: The rule storage means further stores data associating a user identifier with the rule data,
The rule matching unit reads rule data corresponding to a user identifier in the log data from the rule storage unit, and if the log data indicates execution of an operation indicated by the read rule data, Judge that it matches,
The quarantine apparatus according to claim 2.   The quarantine apparatus according to claim 2 or 3, wherein the rule data includes information of one or more detection target operations. The rule data includes a plurality of operation information and threshold information,
The rule matching unit includes an operation that matches the operation indicated by the rule data in the operation indicated by the log data having the same user identifier, and for the number of operations included in the rule data, When the ratio of the number of matching operations is equal to or greater than a threshold value indicated by the rule data, it is determined that the rule matches.
The quarantine apparatus according to claim 2 or claim 3, wherein The rule data includes a plurality of operation information and threshold information,
The rule storage means further stores operation data similar to the operation indicated by the rule data,
The rule matching unit reads an operation similar to the operation indicated by the rule data from the rule storage unit, and the operation indicated by the log data having the same user identifier includes the read similar operation. And, when the sum of the similarities of the similar operations is equal to or greater than the threshold value indicated by the rule data, it is determined that the rule matches.
The quarantine apparatus according to claim 2 or claim 3, wherein The log data further includes operation time information,
The rule data further includes threshold information,
The rule matching unit has the same user identifier and the number of log data indicating the execution of the operation indicated by the rule data among the log data whose operation time is within a predetermined period. , If the number is greater than or equal to the threshold value of the rule data, it is determined that the rule matches.
The quarantine apparatus according to claim 2 or claim 3, wherein A user status management unit that writes rule result data indicating a rule determined by the rule matching unit to match the rule and a determination time to a result storage unit;
The rule matching unit detects whether or not rule result data whose determination time is within a predetermined period is stored in the result storage unit,
When the rule control unit detects that rule result data whose determination time is within a predetermined period is stored in the result storage unit, the communication control unit performs communication control according to the output result information. Output continuation instructions,
The quarantine apparatus according to any one of claims 2 to 7, wherein Corresponding to the result information, communication control storage means for storing information on a terminal subject to communication control and a communication control profile that is data indicating a communication range in which transmission or reception is permitted or restricted;
Communication that reads out information on a communication control target terminal corresponding to the result information output from the result transmission unit and a communication control profile from the communication control storage unit, and notifies the communication control profile to the communication control target terminal A control instruction unit;
The quarantine apparatus according to any one of claims 2 to 8, wherein A computer used in a quarantine system that performs quarantine inspections based on the terminal operation log.
Log data reading means for reading log data including information on operations executed by the terminal and user identifiers from the log storage means;
Rule data indicating an operation to be detected is read from the rule storage unit, and the log data read by the log data reading unit matches the rule when the execution indicates the operation indicated by the read rule data. Rule matching means to determine that
A result transmitting means for outputting result information indicating information on the rule determined to be matched by the rule matching means and the user identifier in the log data;
A computer program that is executed as:

Images