JP2008269420A - Risk management method and risk management program in computer, and risk management system for executing the method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a risk management technology for previously predicting that an inconvenient phenomenon which has occurred once diffuses to somewhere else or is repeated, and suppressing it. <P>SOLUTION: An event log described with event contents in each terminal with time is acquired, inconvenient phenomenon occurrence information showing that the inconvenient phenomenon has occurred in a specific terminal is acquired, an inconvenient phenomenon arrival event pattern prescribed from an event pattern group from an initial event causing the inconvenient phenomenon determined based on the inconvenient phenomenon occurrence information to a final event triggering final occurrence of the inconvenient phenomenon is generated, and an notice event pattern obtained by applying pattern matching processing to a notice event pattern taken out from the event log of the other terminal by use of the inconvenient phenomenon arrival event pattern outputs an inconvenient phenomenon countermeasure command according to an inconvenient phenomenon transition degree undergoing a transition to the inconvenient phenomenon arrival event pattern. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a risk management technique for suppressing the occurrence of an inconvenient phenomenon to be spread or repeated elsewhere.

  Various inconveniences occurring in a single computer or a network system constructed by a plurality of computers, for example, inappropriate operation due to user's operation error, malfunction due to computer virus, freeze due to mutual interference of programs, secret due to illegal operation There is a growing need to prevent information leaks and the downloading of prohibited information due to unauthorized operations. In order to prevent such an inconvenient phenomenon, it is preferable that an experienced supervisor monitors all the operations and operations of all computers, but the monitoring cost becomes enormous and is not practical.

  One technique for avoiding inconveniences caused by user operation errors is to determine whether the user using the service terminal is in trouble from the operation history. In order to present operation history information indicating what the user is in trouble and to provide support according to the situation in which the monitor is in trouble, a database of operation pattern data that the user is assumed to be in trouble is created in advance. When the above operation pattern data is detected from the user's operation history, an operation history presentation process for presenting the operation history and the detected operation pattern to the monitor is performed, and a support function database according to the operation status confirmed by the monitor There has been proposed a system for performing an operation support process using a computer (see, for example, Patent Document 1). Since such a system provides only a very limited function that can be operated only by a numeric keypad, inconvenient operations are limited, and if the prediction is easy, the user is in trouble. Expected operation pattern data can be stored in a database, so it can be used for a certain effect, but it can be used for general-purpose computers that provide various functions and network-connected computers that can acquire various information from external servers. However, it is difficult to apply as it is.

In addition, when a specific application program detects a risk occurrence source such as an unauthorized use user, a virus infection access source, a damaged file, etc., the cause of the risk, specifically, the user ID of the unauthorized use user, The file name of a computer virus infection source or the name of a damaged file is used as a threat code, and the contents of damage that the AP may suffer due to the risk, specifically, the unauthorized use of a user, virus infection, or a damaged file are accessed. This code is stored as a damage code, and the user ID of the user trying to start another application program or the file name of the file to be accessed is used as a confirmation code. There is a threat code with the same value as A risk information management system that verifies whether or not a threat code having the same value exists and considers the corresponding damage code as a possibility of occurrence of damage has been proposed (for example, see Patent Document 2). . In this system, the threat code matches the confirmation code using the user ID of the unauthorized user, the file name that is the source of the computer virus, the file name of the damaged file, etc. as the threat code that defines the cause of the risk. Therefore, there is no idea of predicting possible risks at the previous stage, and it is not sufficient for risk management.
JP 10-222467 (paragraph number 0017-0023, FIG. 1) JP 2001-142690 A (paragraph number 0007-0011, FIG. 4)

  In view of the above situation, an object of the present invention is to provide a risk management technique that predicts in advance that a once-occurring inconvenience phenomenon is diffused or repeated, and suppresses this.

  In order to suppress the spread of inconveniences occurring in one terminal, the risk management method according to the present invention includes the step of acquiring an event log that describes event contents in each terminal over time, and one of the terminals. The step of acquiring inconvenience phenomenon occurrence information indicating that an inconvenience phenomenon has occurred in a specific terminal, and the final occurrence of the inconvenience phenomenon from an initial event that causes the inconvenience phenomenon determined based on the inconvenience phenomenon occurrence information Generating an inconvenience phenomenon arrival event pattern defined from an event pattern group that reaches the final event that triggers the event, and pattern matching using the inconvenience phenomenon arrival event pattern for the event pattern of interest extracted from the event log in the terminal Performing the processing and the pattern matching A step of the target event pattern to determine inconvenience phenomenon transition of transitioning to the inconvenient phenomenon reaches event pattern based on the processing result, and a step of outputting a disadvantage phenomena countermeasures command in response to the adverse phenomena transition degree.

  In this risk management method, when an inconvenient phenomenon actually occurs, an inconvenient phenomenon defined from an event pattern group that extends from an initial event that causes the inconvenient phenomenon to a final event that triggers the final occurrence of the inconvenient phenomenon. Generate arrival event pattern. In other words, by the time an inconvenience occurs, there are several events (temporal operation units in the computer) that cause this inconvenience, that is, an event sequence that causes inconvenience. An inconvenience arrival event pattern can be generated. For example, one method for generating the inconvenience phenomenon arrival event pattern based on this event sequence is to extract the inconvenience phenomenon arrival event pattern from the last event in the event log of the specific terminal. Also, an appropriate inconvenience phenomenon event pattern may be created manually by judging from the inconvenience generated by the operator. Of course, an inconvenience phenomenon arrival event pattern may be generated by extracting an appropriate event from the event log of the specific terminal at the operator's discretion. In addition, since it is risk management for not reaching the final event, the final event does not need to be included in the inconvenience phenomenon arrival event pattern in terms of processing, but the final event is considered in consideration of visual checks by the operator and the like. May be included. In any case, when the inconvenience phenomenon arrival event pattern is generated, the attention event pattern to be monitored is sequentially extracted from the event log in the terminal other than the specific terminal that has caused the inconvenience, and this attention event pattern and inconvenience are obtained. Pattern matching is performed between the phenomenon arrival event patterns, and the inconvenience phenomenon transition degree indicating the possibility that the target event pattern will transition to the inconvenience phenomenon arrival event pattern is determined. When it is determined that the event pattern of interest changes to the inconvenience phenomenon arrival event pattern with a high possibility, an inconvenience phenomenon countermeasure command is output to the corresponding terminal in order to prevent the occurrence of this inconvenience in advance. When it is desired to express the inconvenience phenomenon transition degree as a clear numerical value, it is preferable to obtain the inconvenience phenomenon transition probability by calculation. Thereby, it is possible to suppress the inconvenience occurring in one terminal from spreading. In addition, as a target for preventing the spread of the inconvenience described here, the terminal that has recovered from the inconvenience is also included, and the inconvenience that occurred in one terminal is also spread to the terminal that has recovered from the inconvenience. It is naturally included in the risk management technique of the present invention to avoid this.

  Events that are constituent elements of event patterns are recorded as event logs over time, but the first cause of inconvenience occurring in terminals, that is, computers, is user error or intentional unauthorized operation. Therefore, in one preferred embodiment of the present invention, the event log includes key operation or mouse operation information by the user, and the inconvenience phenomenon arrival event pattern is expressed as a user operation pattern. As a result, the user operation pattern that has led to the inconvenience phenomenon is confirmed as the inconvenience phenomenon arrival event pattern, and the user operation to reach such an inconvenience phenomenon arrival event pattern at another terminal is avoided by one terminal. The inconvenience that has occurred is prevented from diffusing.

  Even with factors that are not directly related to user operations, the computer causes various inconveniences. For example, a crash due to mutual interference between programs. In order to cope with such a problem, it is preferable that the event log includes the interaction information of a plurality of programs that can be started on each terminal, and a program interaction pattern is set as the inconvenience phenomenon arrival event pattern. In other words, when an inconvenience such as a freeze state occurs because the process z and the program B are executed after the processes x and y of the program A are sequentially executed, the execution pattern of such a process, that is, the inconvenience phenomenon arrival event pattern is set. By avoiding this, it is possible to prevent the inconvenience occurring in one terminal from spreading.

  Furthermore, if the computer is networked, some inconveniences that occur on the computer can be caused by specific network communication. From this point of view, the event log includes network communication information, and it is also important to express the inconvenience phenomenon arrival event pattern as a network communication pattern.

  In addition, various operations and operation processes in the computer can be confirmed on each operation screen. If this is taken into consideration, an operation screen that changes from moment to moment can be regarded as an event in the computer and used for risk management in the computer. Accordingly, in one preferred embodiment of the present invention, the event log includes an operation screen capture image sequence generated by sequentially capturing operation screens of the terminal, and the inconvenience phenomenon arrival event pattern is Expressed as an operation screen pattern. That is, the operation screen pattern leading to the inconvenient phenomenon and the operation screen pattern to be checked are checked, and the spread of the inconvenient phenomenon occurring in one terminal is suppressed so that the operation screen pattern leading to the inconvenient phenomenon does not occur. Note that the meaning of the operation screen here may be the entire screen displayed on the monitor, or a part thereof, for example, a specific window screen, or an image such as a button or icon.

  As an inconvenience phenomenon countermeasure command that is output in order to avoid the inconvenience occurring in one terminal from spreading, an operation on the terminal is forcibly made so that the event pattern of interest does not match the inconvenience phenomenon arrival event pattern. The command to change to is suitable, but in order to leave the final decision to the user, a warning notification command is output as an inconvenience phenomenon countermeasure command, and the possibility of the inconvenience occurring to the user operating the corresponding terminal You may make it warn.

  In the present invention, a risk management system that implements the above-described risk management method is also included in the scope of rights. In such a risk management system, an event log acquisition unit that acquires an event log that describes event contents over time in each terminal in order to prevent the inconvenience occurring in one terminal from spreading, and the terminal An inconvenient phenomenon occurrence information acquisition unit that obtains inconvenient phenomenon occurrence information indicating that the inconvenient phenomenon has occurred in a specific terminal, and an initial event that causes the inconvenient phenomenon determined based on the inconvenient phenomenon occurrence information An inconvenience phenomenon arrival event pattern determining unit that generates an inconvenience phenomenon arrival event pattern defined from an event pattern group leading to a final event that triggers the final occurrence of the inconvenience, and an event of interest extracted from the event log in the terminal Using the inconvenience arrival event pattern for the pattern A pattern matching processing unit that performs turn matching processing; an inconvenience phenomenon transition degree determination unit that determines an inconvenience phenomenon transition degree in which the event pattern of interest transitions to the inconvenience event arrival event pattern based on the pattern matching processing result; An inconvenient phenomenon countermeasure command output unit for outputting an inconvenient phenomenon countermeasure command according to the degree of phenomenon transition is provided. The risk management system configured in this way also has the operational effects described in the previous risk management method, and can be provided with the various additional characteristic configurations described above.

  The risk management technique according to the present invention is not only applied to a network system that monitors a large number of terminals connected to a network by a terminal monitoring apparatus that is also connected to the network, but is also applied to a stand-alone computer. The Such a risk management method that operates within a closed range in one computer includes a step of obtaining an event log that describes event contents in the computer over time, and a disadvantage that an inconvenience has occurred in the computer. Specified from a step of obtaining phenomenon occurrence information and an event pattern group from an initial event that causes the inconvenience determined based on the inconvenience occurrence information to a final event that triggers the final occurrence of the inconvenience Generating an inconvenience phenomenon arrival event pattern, performing a pattern matching process on the event pattern of interest extracted from the event log using the inconvenience phenomenon arrival event pattern, and based on the pattern matching process result note A step of event pattern to determine the disadvantages phenomenon transition of transitioning to the inconvenient phenomenon reaches event pattern, and a step of outputting a disadvantage phenomena countermeasures command in response to the adverse phenomena transition degree. In this risk management method, the inconvenience phenomenon arrival event pattern determined for the inconvenience occurring in the computer is used to check the subsequent event pattern of the self to avoid repetition of the same inconvenience.

  Similarly, the risk management module according to the present invention, which operates only on the installed computer, has an event log acquisition unit that acquires an event log that describes event contents in this computer over time, and an inconvenience occurs in the computer. An inconvenience occurrence information acquisition unit for acquiring inconvenience occurrence occurrence information indicating the final event that triggers the final occurrence of the inconvenience from an initial event that causes the inconvenience determined based on the inconvenience occurrence information. An inconvenience event arrival event pattern determination unit that generates an inconvenience event arrival event pattern defined from an event pattern group leading to an event, and pattern matching using the inconvenience event arrival event pattern for the event pattern of interest extracted from the event log Process A turn matching processing unit, an inconvenience phenomenon transition degree determination unit that determines an inconvenience phenomenon transition degree in which the event pattern of interest transitions to the inconvenience phenomenon arrival event pattern based on the pattern matching processing result, and a degree of inconvenience phenomenon transition And an inconvenient phenomenon countermeasure command output unit for outputting an inconvenient phenomenon countermeasure command. Due to the above-described action, the repetition of inconvenient phenomena occurring on the computer is suppressed even in the computer on which the risk management module is mounted.

  Furthermore, in the present invention, a program that causes a computer to realize all the risk management techniques described above is also included in the scope of rights.

  The basic principle of a risk management method that suppresses the inconvenience occurring in one terminal from being repeated or spread will be described with reference to FIG. The inconvenience mentioned here is a general term for malfunctions that occur on computers and fraudulent acts that occur through computers. For example, malfunctions and crashes caused by computer viruses, crashes caused by mutual interference of programs, leakage of confidential information due to unauthorized operations, and fraud For example, download of prohibited information by operation.

  In FIG. 1, a plurality of terminals 1 that are general-purpose notebook computers and desk computers and a risk management device 3 that functions to prevent the inconvenience from spreading and repeating in these terminals 1 are shown in a network (an organization such as a LAN). 2 may be a network within the network, or may be a wide-area network that is open like the Internet).

  The risk management device 3 sequentially grasps the user's operation status and program operation status at each terminal 1, and when an inconvenient phenomenon occurs in any terminal 1, The operation status of the program is determined, and monitoring is performed so that the same inconvenience does not occur in the terminal 1, and the inconvenience is not diffused to other terminals 1. The procedure will be described below.

  User operations in the terminal 1, program activation and execution operations of various program processes are sequentially recorded as event logs and sent to the risk management apparatus 3 (# 01). In the risk management device 3, from the event log sequentially received from each terminal 1, “mouse click on application A icon”, “launch application A”, “open file 01”, “access to URL: abc”, The contents of a predetermined minimum unit relating to the operation and operation of the computer such as “download file xyz”, that is, the event is taken out and stored in the memory as an event sequence for each terminal 1 (# 02).

  When an inconvenience occurs in a specific terminal (here, the first terminal) and the occurrence of the inconvenience is detected, inconvenience occurrence information describing the type, content, time, etc. of the inconvenience is generated, It is sent to the risk management device 3 (# 03). In the risk management device 3, the type and content of the inconvenience such as malfunction due to computer virus or crash due to mutual interference of programs are identified from the inconvenience occurrence information received from the first terminal 1, and the inconvenient phenomenon identified. An extraction condition is created by limiting factors and time peculiar to the event, and based on this extraction condition, an event that seems to have led to this inconvenience is extracted from the event sequence stored in the memory of the first terminal 1 Then, an event sequence composed of the extracted events is registered as an inconvenience phenomenon arrival event pattern (# 04). The inconvenience phenomenon arrival event pattern registered in this way is a sample that causes a specific inconvenience when the computer is operated or operated in such a pattern. Note that in order to generate an inconvenience phenomenon arrival event pattern, when extracting related events from an event sequence stored in the memory, these extracted events do not necessarily have to be continuous over time. This is because there is a possibility that events that are completely irrelevant to the inconvenient original are mixed in a continuous event sequence, and omitting independent events that are irrelevant to such inconveniences increases the accuracy of the inconvenience arrival event pattern. It is. For example, the inconvenience phenomenon arrival event pattern in FIG. 1 is event R + O + P + Q, but if event O is an independent event that is irrelevant, event R + P + Q is used as the inconvenience phenomenon arrival event pattern. Of course, in order to simplify the control, events that are continuous over time may be extracted. Further, the inconvenience phenomenon arrival event pattern does not necessarily include the final event (event Q in FIG. 1) that triggers the final occurrence of the inconvenience. This is because it is necessary to avoid the occurrence of an inconvenient phenomenon before the final event, so it is not possible to wait until the final event occurs. Furthermore, there are cases where the inconvenience phenomenon arrival event pattern has been considerably elucidated depending on the inconvenience phenomenon. In such a case, the inconvenience phenomenon arrival event pattern is extracted from the event sequence stored in the memory of the first terminal 1. Instead, it can be manually created or selected by the operator.

  Therefore, pattern matching processing is performed on the latest event sequence stored based on the event log sequentially sent from each terminal 1 using the registered inconvenience phenomenon arrival event pattern as a standard pattern (# 05). As a result of pattern matching processing, when a high similarity is found, that is, when the possibility of transition to an inconvenience phenomenon arrival event pattern (transition degree) increases, for example, when the transition degree exceeds a predetermined threshold, Measures to prevent inconvenient phenomena that give a command to avoid the appearance of a specific event so as not to generate a remaining event in order to notify the warning at the terminal 1 that has become, and to make a transition to the inconvenient phenomenon arrival event pattern completely Is performed (# 06). Thereby, in this network system, it is suppressed that the inconvenient phenomenon which generate | occur | produced in the terminal 1 is repeated or spread | diffused to the other terminals 1. FIG.

  In the above description, the event log sent from each terminal 1 to the risk management device 3 includes the contents of user operations in the terminals, the activation of programs associated therewith, and the execution operation contents of various program processes. Instead of or in addition to these, a captured image obtained by capturing an operation screen (monitor screen) that is sequentially rewritten in accordance with a user operation or an execution operation of the program process may be included. As described above, it is possible to extract a captured image sequence as an inconvenience phenomenon arrival event pattern from a captured image stored for each terminal 1, and perform pattern matching processing using the inconvenience phenomenon arrival event pattern as an image as a standard pattern. By doing so, it is also possible to identify the terminal 1 that is likely to shift to the inconvenience phenomenon arrival event pattern.

  FIG. 2 is a functional block diagram showing functions required for the terminal 1 and the risk management device 3 in actually constructing the above-described principle risk management system. The terminal 1 is a general-purpose personal computer such as a notebook personal computer or a desktop personal computer. Among the functions created by these personal computers, the function block diagram of FIG. 2 mainly shows functions particularly related to the present invention. . The terminal 1 includes a monitor 51 such as a liquid crystal display, a keyboard and a mouse as the operation input device 52, an installed hard disk 53 storing various data, and a removable recording device (USB memory or the like) 54. Various operation commands input by the user through the operation screen displayed on the monitor 51 are executed by the GUI unit 10 created by the OS installed in the terminal 1 as an intermediary. Data processing based on user instructions including various file processing is performed by the program execution unit 11 with the start of the corresponding program. The contents of the user operation processed by the GUI unit 10 are linked to a time stamp in the form of enumerating operation execution program names, operation target data names (file names), operation command names, and the like by the operation information generation unit 12. Thus, the information on the execution process in the program execution unit 11 is linked to a time stamp in the form of enumerating program names and process names in the operation information generation unit 13 to become operation information.

  In order to display various operation screens on the monitor 51, these display data are temporarily stored in the video memory 14. The display data developed in the video memory 14, that is, the operation screens are displayed on the operation screen capture unit 15. It is captured as an operation screen capture image (hereinafter simply referred to as a capture image), and is linked with a time stamp to become captured image information.

  The operation information generated by the operation information generation unit 12, the operation information generated by the operation information generation unit 13, and the captured image information generated by the operation screen capture unit 15 are formatted to be mechanically readable by the event log generation unit 16. The event logs are combined and sent to the risk management apparatus 3 through the network IF 17. Since the network IF 17 manages and controls all the data communication with the outside, it is possible to judge the communication record here from the progress of the illegal data exchange. For this reason, the network IF 17 also has a function of generating the communication information and sending it to the event log generation unit 16. The event log generation unit 16 can incorporate the given communication information into the event log.

  Further, when an inconvenience such as a malfunction caused by a computer virus or a crash due to mutual interference between programs is detected in the terminal 1, inconvenience occurrence information describing the type, content, time, etc. of the inconvenience is generated. An inconvenient phenomenon detection unit 18 that is sent to the risk management device 3 is provided.

  The event log sent from the terminal 1 to the risk management device 3 can determine the transmission source by the terminal ID or the MAC address. If the terminal 1 is a multi-user type, the terminal 1 is operated by operating the terminal 1 It is also important to identify the users who are present. For this reason, in order to use such a terminal 1, it is necessary to first log in by inputting a user name and a password, and the user name obtained through this login process is stored in the login / logoff control unit 19. The user attribute information is converted into a user ID or the like as it is or as needed, and is sent to the risk management apparatus 3 and managed together with the terminal ID for identifying the terminal 1. Further, user attribute information may be described in the event log itself.

  The log-in / log-off control unit 19 notifies the warning information notification command or a specific type of event when the risk management device 3 determines that further operation or operation on the terminal 1 is likely to cause an inconvenience. The risk management device 3 sends an inconvenience countermeasure command such as a command for prohibiting linked operations or actions, or a command for forcibly logging off the user's login. When the log-in / log-off control unit 15 receives the warning information notification command, the log-in / log-off control unit 15 displays the warning information notification command on the monitor 51. When the log-in / log-off control unit 15 receives the command for prohibiting the operation or operation, the log-in / log-off control unit 15 The specified operation or action is written and the specific operation or action is prohibited thereafter. Also, when a forced logoff command is received, the forced logoff is immediately performed, and thereafter, login by the user is prohibited for at least a predetermined period.

  The risk management device 3 is also generally constituted by a general-purpose computer, and is attached with a monitoring monitor 61 such as a liquid crystal display and a data storage unit 64 constituted by a keyboard, a mouse, a hard disk or the like as an operation input device 62. The OS installed in the risk management device 3 manages the terminal 1 specified based on the user attribute information related to the terminal operation user sent from the GUI unit 30 or the terminal 1 and the user operating this terminal 1. Various basic functions are created starting with the terminal management unit 31 and the like. Further, most of the functions related to the present invention in the risk management device 3 are created in accordance with the execution of the risk management program installed in the risk management device 3. As typical examples, an event log acquisition unit 32, an event pattern extraction unit 33, an inconvenience phenomenon occurrence information acquisition unit 34, an inconvenience phenomenon arrival event pattern determination unit 35, a pattern matching processing unit 37, an inconvenience phenomenon transition degree determination unit 38, An inconvenient phenomenon countermeasure command output unit 39 and the like can be mentioned.

  The event log acquisition unit 32 captures the event log sent from each terminal 1 for each terminal, and classifies the event included in the event log as one of operation information, operation information, communication information, and captured image information. . Among them, since the operation information, the operation information, and the communication information are text information, they are managed by the operation / operation information management unit 32a, and since the captured image information is image information, it is managed by the capture image management unit 32b. The event pattern take-out unit 33 takes out each event managed by the operation / motion information management unit 32a and the captured image management unit 32b at any time, develops them in a memory in time series, and arranges these same events in time series. Create an event pattern consisting of different types of events as an event pattern.

  The inconvenient phenomenon occurrence information acquisition unit 34 acquires inconvenient phenomenon occurrence information indicating that an inconvenient phenomenon has occurred in a specific terminal 1. The inconvenience phenomenon arrival event pattern determination unit 35 determines the final occurrence of the inconvenience from the initial event that causes the inconvenience that is determined based on the inconvenience occurrence information acquired by the inconvenience occurrence information acquisition unit 34. The event sequence leading to the final event to be triggered is extracted from the event sequence created by the event pattern extracting unit 33 from the event log of the specific terminal 1 that has caused the occurrence of the inconvenient phenomenon and defined as an inconvenient event arrival event pattern. The defined inconvenience phenomenon arrival event pattern is registered in the inconvenience phenomenon arrival event pattern table 36 and used as a standard pattern in the pattern matching process. The pattern matching processing unit 37 is an event sequence extracted by the event pattern extracting unit 33 from the event log in the terminal 1 other than the terminal that has caused the inconvenient phenomenon, including the terminal 1 that has returned to normal after the occurrence of the inconvenient phenomenon. Pattern matching processing is performed on the target event pattern using one or more inconvenience phenomenon arrival event patterns registered in the inconvenience phenomenon arrival event pattern table 36. Note that the number of events included in the target event pattern to be subjected to the pattern matching process varies depending on the number of events in the inconvenient phenomenon arrival event pattern set as the standard pattern. In this pattern matching process, the order of the inconvenience phenomenon arrival event pattern as a standard pattern with respect to time is strict, and if the order with time is different, it is considered that no matching occurs. The inconvenience phenomenon transition degree determination unit determines the inconvenience phenomenon transition degree of transition to the inconvenience phenomenon arrival event pattern that is the target event pattern based on the pattern matching processing result by the pattern matching processing unit 37. In this embodiment, the inconvenience phenomenon transition degree determination unit 38 is configured to calculate the inconvenience phenomenon transition probability as the inconvenience phenomenon transition degree in order to express the transition degree as a numerical value easy to handle. As an example of an algorithm for calculating the inconvenience phenomenon transition probability, it can be created by using a relational expression obtained by statistical processing based on a large amount of sample data for each pattern type and the inconvenience phenomenon type.

  The inconvenience phenomenon countermeasure command output unit 39 sends an inconvenience phenomenon countermeasure command to the terminal 1 that is highly likely to cause the inconvenience phenomenon according to the inconvenience phenomenon probability (transition degree) in order to prevent the occurrence of the inconvenience phenomenon. . The inconvenience phenomenon countermeasure command includes a command for forcibly changing the operation of the terminal 1 so that the event pattern of interest does not match the inconvenience phenomenon arrival event pattern, and a warning for notifying the occurrence of the inconvenient phenomenon. A risk notification command for the terminal 1 such as a warning notification command for informing the user, a command for forcibly logging off the user of the terminal 1, and a request from the terminal 1 to the file server are prohibited. Examples include a command and a risk suppression command for an external server such as a command for prohibiting reception of a request from the terminal 1 for a DNS server, a proxy server, a mail server, or the like.

A very simplified example of the risk management procedure in the risk management system configured in this way is used. The inconvenience here is a case where a computer virus from the outside has entered a specific terminal 1 through the following process.
(1) Web browser activation (2) Access to site ABC (3) Top page display of site ABC (4) Click on specific area (5) Display of XYZ page (6) Click on specific button EXIT (7) Computer virus Including PPP. exe file download (8) PPP. Infection of computer virus by automatic start of exe file (9) Termination of Web browser When the above operation is performed, it is detected by the virus detection software resident that the specific terminal 1 is infected with the computer virus. Thus, the inconvenience detection unit 18 generates inconvenience occurrence information related to computer virus infection and sends it to the risk management device 3. Further, when the above operation is performed, the event pattern extraction unit 33 extracts an event sequence as schematically illustrated in FIG. 3A from the event log sent from the terminal 1 to the risk management device 3. be able to.

  The risk management device 3 that has received the inconvenience occurrence information performs the inconvenience prevention measure process shown in FIG. 4 so that the inconvenience does not spread to other terminals 1. In this inconvenience prevention measure processing, a registration routine for registering the inconvenience that has occurred and an avoidance execution routine for avoiding the diffusion of the inconvenience that has occurred are executed in parallel. In the registration routine, first, the inconvenience phenomenon occurrence information is decoded, and the inconvenience phenomenon attribute information such as the kind of inconvenience phenomenon (here, computer virus infection) is obtained (# 11). The inconvenience phenomenon arrival event pattern determination unit 35 uses the attribute information (such as infection history information in the case of a computer virus infection) from the initial event that causes the inconvenience to the final event that triggers the final occurrence of the inconvenience. The event sequence is searched and found as an inconvenience phenomenon arrival event pattern (# 12). For example, the event sequence shown in FIG. 3B is determined as the inconvenience phenomenon arrival event pattern from the event sequence shown in FIG. The determined inconvenience phenomenon arrival event pattern is registered in the inconvenience phenomenon arrival event pattern table 36 (# 13).

  In the avoidance execution routine, first, the terminal 1 to be monitored is designated (# 21). In general, this may be a method of sequentially designating the terminals 1 operating at that time. The pattern matching processing unit 37 sequentially sets all the inconvenience phenomenon arrival event patterns registered in the inconvenience phenomenon arrival event pattern table 36 as standard patterns for pattern matching processing (# 22). The event pattern extracting unit 33 extracts an event pattern from the event log of the designated monitoring target terminal 1 so as to have the number of events that matches the set standard pattern, and provides the event pattern to the pattern matching processing unit 37 (# 23). Note that the number of events included in the event pattern extracted by the event pattern extraction unit 33 need not be the same as the number of events included in the standard pattern. For example, if the events included in the extracted event pattern may include events that are not related to other consecutive events, the number of events included in the extracted event pattern is included in the set standard pattern It is more convenient to make it larger than the number of events. It is also preferable to perform pre-processing that excludes irrelevant events from the extracted event pattern, and if necessary, it is also possible to change the order of events included in the extracted event pattern. This is effective depending on the event pattern (standard pattern). Pattern matching processing is performed, and the similarity between the extracted event pattern and the set standard pattern (inconvenient phenomenon arrival event pattern), that is, the probability that the extracted event pattern is likely to transition to the standard pattern is calculated. (# 24). The obtained probability is compared with a preset threshold value (# 25). If the probability is greater than the threshold value (# 25 Yes branch), it is considered that there is a high possibility that an inconvenience will occur in the monitored terminal 1, and an operation or action is immediately performed according to the risk level or probability value of the inconvenience. Corresponding inconvenience phenomenon countermeasure command is determined (# 26). The determined inconvenience phenomenon countermeasure command is sent to the monitoring target terminal 1 through the network 2 (# 27). If the probability is smaller than the threshold value (# 25 No branch), it is considered that there is no problem with the extracted event pattern, and it is checked whether there is an event pattern to be extracted next, and if it exists (# 28 Yes branch). Returning to Step # 23, another next event pattern is given to the pattern matching processing unit 37, and if it does not exist (# 28 No branch), it is determined whether or not an inconvenience phenomenon arrival event pattern to be set as a standard pattern remains. Check (# 29). When the inconvenience phenomenon arrival event pattern to be set still remains (# 29 Yes branch), the process returns to step # 22 to set another inconvenience phenomenon arrival event pattern as a standard pattern. If there is no inconvenience phenomenon arrival event pattern to be set (# 29 No branch), the process returns to step # 21 to designate the next different terminal 1 as the monitoring target terminal. In this way, once an inconvenience that has occurred once is diffused or repeated, it is predicted by the inconvenience phenomenon arrival probability (inconvenience phenomenon arrival transition degree) using the event pattern, and measures are taken to prevent this. .

  In the example of FIG. 3 above, a text or coded event content sequence is defined as an event pattern as an event sequence, but a captured image that is an operation screen displayed on the monitor 51 for each such event. It is also possible to define the column as an event pattern and execute the above-described inconvenience prevention countermeasure processing. An example of an event pattern based on such a captured image is shown in FIG. Since this inconvenience prevention measure processing is based on the inconvenience phenomenon arrival probability (inconvenience phenomenon arrival transition degree) based on the pattern matching processing, it has high applicability to image-based event patterns. Note that the operation screens that are subject to pattern matching here include not only the entire screen displayed on the monitor, but also a part of it, for example, a specific window screen, and further images such as buttons and icons. It is what Such a partial area on the monitor screen can be cut out from the captured image of the entire monitor screen, or only the area may be captured from the beginning and handled as a limited operation screen.

  FIG. 6 shows another embodiment of the present invention. In the embodiment described above, event logs generated by a large number of terminals 1 and inconvenience occurrence information describing inconveniences occurring in a specific terminal 1 are sent to the risk management device 3 via the network 2. In the risk management device 3, measures have been taken to prevent such inconvenience from being repeated or diffused. However, if each functional unit required for executing the inconvenience phenomenon prevention measure processing in the risk management apparatus 3 is modularized and mounted on the computer of the terminal 1, the computer alone can perform the risk management function according to the present invention. Can be realized. A functional block diagram in such a form is shown in FIG. This differs from the network type risk management technology described above in that the event log, inconvenience occurrence information, and inconvenience countermeasure command transmission via the network are replaced by the computer data bus. Since the technical contents are the same, the description thereof will not be repeated here.

  In the description of the above embodiment, the inconvenience occurring in the terminal 1 is detected by the inconvenience detecting section 18 installed in the terminal 1, and the inconvenience occurrence information describing the type, content, time, etc. of the inconvenience is a risk. Although the configuration is such that it is sent to the management device 3, instead of this, there is an inconvenience detection unit that detects inconveniences occurring in the terminal 1 based on operation information, control information, etc. sent from the terminal 1. You may employ | adopt the structure mounted in the risk management apparatus 3 side. In this configuration, the inconvenient phenomenon detection unit does not need to be mounted on each terminal 1 and only needs to be mounted on the risk management device 3, so that maintenance and inspection management is facilitated and the cost is advantageous.

Schematic diagram explaining the basic principle of risk management technology according to the present invention Functional block diagram of a computer system to which risk management technology according to the present invention is applied Explanatory drawing of text-based event sequence that becomes event pattern Flow chart showing inconvenience prevention measures processing Illustration of the image-based event sequence that will be the event pattern Functional block diagram in a form in which the risk management technology according to the present invention is applied to a stand-alone type computer

Explanation of symbols

1: terminal 2: network 3: risk management device 12: operation information generation unit 13: operation information generation unit 15: operation screen capture unit 16: event log generation unit 18: inconvenient phenomenon detection unit 32: event log acquisition unit 33: event Pattern extraction unit 34: Inconvenient phenomenon occurrence information acquisition unit 35: Inconvenient phenomenon arrival event pattern determination unit 36: Inconvenient phenomenon arrival event pattern table 37: Pattern matching processing unit 38: Inconvenient phenomenon transition degree determination unit 39: Inconvenient phenomenon countermeasure command output unit

Claims (13)

In a risk management method that suppresses the spread of inconveniences occurring on one terminal,
A step of acquiring an event log that describes event contents in each terminal over time, a step of acquiring inconvenience occurrence information indicating that an inconvenient phenomenon has occurred in a specific terminal that is one of the terminals, and the occurrence of the inconvenient phenomenon Generating an inconvenience phenomenon reaching event pattern defined from an event pattern group ranging from an initial event that causes the inconvenient phenomenon determined based on information to a final event that triggers the final occurrence of the inconvenient phenomenon; Performing a pattern matching process using the inconvenience phenomenon arrival event pattern for the attention event pattern extracted from the event log in the terminal; and, based on the pattern matching process result, the attention event pattern is the inconvenience phenomenon arrival event pattern Transition to Steps and risk management method comprising the step of outputting a disadvantage phenomena countermeasures command in response to the adverse phenomena transition of determining the convenience phenomenon transition degree. The risk management method according to claim 1, wherein the inconvenience phenomenon arrival event pattern is extracted from an event log of the specific terminal. The risk management method according to claim 1, wherein the inconvenience phenomenon arrival event pattern is created manually. 4. The event log includes key operation or mouse operation information by a user, and the inconvenience phenomenon arrival event pattern can be expressed as a user operation pattern. The risk management method described. 5. The event log includes interaction information of a plurality of programs that can be started in each terminal, and the inconvenience phenomenon arrival event pattern can be expressed as a program interaction pattern. The risk management method according to any one of the above. The risk management method according to any one of claims 1 to 5, wherein the event log includes network communication information, and the inconvenience phenomenon arrival event pattern can be expressed as a network communication pattern. . The event log includes an operation screen capture image sequence generated by sequentially capturing operation screens of the terminal, and the inconvenience phenomenon arrival event pattern can be expressed as an operation screen pattern. Item 7. The risk management method according to any one of Items 1 to 6. The command for forcibly changing the operation at the terminal so that the event pattern of interest does not match the event pattern for reaching the inconvenience phenomenon is output as the inconvenience phenomenon countermeasure command. The risk management method according to claim 1. In a risk management program that suppresses the spread of inconveniences occurring on one terminal,
A function for acquiring event logs describing event contents over time in each terminal, a function for acquiring inconvenience phenomenon occurrence information indicating that an inconvenience has occurred in a specific terminal that is one of the terminals, and occurrence of the inconvenience A function of generating an inconvenience phenomenon arrival event pattern defined from an event pattern group that leads to a final event that triggers the final occurrence of the inconvenience from an initial event that causes the inconvenience determined based on information; A function of performing pattern matching processing on the event pattern of interest extracted from the event log in the terminal using the inconvenience phenomenon arrival event pattern, and the event event pattern of interest based on the pattern matching processing result is the inconvenience phenomenon arrival event pattern Inconvenient phenomenon transition to A function of determining the risk management program for realizing a function of outputting the disadvantages phenomena countermeasures command in response to the adverse phenomena transitions of the computer. In a risk management system that suppresses the spread of inconveniences occurring in one terminal,
An event log acquisition unit that acquires an event log that describes event contents in each terminal over time, and inconvenience occurrence information that acquires inconvenience occurrence information indicating that an inconvenience has occurred in a specific terminal that is one of the terminals Arrival of an inconvenience phenomenon defined by an acquisition unit and an event pattern group from an initial event that causes the inconvenience determined based on the inconvenience occurrence information to a final event that triggers the final occurrence of the inconvenience An inconvenience phenomenon arrival event pattern determination section that generates an event pattern, a pattern matching processing section that performs pattern matching processing on the event pattern of interest extracted from an event log in the terminal using the inconvenience phenomenon arrival event pattern, and the pattern Based on the matching process result An inconvenience phenomenon transition degree determination unit that determines an inconvenience phenomenon transition degree in which the noticeable event pattern transitions to the inconvenience phenomenon arrival event pattern, and an inconvenience phenomenon countermeasure command output section that outputs an inconvenience phenomenon countermeasure command according to the inconvenience phenomenon transition degree A risk management system consisting of In a risk management method that suppresses repeated inconveniences that occur on computers,
A step of acquiring an event log describing event contents in the computer over time, a step of acquiring inconvenience phenomenon occurrence information indicating that an inconvenience has occurred in the computer, and determination based on the inconvenience phenomenon occurrence information Generating an inconvenience reaching event pattern defined from an event pattern group from an initial event that causes the inconvenience to a final event that triggers the final occurrence of the inconvenience, and an attention extracted from the event log Performing a pattern matching process on the event pattern using the inconvenience phenomenon arrival event pattern, and an inconvenience phenomenon transition in which the event pattern of interest changes to the inconvenience phenomenon arrival event pattern based on the pattern matching process result Determining a risk management method comprising the step of outputting a disadvantage phenomena countermeasures command in response to the adverse phenomena transition degree. In a risk management program that suppresses repeated inconveniences that occur on computers,
It is determined based on the function of acquiring an event log describing the event contents over time in the computer, the function of acquiring inconvenience occurrence information indicating that an inconvenience has occurred in the computer, and the inconvenience occurrence information. A function for generating an inconvenience phenomenon arrival event pattern defined from an event pattern group ranging from an initial event that causes the inconvenience to a final event that triggers the final occurrence of the inconvenience, and an attention extracted from the event log A function for performing a pattern matching process on the event pattern using the inconvenience phenomenon arrival event pattern, and a degree of inconvenience phenomenon transition in which the target event pattern changes to the inconvenience phenomenon arrival event pattern based on the pattern matching process result Function Risk management program for implementing the function of outputting a disadvantage phenomena countermeasures command in response to the adverse phenomena transitions of the computer. In the risk management module that suppresses repeated inconveniences that occur on computers,
An event log acquisition unit that acquires an event log describing event contents in the computer over time, an inconvenience occurrence information acquisition unit that acquires inconvenience occurrence information indicating that an inconvenience has occurred in the computer, and the inconvenience An inconvenience phenomenon that generates an inconvenience phenomenon arrival event pattern defined from an event pattern group from an initial event that causes the inconvenience determined based on occurrence information to a final event that triggers the final occurrence of the inconvenience An arrival event pattern determination unit; a pattern matching processing unit that applies a pattern matching process to the attention event pattern extracted from the event log using the inconvenience phenomenon arrival event pattern; and the attention event based on the pattern matching process result An inconvenience phenomenon transition degree determination unit that determines an inconvenience phenomenon transition degree in which a pattern transitions to the inconvenience phenomenon arrival event pattern, and an inconvenience phenomenon countermeasure command output section that outputs an inconvenience phenomenon countermeasure command according to the inconvenience phenomenon transition degree. Risk management module.

Images