JP2009020811A - Communication control system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication control system for analyzing an operation log of a client PC and automatically preventing information leakage caused by spyware or adware. <P>SOLUTION: A communication control apparatus 1 monitors a packet to an external network 17 from an internal network 16, and when the packet contains a character string designated in a communication check sheet 11, the apparatus reads the operation log 13 of a recipient client PC 7 included in the internal network 16 to determine whether the operation log 13 matches the condition of a control policy 12. When it matches the condition of the control policy 12, the apparatus performs processing for controlling the permission or denial of communication which is defined in the control policy 12. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a communication control system, and more particularly to a communication control system that analyzes an operation log of a client PC and automatically prevents information leakage by spyware / adware.

  There are two cases in which information assets are taken out of the company from outside the company: cases where people take out information assets as needed, and cases where viruses, spyware, adware, etc. are automatically leaked. Antivirus software is distributed and sufficient countermeasures have been taken for viruses. However, it is difficult to detect and determine spyware and adware because of the current situation. Currently, there are tools that control external communication using spyware, etc., but all of them require communication permission / rejection determination, and people mistakenly allow communication (without thinking). If there is a risk, important information may be leaked outside.

On the other hand, Patent Document 1 describes a system that prohibits the transfer of electronic mail by a virus program.
JP 2006-99430 A

  Therefore, there is a need for a device that automatically blocks only spyware and adware communications without any human judgment. When a person transmits information to the outside, for example, (a) a mail client is activated. (B) Specify the destination and the information to be attached. (C) Click the mail transmission button. A series of operation logs are recorded. However, when information is transmitted by spyware or the like, command operation by Telnet or the like is mainly different from the above-described operation by a person.

  The invention described in Patent Document 1 is a system that suppresses only transmission by e-mail, and the determination of suppression is determination by e-mail address.

  In view of the above problems, an object of the present invention is to provide a communication control system that analyzes an operation log of a client PC and automatically prevents information leakage due to spyware / adware.

  In order to achieve the above object, the communication control system of the present invention is installed between an internal network, one or more client PCs connected to the internal network, an external network, and the internal network and the external network. In a communication control system comprising a communication control device by a computer and a recording means connected to the communication control device, the client PC has an operation log database for each client PC, and each client PC has a client for each client PC. A process of recording the operation contents on the PC in the operation log database of each client PC is performed, and the storage means performs communication based on the communication check sheet data in which the character string to be checked is specified and the operation log. Control policy data that specifies permit / deny conditions The communication control device monitors a packet from the internal network to the external network, and when the packet includes a character string specified in the communication check sheet, the communication control device is connected to the internal network. Read the operation log of the source client PC, determine whether the operation log meets the conditions of the control policy, and if the conditions of the control policy are met, allow / reject communication specified in the control policy A process for performing control is performed. Furthermore, the communication control system of the present invention is characterized in that a condition of the control policy is specified according to a user authority, a user job title, or an importance level of information to be distributed.

  According to the present invention, in a communication control system, it is possible to analyze an operation log of a client PC and automatically prevent information leakage due to spyware / adware.

  The best mode for carrying out the present invention will be described.

  FIG. 1 is a system configuration diagram showing an embodiment of a communication control system of the present invention. The communication control apparatus 1 is provided between an internal network 16 such as an in-house network and an external network 17 such as an external Internet, and can control communication packets from the internal network 16 to the external network. The communication control apparatus 1 is connected to the recording unit 21, and the recording unit 21 has data of the communication check sheet 11 and data of the control policy 12.

  A client PC 7, an information asset management server 8, and a mail server 9 are connected to the internal network 16. One to a plurality of client PCs 7 can be connected to the internal network 16, and the present invention can be realized in any case. In FIG. 1, as an example, two units, a first client PC 7a and a second client PC 7b, are illustrated. Each client PC 7 includes a recording unit and a processing unit. The operation log 13 (13a, 13b) is recorded in the recording unit of each client PC 7. A data recording unit 14 is connected to the information asset management server 8, and an information asset file 15 is stored in the data recording unit 14.

  The communication control device 1 is a computer and has functions such as policy registration, communication monitoring, operation log analysis, communication control, and notification. These are processed by a processing unit included in the communication control device 1.

  FIG. 2 is a flowchart showing an embodiment of control policy setting in the present invention. The administrator 23 sets the communication check sheet 11 and the control policy 12 in advance. First, login to the policy registration function of the communication control apparatus 1 using an administrator account (S101). Next, a character string to be checked for a packet flowing through the network is designated in the “communication check sheet 11” by the policy registration function (S102). Next, a condition for permitting / rejecting communication is designated as “control policy 12” by the policy registration function (S103).

  FIG. 3 is a diagram illustrating an example of the communication check sheet 11. In the example of FIG. 3, a character string such as “Top Secret” is designated. These character strings are for detecting packets including these character strings (S302 described later). Note that various methods have already been established for detecting a packet including a specific character string from a communication packet, and thus will not be described here. FIG. 4 is a diagram illustrating an example of the control policy 12. In the example of FIG. 4, “communication means”, “condition”, and “control” are designated for each “No.”. FIG. 4 shows a control policy in which the control indicated by “control” is performed when the corresponding “communication means” applies to “condition”.

  FIG. 5 is a flowchart showing an embodiment of operation log recording according to the present invention. First, an agent program that records user operations is installed in each client PC 7 in advance (S201). The agent program (processing by the processing unit of the client PC 7) records all operations performed by the user 22 using the client PC 7 in the “operation log 13” (S202). This is performed for each client PC 7.

  FIG. 6 is a diagram illustrating an example of the operation log 13. In FIG. 6, “date and time”, “IP address”, “user ID”, and “operation content” are recorded as the operation log.

  FIG. 7 is a flowchart showing an embodiment of communication control based on a control policy in the present invention. These processes are performed by the processing unit of the communication control device 1. First, the communication monitoring function of the communication control device 1 monitors packets flowing on the network based on the communication check sheet 11 (S301).

  Next, a packet corresponding to the communication check sheet 11 is detected (S302). And when not detecting, the process of S308 is performed next. On the other hand, if detected, the operation log analysis function identifies the transmission source client PC 7 from the transmission source IP address of the corresponding packet, and reads the operation log 13 of the corresponding client PC 7 (S303). Next, the operation log analysis function analyzes the operation log 13 based on the control policy 12 (S304).

  Next, it is determined whether or not it is necessary to reject communication (S305). If it is determined that communication is required to be rejected, the communication control function discards the corresponding packet (S306). On the other hand, if it is determined that it is not necessary to refuse communication, the communication control function passes the corresponding packet (S307). Next, the notification function collectively notifies the administrator of the contents and control contents of the corresponding packet (S308).

  A case where it is determined whether or not to refuse communication in S305 will be described with reference to FIG. In the example of the control policy 12 shown in FIG. When any of the conditions corresponding to this “reject” is met, it is determined that it is necessary to reject the communication. On the other hand, if none of the “reject” conditions in the control policy 12 is satisfied, it is determined that it is not necessary to reject the communication. Further, even when the condition corresponding to “reject” is satisfied, if the condition of “permitted” is satisfied, it is determined that the communication need not be rejected.

  FIG. 8 is a diagram showing a specific example of communication control based on the control policy in the present invention. In FIG. 8, the communication packet has an IP address “10.x.x.1” between the header and the footer, a port “mail”, and data “... attached: top secret. Doc.・ ”. Communication control for this communication packet is performed.

  First, communication monitoring is performed (S401). This is processing for detecting a communication packet corresponding to the communication check sheet 11. This is processing corresponding to S301 and S302 in FIG. In FIG. 8, “confidential” and “* .Doc” are included as examples of the communication check sheet 11, so that a communication packet corresponding to the communication check sheet is detected here. The date and time here is 3/1, 9 o'clock.

  Next, operation log analysis is performed (S402). This is to confirm that the operation content that meets the conditions of the control policy 12 exists in the operation log 13 of the corresponding IP address. This is processing corresponding to S303 and S304 in FIG. In FIG. The communication means of “1” is “mail” and the condition is “<1>, corresponding file access, <2>, no mail client activation log within 1 hour from packet transmission time”. On the other hand, in FIG. 8, examples of the operation log 13 with IP “10.x.x.1” are “3/1 8:40 top secret. Doc access” and “3/1 8:50 mail client activation”. As a result, the “mail client activation log” exists in the operation log, and this operation log does not meet the above conditions.

  Next, communication control is performed (S403). This is processing corresponding to S305 to S307 in FIG. Here, since the condition of the control policy is not satisfied in S402, “rejection” that is the control of the control policy in FIG. 8 is not performed, and the passage of the communication packet is permitted.

  Next, a report is made (S404). This is a process corresponding to S308 in FIG. In this case, the manager is notified of the action content for the packet.

  As described above, according to the present invention, the communication control device 1 is installed between the external network 17 such as the Internet and the internal network 16 such as the in-house network, and the communication is controlled based on the control policy 12. The control policy 12 for blocking communication by spyware / adware is defined by the presence / absence of the operation log 13 of the client PC 7 (communication is permitted when there is an operation log, communication is denied when there is no operation log). The communication control device 1 analyzes the operation log 13 of the client PC 7 when a distribution request from the company (internal network 16) to the outside (external network 17) occurs, and there is a log for performing distribution outside the company. For example, it is regarded as an operation by the person 22 and distribution is permitted. Other than that, it is regarded as delivery by spyware / adware, and communication is blocked.

  Thus, the present invention prevents information leakage by spyware / adware without imposing a burden on the user. Furthermore, the present invention enables communication control according to the user, the authority / position of the user, the importance of the information to be distributed, etc. by defining the control policy 12 in detail. For example, if the importance of the information to be distributed is “Top Secret”, the distribution is impossible, and if the importance of distribution is “Externally Secret”, if the user's job title is “Manager” or higher, distribution is permitted. Furthermore, according to the present invention, when an outflow of information to the outside is detected, it is possible to distinguish between human and spyware, and the range of influence can be easily grasped.

It is a system configuration figure showing one embodiment of a communication control system of the present invention. It is a flowchart which shows one Embodiment of the control policy setting in this invention. It is a figure which shows an example of a communication check sheet. It is a figure which shows an example of a control policy. It is a flowchart which shows one Embodiment of the recording of the operation log in this invention. It is a figure which shows an example of an operation log. It is a flowchart which shows one Embodiment of the communication control based on the control policy in this invention. It is a figure which shows the specific example of the communication control based on the control policy in this invention.

Explanation of symbols

1 Communication control device 7 Client PC
7a First client PC
7b Second client PC
8 Information asset management server 9 Mail server 11 Communication check sheet 12 Control policy 13 Operation log 14 Data recording means 15 Information asset file 16 Internal network 17 External network 21 Recording means 22 Person 23 Manager

Claims (2)

Connected to an internal network, one or more client PCs connected to the internal network, an external network, a communication control device by a computer installed between the internal network and the external network, and the communication control device A communication control system comprising:
The client PC has an operation log database for each client PC, and for each client PC, performs a process of recording operation contents in each client PC in an operation log database of each client PC,
The storage means includes data of a communication check sheet in which a character string to be checked is specified, and data of a control policy in which a condition for permitting / denying communication based on an operation log is specified,
The communication control device monitors a packet from the internal network to the external network, and when the packet includes a character string specified in the communication check sheet, the communication control device of the transmission source client PC connected to the internal network. Processing that reads the operation log, determines whether the operation log meets the conditions of the control policy, and performs control of permission / denial of communication defined in the control policy when the conditions of the control policy are met. The communication control system characterized by performing. The communication control system according to claim 1,
The communication control system according to claim 1, wherein the control policy condition is specified in accordance with a user authority, a user job title, or an importance level of information to be distributed.

Images