JP2009017414A - Monitor system for information leakage - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a monitor system for information leakage which stores changes of output screens as still images, continuously reproduces them as screen images, and monitors the output screens, using a small storage capacity. <P>SOLUTION: The monitor system for information leakage has a differential data creation means for recording images displayed on a terminal full-screen at a specified time interval as full-screen still images, comparing a current image as a whole that is divided into a specified number of blocks with a previously recorded full-screen still image, determining whether there are changes in the image data in each block, and storing the image data contained in blocks that image data changes to create differential data; and an index data creation means, a compression means, an image record file creation means, an image record file update means, and a reproduction means. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an information leakage monitoring system used for a security system.

In recent years, in order to prevent information leakage, a system for monitoring transmission / reception of e-mails and the like and a system for monitoring an operation history are known (for example, see Patent Document 1). Patent Document 1 describes a method for protecting an operation history file that obtains an operation history of a user who has logged on to a network system until logging out and monitors intrusion or destruction of the system in real time to ensure security.
JP 2000-354036 A (second page, second column, lines 8 to 26, FIG. 16)

  However, the method described in the above document monitors the operation history performed by the user in a certain network system, and has a problem that the history is not known when the user is not logged in. In addition, the operation history is displayed as text, and it is necessary for the system administrator to follow the user's action with characters, which is difficult to understand at a glance.

  Therefore, the object of the present invention is to solve the above-mentioned problems, store the change of the output screen as a still image, can be continuously reproduced as a screen image, and requires only a small capacity for storage, and outputs The object is to provide an information leakage monitoring system capable of monitoring a screen.

A first aspect of the present invention is a system for remotely monitoring a plurality of terminals via a network by one monitoring device,
The terminal
Index data creation means for recording an image of the entire output screen of the terminal as a full-screen still image at each index creation time;
Record the image of the entire output screen of the terminal as a full-screen still image at each difference detection time, compare it with the full-screen still image recorded immediately before and divide the whole into a certain number of squares, and Whether there is a change in the image data, only the square where the image data has changed, all the squares in which the image data has changed, the difference data having the image data after the change of each square, the position information of the square, and the data acquisition time information Differential data creation means to create,
Compression means for compressing the index data and the differential data, respectively, and storing the compressed data as index compressed data and differential compressed data,
The monitoring device
A communication means for transmitting and receiving data and transmitting an operation request in only one direction from the monitoring device to the terminal;
Recording file creation means for creating a recording file for each index compressed data transmitted from the terminal to the monitoring device;
Recording file update means for updating the differential compressed data transmitted from the terminal to the monitoring device in addition to the recording file;
Replay means for opening the recording file and displaying the output screen image of the terminal continuously at any one of a plurality of display speeds by adjusting the display interval in the output screen of the monitoring device. And
The index data creating unit and the difference data creating unit start processing based on the operation request, and provide an information leakage monitoring system.

  In the present invention, the “recording file” includes a file having an image composed of one or a plurality of still images.

  According to the first aspect of the present invention, the change in the output screen of the terminal can be stored as a still image and can be continuously reproduced as the screen image in the output screen of the monitoring device, and the capacity required for storage is small. In addition, it is possible to monitor the output screen of the terminal with a monitoring device. Thereby, it is possible to easily monitor information leakage from the terminal. Information leakage can also be prevented by psychological effects on the user who uses the terminal.

  According to the present invention, the change of the output screen can be stored as a still image and can be continuously played back as a screen image, the capacity required for storage can be reduced, and the output screen can be monitored. .

  The information leakage monitoring system of the present invention will be specifically described below with reference to examples, but the present invention is not limited thereto.

[Example 1]
In the present embodiment, information is managed by remotely monitoring one or a plurality of terminals via a network by a monitoring device, and the terminal is controlled and remotely managed. It is effective for officers to monitor and manage the operation status of personal computers and information input / output status.

{Constitution}
In this embodiment, the communication means, index data creation means, difference data creation means, and compression means are in the user's terminal, and monitoring on the side monitored by the communication means, recorded file creation means, recorded file update means, and playback means This is a system for monitoring and managing a user terminal in the apparatus.

  FIG. 1 is a diagram illustrating an example of a network configuration according to the first embodiment of the information leakage monitoring system of the present invention. FIG. 2 is a configuration diagram of the monitoring apparatus according to the first embodiment of the information leakage monitoring system of the present invention. FIG. 3 is a block diagram of the terminal of Embodiment 1 of the information leakage monitoring system of the present invention. In this embodiment, each monitoring device 100 and each terminal 200 are connected via a computer network. Both the monitoring side and the monitored side are connected by a protocol called Ethernet. The monitoring device is not limited to the case where the terminal to be managed exists in the same LAN, and if connected to each other via a router, the monitoring device may be connected via a WAN in which the LANs are connected by a dedicated line. Furthermore, remote monitoring is possible even when connected via the Internet.

  FIG. 1 shows that the monitoring apparatus 100 can monitor not only the LAN but also terminals connected by other networks.

  The data transmitted from the monitored terminal 200 to the monitoring device 100 may be stored in the server 400 set to be inaccessible from the terminal 200, and the monitoring device 100 may extract the data as necessary.

  The monitoring device 100A, the terminals 200A, 200B, 200C, and the server 400A are connected via a LAN. This LAN is connected to the Internet via the router 300A. A terminal 200D is connected to the Internet via a router 300B, and terminals 200E and 200F are connected to another LAN connected to the Internet via a router 300C. Further, a monitoring device 100B is connected to the Internet via a router 300D, and a server 400B placed on the Internet via a router 300E exists.

  The monitoring device 100A can monitor the terminals 200A to 200F. Also, the monitoring device 100B can monitor the terminals 200A to 200F. The monitored computer is equipped with an output screen recording / control program, and the monitored computer is equipped with a monitoring program.

  In this embodiment, the information leakage monitoring system program includes an output screen recording / control program operating on a terminal used by a user and a monitoring program operating on a monitoring device used by an administrator.

  The above-mentioned output screen recording / control program records the index data by recording the image of the entire output screen of the terminal as a full-screen still image at a predetermined time interval in accordance with a request from the monitoring device, a function for connecting to the monitoring device in the computer. Functions to be created, according to the request from the monitoring device, record the entire output screen of the terminal as a full screen still image at a predetermined time interval, and compare the whole screen still image recorded immediately before and the whole by dividing it into a certain number of squares A function that determines whether image data has changed for each square A function that aggregates image data of only squares whose image data has changed, a function that creates difference data, a function that compresses and saves the created index data, and creation This is a program for realizing a function of compressing and storing the difference data and a function of transmitting the compressed data to the monitoring device.

  The above monitoring program has a function of connecting to a terminal to a computer, a function of transmitting an output screen recording request to the terminal, a function of receiving data from the terminal, a function of creating a recording file from index compressed data, and a difference to a recording file This is a program for realizing a function of updating by adding compressed data and a function of opening a recording file and continuously displaying recorded images on an output screen.

  In order to monitor, the monitoring device side needs access authority to the managed computer. Access authority authentication is performed using an ID and a password.

  The user who uses the terminal does not need to input a password or the like for connection with the monitoring apparatus, and can connect, record, and play all through operations on the monitoring apparatus side. Therefore, it is possible to monitor without knowing that the user is monitoring. It is also possible to notify the user of the monitoring status by displaying it on the output screen of the terminal.

  The managed computer is recognized by the IP address and port number of the router. When the managed computer is connected to the Internet via a LAN, the IP address of the router that connects the LAN network and the Internet network and the port number assigned to the computer in the LAN are used. When the managed side and the managed side are connected by the Internet or WAN, the port number of the router between the two is set to “valid” for monitoring. This is because it is necessary to pierce the router, that is, to allow a specific port.

  In the present embodiment, for example, the port numbers in the LAN of the terminals 200A, 200B, and 200C are 1001, 1002, and 1003, respectively. Assuming that the port number of the terminal 200D is 1001, the port numbers in the LAN of the terminals 200E and 200F are 1001, 1002, and the IP addresses of the routers 300A, 300B, 300C, 300D are (2xxx.xxx.01), respectively. ), (2xxx.xxx.02), (2xxx.xxx.03), (20xxx.xxx.04). Here, “x” is a predetermined number. Therefore, for example, when the managed computer is the terminal 200A, the computer is recognized by the IP address (2xxx.xxx.01) and the port number 1001.

  Further, one monitoring device may be composed of a plurality of PCs and servers connected to each other. In this embodiment, the monitoring devices 100A and 100B can directly monitor the terminals 200A to 200F, respectively. However, when the monitoring device 100B is connected to the monitoring device 100A via the Internet, the recorded files stored in the monitoring device 100A are recorded. It may be transmitted to the monitoring device 100B, the recording file is opened by the monitoring device 100B, and the recorded images are continuously displayed on the output screen. In such a case, the monitoring device 100A may not have a playback unit, and the monitoring device 100B may not have a recording file creation unit and a recording file update unit.

  The monitoring device 100 checks the IP address and port number of the managed computer every time connection is started, and obtains the computer name by connection using the IP address and port number. Even when a WAN is connected between the monitoring device and the terminal, if the router port number is set to “valid”, the router on the terminal side can be set from the monitoring device 100, and a global IP address or private address can be set. IP address assignment can be set. Therefore, even if the address of the PC in the LAN has been converted, the computer to be managed is recognized, so that monitoring is possible. There is no need to set global IP addresses and private IP addresses on the terminal side, and monitoring is possible even when the address of a PC in the LAN is converted using a broadband router, etc. Even if the PC operation capability is at a level where various settings cannot be made, monitoring is possible.

  When the managed computer is limited to the same LAN as the managed computer, recognition may be performed using the local IP address and port number of the managed computer.

  In this embodiment, both the monitoring device 100 and the terminal 200 are configured as personal computers, and have a clock function and the like that a normal personal computer has.

  The monitoring device 100 includes, as hardware, a control device including a CPU 101, a memory 102, a display 104, a keyboard 105, a mouse 106, an operating system 107, a device driver, etc., a secondary storage such as a magnetic disk 110, and a LAN board 103. Etc. are provided. The magnetic disk 110 stores a monitoring program 112, an image folder 111, an authentication database, and an environment setting folder. Recorded files are stored in the image folder 111. The authentication database stores IDs, passwords, port numbers and IP addresses of one or more terminals to be monitored. The environment setting folder stores setting conditions such as the index data creation interval and difference data creation interval of the output screen of the terminal, and the size of image division at the time of difference data creation. The monitoring apparatus 100 realizes the function of a computer capable of information leakage monitoring processing of the present invention by the CPU 101 loading the monitoring program 112 into the memory 102 and executing it. The CPU 101 is an arithmetic processing device mounted on a normal computer, executes various programs, and performs various controls.

  The terminal 200 includes, as hardware, a control device including a CPU 201, a memory 202, a display 204, a keyboard 205, a mouse 206, an operating system 207, a device driver, a secondary storage such as a magnetic disk 210, a LAN board 203, and the like. The communication control device is provided. The magnetic disk 210 stores an output screen recording / control program 213, an image folder 211, and an authentication database. The image folder 211 stores output screen images, index data, difference data, index compressed data, and difference compressed data. In the authentication database, the ID of the monitoring device that manages the terminal 200 is stored. The terminal 200 realizes the function of a computer capable of information leakage monitoring processing of the present invention by the CPU 201 loading the output screen recording / control program 213 into the memory 202 and executing it. The CPU 201 is an arithmetic processing device mounted on a normal computer, executes various programs, and performs various controls.

  The server 400 includes, as hardware, a control device including a CPU, a memory, an operating system, a device driver, etc., a secondary storage such as a magnetic disk, and a communication control device such as a LAN board. An image folder is stored on the magnetic disk. Recorded files are stored in the image folder. The server 400 serves as a file server.

  In this embodiment, (1) a transmission unit that transmits a communication request and data including an operation request to the terminal 200, and (2) reception that receives index compressed data and differentially compressed data of the terminal 200. Means, (3) recording file creation means for creating a recording file from the received index compressed data, (4) recording file update means for updating the received recording file by adding differential compression data, and (5) recording file. And a playback means for continuously displaying the output screen image of the terminal 200 on the output screen of the monitoring device 100. . The monitoring device 100 functions as means (1) to (5) by the hardware configuration and the monitoring program 112 described above.

  The recording file created by the monitoring apparatus 100 may be stored in the monitoring apparatus 100, or may be stored in the server 400 when the capacity of the monitoring apparatus 100 is insufficient. The monitoring apparatus 100 further includes (6) a recording file transmission unit that transmits the created recording file to the designated server 400, and (7) a recording file search reception unit that searches and receives the recording file stored in the server 400. It is preferable to have. The monitoring device 100 functions as these means by the hardware configuration and the monitoring program 112 described above.

  Further, the terminal 200 has (1) receiving means for receiving a communication request and data including an operation request from the monitoring device 100, and (2) an image of the entire output screen of the terminal 200 as a full-screen still image every predetermined time. (3) an image of the entire output screen of the terminal 200 is recorded as a full-screen still image every predetermined time, and the full-screen still image recorded immediately before and the whole are set to a fixed number of squares. (4) the index data, and difference data creating means for determining whether or not there is a change in image data for each square and summing the image data of only the square where the image data has changed to make difference data; And a compression means for compressing the difference data and storing the compressed data as index compressed data and differential compressed data, and (5) real-time according to an operation request from the monitoring device 100 It is provided with transmitting means for transmitting the said compressed index data and the compressed difference data to the monitoring apparatus 100. The terminal 200 functions as means (1) to (5) by the hardware configuration and the output screen recording / control program 213 described above.

{procedure}
Next, a recording procedure according to the first embodiment of the information leakage monitoring system of the present invention will be described. The monitoring device can simultaneously monitor a plurality of terminals. A case where the monitoring device 100A monitors the terminals 200A to 200F will be described as an example where the monitoring target is the terminal 200A. Further, the storage destination of the recording file can be stored in the server 400A or the server 400B. As an example, a case where the recording file is stored in the monitoring device 100A will be described.

(Starting procedure)
First, the control device of the monitoring device displays an authentication ID input request screen as an initial screen on the display 104 which is an output screen, and accepts an input from the administrator. When the administrator inputs an ID with the mouse 106 or the keyboard 105 as input means, the control device accesses the authentication database to check whether the ID is present. When the ID is confirmed, a password input screen is displayed and an input from the administrator is accepted. When the administrator inputs the password, the control device accesses the authentication database and confirms whether the password is correct.

  When the password is confirmed to be correct, the first menu screen for logging in and selecting <Change ID password> <Terminal list> <Preferences> <Logout> is displayed on the display 104, and an instruction from the administrator is given. Accept. When the administrator selects <ID password change>, a screen for changing the ID and password is displayed. When the administrator selects <environment setting>, a screen is displayed for confirming / changing settings such as the index data creation interval and difference data creation interval of the terminal output screen, and the size of image division at the time of difference data creation. When the administrator selects <Logout>, the process ends.

  Assume that the administrator selects <terminal list>, for example. The control device accesses the communication control device to acquire the connection status, accesses the authentication database, acquires a list of terminals to be monitored, and displays a list of terminal port numbers, IP addresses, and connection statuses. For example, the port number 1001 and the IP address 202.10.0.1 are displayed in the column of the terminal 200A. The IP addresses in the terminals 200B and 200C fields are also displayed in the same manner. In the terminal 200F column, a port number 1002 and an IP address 202.10.0.3 are displayed. The terminals 200D and 200E are displayed in a similar manner. The connection status column displays the connection status between each terminal and the monitoring device. When the terminal is not turned on or does not request connection, it is displayed that the terminal is not connected.

  Here, for example, it is assumed that the administrator selects the field of the terminal 200A. The control apparatus displays a second menu screen for selecting <log display> <recording start> <recording stop> on the display 104, and accepts an instruction from the administrator.

(Recording procedure)
Assume that the administrator selects <recording start>. Hereinafter, a description will be given with reference to the drawings. FIG. 4 is a flowchart showing the recording procedure of the information leakage monitoring system according to the first embodiment of the present invention. In the recording procedure, the communication means for transmitting and receiving data between the terminal and the monitoring device and the operation request from the monitoring device to the terminal connects the monitoring device and the terminal (S101, S102), the output screen of the terminal at a predetermined time interval Index data creating means for recording the entire image as a full-screen still image records and stores the image data of the entire output screen of the terminal at each index creation time (S103 to S105), and the index data and the difference data, respectively. A compression unit that compresses and stores the compressed data as index compressed data and differentially compressed data, the step of compressing and storing the index data (S106), and the step of transmitting the index compressed data from the terminal to the monitoring device (S107); The communication means causes the monitoring device to receive the index compressed data. The recording file creation means for creating the recording file from the index compressed data creates and stores the recording file (S108 to S110), the time judgment means determines whether the data acquisition time (S111 to S116), and the communication means Requesting a difference image from the terminal (S117), recording an image of the entire output screen of the terminal as a full-screen still image at a predetermined time interval, and dividing the full-screen still image recorded immediately before and the whole into a fixed number of squares The difference data creation means that determines whether or not there is a change in the image data for each square and aggregates the image data of only the square in which the image data has changed to obtain the difference data is the output screen of the terminal at each difference detection time Step (S118 to S120) for generating and storing the difference data, and step for compressing and storing the difference data by the compression means S121), a step in which the communication unit transmits differential compressed data from the terminal to the monitoring device (S122), and a recording file updating unit that causes the communication unit to receive the monitoring device and update the recorded file by adding the differential compressed data. And a step (S123 to S125) of updating and storing the recording file. An information leakage monitoring system program having an output screen recording / control program and a monitoring program causes a computer to execute these steps.

  The index creation time and the difference detection time can be input and set by the administrator in <environment setting>. For example, the index creation time can be set every hour and the difference detection time can be set every 3 seconds. The index creation interval is preferably in units of 1 minute, 1 hour or 2 hours. Since the index is the start screen for playback, if the interval is too short for the entire recording time, the processing becomes complicated, the amount of data becomes enormous, the load on the monitoring device and the communication network is increased, and the interval is too long. In this case, the convenience of playback becomes worse. The difference detection interval is preferably 1 to 3 seconds. If the interval is too short, the amount of data becomes enormous and a burden is placed on the monitoring device and the communication network. If the interval is too long, leakage tends to occur. For example, an index image may be created every hour, a difference image may be created every 3 seconds, and the computer may be constantly stored from start to stop. Or you may memorize | store only a fixed period, such as several hours, several minutes, and several seconds.

  Specifically, first, the control device of the monitoring device 100A requests the communication control device of the monitoring device 100A to connect to the terminal 200A (S101). The connection request includes ID data of the monitoring device 100A. When the communication control device of the terminal 200A receives the connection request, the control device of the terminal 200A accesses the authentication database and confirms by ID that the connection requester is the monitor of the terminal 200A. Is connected to the monitoring device 100A by the communication control device (S102). If connection is not possible, a connection request is made again. The connection request is always made during the recording time determined by the environment setting. Thereby, even when the connection is cut off or the terminal is turned off, the monitoring can be continued as soon as the connection is ready. After the start of recording, the current time can be acquired by the clock function in the monitoring device, the output screen of the terminal can be recorded from a certain time to a certain time, and the recording can be paused at other times.

  When the connection is made, the control device of the monitoring device 100A performs communication for requesting the image data of the entire output screen to the terminal 200A by the communication control device of the monitoring device 100A (S103). When the communication control device of the terminal 200A receives the request, the control device of the terminal 200A creates and records image data of the entire output screen of the terminal 200A in a bitmap format (S104). In the case of RGB display, one pixel is 3 bytes. When the output screen is 1024 pixels wide and 768 pixels long, the image data of the entire screen is 1024 × 768 × 3 bytes. Index data is created by attaching data acquisition time information to such data. Since it is created as a still image in the bitmap format, the data size is small and it is possible to avoid burdening the terminal.

  The control device of the terminal 200A accumulates the created index data in the image folder (S105). Next, the control device of the terminal 200A compresses the index data and stores it in the image folder as index compressed data (S106). The compression is performed by processing the data that repeatedly appears by adding the repetition count information to the position information and color information of the repetition start, and omitting the repeated data. Then, the control device of the terminal 200A transmits the index compressed data to the monitoring device 100A using the communication control device (S107). By compressing still images in the bitmap format, the data size can be further reduced, and it is possible to avoid burdening the communication network, terminal, and monitoring device.

  The control device of the monitoring device 100A receives the index compressed data from the terminal 200A by the communication control device of the monitoring device 100A (S108). The control device of the monitoring device 100A creates a recording file from the index compressed data (S109) and stores it in the image folder (S110).

  The control device of the monitoring device 100A acquires the current time using the clock function, accesses the environment setting folder, and determines whether it is the recording end time (S111). At the recording end time, the control device of the monitoring device 100A ends the recording and returns to the second menu screen. When the administrator selects the end of recording, the recording ends in the same manner, and the second menu screen is displayed again. If it is not the recording end time, it is next determined in the same manner whether it is a recording stop time (S112). When it is the recording pause time, the processing is paused until the recording resume time (S113), and when the recording resume time is reached, the process returns to the step (S103) for performing communication for requesting image data. If it is not the recording pause time, it is next determined in the same manner whether it is the index data creation time (S114). When the index data creation time is reached, the process returns to the step (S103) for performing communication for requesting image data. If it is not the index data creation time, it is similarly determined whether it is the difference data creation time (S115). When it is the difference data creation time, the communication control device of the monitoring device 100A performs communication requesting the difference data from the terminal 200A (S117). If it is not the difference data creation time, the process is suspended until the difference data creation time (S116), and such communication is performed. By suspending the processing other than the data creation time, the burden on the monitoring device can be reduced.

  When the communication control device of the terminal 200A receives the difference data request from the monitoring device, the control device of the terminal 200A creates and records image data of the entire output screen of the terminal 200A in the bitmap format (S118), and stores it in the image folder. Accumulate (S119). Then, the control device of the terminal 200A calculates difference data (S120).

  The difference data is calculated in comparison with the full-screen still image (including index data) recorded immediately before. The control device of the terminal 200A compares the full-screen still image recorded immediately before being stored in the image folder and the full-screen still image recorded this time by dividing the whole into a certain number of squares and comparing them. Whether or not there is a change in the image data is determined every time. The number of pixels in one square can be set by inputting by the administrator in <environment setting>, and one square can be set to 32 pixels or 64 pixels in both vertical and horizontal directions, for example. FIG. 5 is an explanatory diagram of an image recording method in Embodiment 1 of the information leakage monitoring system of the present invention. For example, when the output screen is 1024 pixels wide and 768 pixels high, if one cell is 64 pixels long and horizontally, it is divided into 16 cells horizontally and 12 cells vertically. One square has 64 × 64 pixels, and the image data of one pixel is composed of position data and color data. For example, in FIG. 5, in the third square from the left of the display and the twelfth square from the top, A case is shown in which the second pixel from the left and the first pixel from the top change from red (image data: 0x020y010xFF0x000x00) to white (image data: 0x020y010xFF0xFF0xFF). The image data after the change is stored only for the square having the pixels whose color data has changed. At the time of saving, all the squares having pixels whose color data have changed are collectively added to the square position information and difference data acquisition time information, and saved as difference data. The image data of the square that does not have the pixel whose color data has changed is not included in the difference data. That is, the image data of only the squares in which the image data has changed is totaled to obtain difference data.

  After the difference data is calculated, the full-screen still image recorded immediately before being stored in the image folder is discarded, and the full-screen still image recorded this time is stored in the image folder. This image is used for comparison with the next full-screen still image to be recorded, and is discarded after the difference data is calculated. When there is no change in the output screen of the terminal 200A, difference data is not created. In addition, for a certain area, it can be set that difference data is not created even if an image changes. For example, the clock display portion of the output screen is excluded from the difference calculation target, and the difference data is not acquired even if the image of the portion changes. As a result, changes unnecessary for information management can not be managed, the efficiency is improved, and the data capacity can be reduced.

  Next, the control device of the terminal 200A compresses the difference data by a normal compression method and saves the difference data in the image folder as the difference compressed data (S121). Then, the control device of the terminal 200A transmits the differentially compressed data to the monitoring device 100A using the communication control device (S122). By compressing only the data with the difference, the data size can be further reduced, and the communication network, terminal, and monitoring device can be prevented from being burdened.

  The control device of the monitoring device 100A receives the differentially compressed data from the terminal 200A by the communication control device of the monitoring device 100A (S123). The control device of the monitoring device 100A adds the differentially compressed data to the recording file stored in the image folder, updates the file (S124), and stores it (S125). Thereafter, the process returns to the step (S111) for determining whether it is the recording end time.

(Playback procedure)
The playback means for opening the recording file and continuously displaying the output screen image of the terminal on the output screen of the monitoring device decompresses the recording file composed of the index compressed data and the differential compressed data from any index creation time. Playback is performed by continuously displaying the output screen of the terminal up to an arbitrary time on the output screen of the monitoring device. Here, “decompression” is the reverse of compression.

  In detail, it carries out as follows. When the administrator selects <Log Display> on the second menu screen described above, the control device of the monitoring device 100A displays the index of the recorded image data on the display 104. The display may be performed in a window display or a full screen display. In window display, image data of a plurality of terminals may be displayed simultaneously. The index is displayed, for example, by date and time. When the index is selected, the control device of the monitoring device 100A searches the image folder for the recorded file including the corresponding index compressed data, decompresses the file, and continuously displays the recorded image data on the display 104. Then, the content displayed on the display 204 of the terminal 200A is reproduced. After the index data is displayed, images reflecting the difference data are continuously displayed at regular intervals. By changing the display interval, fast-forward playback such as 3 × speed or 5 × speed can be performed. For example, in the case of the triple speed, when the difference data is acquired every 3 seconds, the control apparatus of the monitoring apparatus 100A realizes the triple speed by displaying the difference data on the display 104 every second.

{effect}
Since the present embodiment has such a configuration, changes in the screen of the terminal are stored as still images, and the user's terminal usage history is monitored by a remote monitoring device, as if sitting in front of the terminal screen. It can be played back as a screen image. When information leaks from the terminal, it is possible to check when and how the information leaked. In addition, the introduction of such a system has an extremely great preventive effect against information leakage such as taking out data from a constantly monitored consciousness. In addition, since new data is taken in only when the display on the screen changes, the capacity for recording for 1 minute is 1 to 3 MB (megabytes), which is smaller than a moving image and less burden on the computer. Furthermore, the display screen of the terminal cannot display that recording / playback / searching is being performed, and there is no means for erasing the stored still image on the terminal side, and recording is stopped on the terminal side. The person who uses the terminal cannot control such a system. Therefore, monitoring and management can be performed reliably. According to this embodiment, the change of the output screen can be stored as a still image and can be continuously played back as a screen image, the capacity required for storage can be reduced, and the output screen can be monitored. is there. Further, since it is possible to investigate the history of information acquisition status, information outflow status, and the like in the terminal, information management of the terminal can be performed in more detail.

  It is preferable that encryption means for compressed data is mounted in the terminal, and decryption means is mounted in the monitoring device. Since it is encrypted, it cannot be played back by normal image playback means such as a media player, and it is safe in terms of security management. Further, the monitoring status may be displayed on the terminal. The user can grasp the monitoring status and psychologically prevent information leakage.

  The present invention is not limited to the above embodiment, and various modifications can be made without departing from the spirit of the invention. In addition, the constituent elements of the above embodiments can be arbitrarily combined without departing from the spirit of the invention.

It is a figure which shows an example of the network structure of Example 1 of the information leakage monitoring system of this invention. It is a block diagram of the monitoring apparatus of Example 1 of the information leakage monitoring system of this invention. It is a block diagram of the terminal of Example 1 of the information leakage monitoring system of this invention. It is a flowchart which shows the video recording procedure of Example 1 of the information leakage monitoring system of this invention. It is explanatory drawing of the image recording method in Example 1 of the information leakage monitoring system of this invention.

100 monitoring device 101 CPU
102 Memory 103 LAN board 104 Display 105 Keyboard 106 Mouse 107 Operating system 110 Magnetic disk 111 Image folder 112 Monitoring program 200 Terminal 201 CPU
202 Memory 203 LAN board 204 Display 205 Keyboard 206 Mouse 207 Operating system 210 Magnetic disk 211 Image folder 213 Output screen recording / control program 300 Router 400 Server

Claims (1)

A system for remotely monitoring a plurality of terminals via a network by one monitoring device,
The terminal
Index data creation means for recording an image of the entire output screen of the terminal as a full-screen still image at each index creation time;
Record the image of the entire output screen of the terminal as a full-screen still image at each difference detection time, compare it with the full-screen still image recorded immediately before and divide the whole into a certain number of squares, and Whether there is a change in the image data, only the square where the image data has changed, all the squares in which the image data has changed, the difference data having the image data after the change of each square, the position information of the square, and the data acquisition time information Differential data creation means to create,
Compression means for compressing the index data and the differential data, respectively, and storing the compressed data as index compressed data and differential compressed data,
The monitoring device
A communication means for transmitting and receiving data and transmitting an operation request in only one direction from the monitoring device to the terminal;
Recording file creation means for creating a recording file for each index compressed data transmitted from the terminal to the monitoring device;
Recording file update means for updating the differential compressed data transmitted from the terminal to the monitoring device in addition to the recording file;
Replay means for opening the recording file and displaying the output screen image of the terminal continuously at any one of a plurality of display speeds by adjusting the display interval in the output screen of the monitoring device. And
In addition, the information leakage monitoring system, wherein the index data creating unit and the difference data creating unit start processing based on the operation request.

Images