JP2009053824A - Information processor, message authentication method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To inspect whether a mobile PC temporarily withdrawing from an internal network is properly secured. <P>SOLUTION: In a terminal PC1, an agent program storage part 102 stores an agent program 107 operating on an OS106, and transmits an agent key and an agent program 107 to be used for authenticating a message to the OS106. A message authentication part 108 acquires an agent key from the agent program storage part 102. When receiving a message, the message authentication part 108 authenticates the received message by using the agent key, and confirms whether or not the received message is transmitted from the agent program 107 operating on the OS106. An inspection report generation part 105 generates inspection report information showing the authentication result by the message authentication part 108, and transmits it to an inspection server 2. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a security countermeasure technique for an information processing apparatus connected to an intra-organization network.

As a security measure for companies and public offices, a “quarantine network system” is known as a means for thoroughly implementing security measures for a terminal PC (Personal Computer) connected to an in-house network.
The quarantine network system is a combination of network connection authentication technology and terminal PC audit technology. Monitoring software is installed on the terminal PC connected to the in-house network, and the security countermeasure status of the terminal PC is inspected. The inspection result is used as authentication data at the time of network connection.
Connection is permitted to terminal PCs that meet the security management standards stipulated by the operation manager of the in-house network, and terminal PCs that are detected to be incompatible with the security management standards are isolated from the in-house network, and the safety of the in-house network (For example, Patent Document 1 and Patent Document 2).
In addition, a terminal PC that has already been allowed to connect is regularly re-inspected and reported to the quarantine server to maintain the latest security measures, and an extension that supports various inspection items and network connection methods A configuration method of a system having a property has also been proposed (for example, Patent Document 1).
JP 2005-318615 A JP 2006-148200 A

The conventional quarantine network technology described above is used when a terminal PC is connected to an in-house network or for the purpose of thorough security measures for the terminal PC and prevention of inappropriate PC connection to the in-house network. It provides a solution for the ongoing time.
For this reason, the techniques described in Patent Document 1 and Patent Document 2 have a problem that security measures cannot be maintained on a mobile PC that temporarily leaves the intra-organization network due to a business trip or the like.

  The main object of the present invention is to solve the above-described problems when the conventional quarantine network technology is applied to a mobile PC, and the mobile that temporarily leaves the intra-organization network due to a business trip or the like Even on PCs, it is continuously inspected that appropriate security measures are always maintained. Also, mobile PCs can be used without passing the inspection, and mobile PCs can be used by avoiding inspections. It is a main object to provide a method for preventing reconnection from being taken back to the intra-organization network by concealing the fact that the inspection has been performed or the inspection has been avoided.

In addition, security measures in the terminal PC include, for example, the introduction of virus detection software, the introduction of file encryption software, the prohibition of installation and use of software unnecessary for business, the recording of user operation histories, the recording on removable storage media, etc. Although there are access restrictions and the like, these management measures sometimes restrict the performance and functions of the terminal PC and prohibit the user's selfish use. The motivation to invalidate the inspection function introduced by is generated.
Therefore, an object of the present invention is to prevent inappropriate or unauthorized use by a user having such a motivation.

Similarly, when a mobile PC is stolen or when it encounters damage such as a computer virus, invalidation of management measures and inspections is often attempted.
Therefore, an object of the present invention is to prevent such attacks.

An information processing apparatus according to the present invention includes:
An information processing apparatus having an OS (Operating System),
An agent program storage section that stores an agent program that operates on the OS and transmits a message, and that transmits an agent key used for message authentication and the agent program to the OS;
The agent program that acquires the agent key from the agent program storage unit and authenticates the received message using the agent key when the message is received, and the received message is operating on the OS And a message authenticating unit for determining whether the message is a message transmitted from.

According to the present invention, it is possible to surely confirm that the agent program maintains normal operation by eliminating spoofing and replay attacks by malicious software or the like, and according to a message from the authentic agent program, Since security inspection result records can be recorded reliably, it is possible to inspect that appropriate security measures are always maintained even for information processing devices that temporarily leave the internal network due to business trips, etc. .
In addition, using the information processing device without passing the inspection, using the information processing device while avoiding the inspection, or concealing the avoidance of the inspection, It is possible to prevent reconnecting to the home.

Embodiment 1 FIG.
FIG. 1 shows a configuration diagram of an example of a mobile PC monitoring system according to the present embodiment.
First, the configuration of this system will be described.
This system includes a terminal PC1 to be inspected, an inspection server 2 that receives an inspection report from the terminal PC1, and a quarantine gateway 3 that controls access authority of the terminal PC1 to the intra-organization network 4 according to instructions from the inspection server 2.

Further, the terminal PC1 is implemented as a hardware module, for example, so as to prevent unauthorized access from an OS (Operating System) 106 on the terminal, an agent program 107 operating on the OS, and software on the OS 106. An inspection control device 101 is provided.
Although FIG. 1 shows a state in which the agent program 107 is operating on the OS 106, as will be described later, the agent program 107 is initially stored in the agent program storage unit 102, and the agent program storage unit 102 stores the OS 106. And is started by the OS 106.
The terminal PC1 is an example of an information processing device.

In the terminal PC 1, the agent program storage unit 102 stores an agent program 107 that operates on the OS 106 and transmits a message, and transmits an agent key used for message authentication and the agent program 107 to the OS 106.
When the message authentication unit 108 acquires an agent key from the agent program storage unit 102 and receives the message, the message authentication unit 108 authenticates the received message using the agent key, and the received message is operating on the OS 106. It is determined whether the message is transmitted from the agent program 107.
The message authentication unit 108 includes an agent operation monitoring unit 103 and an inspection record storage unit 104.
The message authentication unit 108 receives a heartbeat notification as a message and, when receiving the heartbeat notification, authenticates the received heartbeat notification using an agent key, and the received heartbeat notification operates on the OS 106. It is determined whether or not the heartbeat notification is transmitted from the agent program 107 that is running.
The inspection record storage unit 104 receives at least one of an event log and a security inspection result notification as a message, and receives the event log or the security inspection using the agent key when the event log or the security inspection result notification is received. The result notification is authenticated, and it is determined whether the received event log or security inspection result notification is an event log or security inspection result notification transmitted from the agent program 107 operating on the OS 106.
The inspection report generation unit 105 receives an inspection report generation request from the agent program 107 and generates inspection report information to be transmitted to the inspection server 2. Message authentication information for verification by the inspection server 2 using the terminal-specific secret key 110 concealed in the inspection control device 101 is added to the inspection report information.

  In the above example, the agent program storage unit 102, the message authentication unit 108 (the agent operation monitoring unit 103, the inspection record storage unit 104), and the inspection report generation unit 105 are realized by the inspection control device 101 that is a hardware device. As described later, at least the agent key generation process in the agent program storage unit 102, the agent program and agent key transmission process to the OS 106, the agent key transmission process to the message authentication unit 108, the message authentication Message (heartbeat notification, event log, and security inspection result notification) authentication processing in the unit 108 (agent operation monitoring unit 103, inspection record storage unit 104) may be realized by a program. In this case, the program is stored in a secondary storage device such as a magnetic disk device in the terminal PC1 and loaded into a memory at the time of execution so that a CPU (Central Processing Unit) executes the program (magnetic disk device). The memory and CPU are not shown in FIG.

Next, the operation of this system will be described.
First, the basic roles of the terminal PC1, the inspection server 2, and the quarantine gateway 3 are the same as those of the conventional quarantine network system. These roles are not in principle the claims of the present invention, but the basic flow of operations will be briefly described with reference to FIG.

The terminal PC1 transmits a packet such as an ARP (Address Resolution Protocol) advertisement at the time of activation (S201). This is a normal operation of the terminal OS.
The quarantine gateway 3 that has detected this detects that the terminal PC1 is connected as an unconnected terminal based on a MAC (Media Access Control) address included in the packet (S202).
Next, the quarantine gateway 3 instructs the terminal PC1 to start a connection procedure (S203).
The terminal PC1 generates an inspection report and transmits a connection request including the inspection report to the quarantine gateway 3 (S204 to S205).
Upon receiving the connection request, the quarantine gateway 3 requests the inspection server 2 to authenticate the requested content (S206). The inspection server 2 examines the content of the inspection report in addition to the authentication of the terminal and the user, and establishes connection OK / NG. The determination is made (S207), and the result is notified to the terminal PC1 via the quarantine gateway 3 (S208 to S210). The quarantine gateway 3 appropriately changes the access right of the terminal PC1 to the intra-organization network according to the determination result of connection OK / NG.

The above is the basic flow, but the system according to the present embodiment is mainly characterized in that the following effects are obtained by using each means included in the inspection control device 101.
(1) It is monitored that the agent program 107 that executes the inspection and connection request on the terminal PC1 is a genuine program stored in the inspection control device 101 and continues to operate normally.
(2) To prevent false inspection records and falsification of inspection records from software other than the agent program 107 recognized as authentic.
(3) The inspection control device 101 itself applies a digital signature to the inspection report and confirms it with the inspection server 2, thereby impersonating or falsifying the inspection report by malicious software or the like on another terminal or the terminal PC1. Rather, a correct inspection report is always made to the inspection server 2.

  Next, an operation example (message authentication method) for obtaining the above-described effect of the terminal PC1 according to the present embodiment will be outlined with reference to FIG. 12, and then with reference to FIGS. 3 to 11 and FIG. The detailed operation of the terminal PC1 will be described step by step.

First, the agent program storage unit 102 transmits an agent program and an agent key in accordance with an agent program load request from the OS 106 (S1201) (agent program transmission step). At this time, the agent program storage unit 102 also notifies the agent key to the agent operation monitoring unit 103 and the inspection record storage unit 104.
Next, reception and authentication processing of heartbeat notification by the agent operation monitoring unit 103 (S1202) (message authentication step), reception of event log and security inspection result by the inspection record storage unit 104, and authentication processing (S1203) (message authentication) Step) is performed in parallel. For the authentication process by the agent operation monitoring unit 103 and the authentication process by the inspection record storage unit 104, the agent key notified from the agent program storage unit 102 is used.
Then, the inspection report generation unit 105 generates an inspection report based on the request from the agent program 107, and the agent program 107 sends a connection request including the inspection report to the quarantine gateway as shown in S204 and S205 of FIG. 3 (S1204).

<Starting the agent program>
Next, details of the processing of S1201 shown in FIG. 12 will be described.
In the terminal PC1, the agent program storage unit 102 built in the inspection control device 101 stores a load module of the agent program 107. When an agent program load request is received from the OS 106, an agent key generated every time a program load request is received. Is embedded in the load module of the agent program 107, and is transferred to the OS.
The agent key generates a value that is difficult to guess using random numbers or the like.
The OS 106 activates the load image passed in the above procedure and materializes it as an agent program 107.
At the same time, the agent program storage unit 102 notifies the agent key to the agent operation monitoring unit 103 and the inspection record storage unit 104.

Specifically, as shown in FIG. 13, the agent program storage unit 102 first receives a load program load request for the agent program 107 from the OS 106 (S1301).
The agent program storage unit 102 that has received the load request generates an agent key (S1302). The value of the agent key changes for each load request.
Next, the agent program storage unit 102 embeds the agent key in the load module of the agent program 107 to generate a load image (S1303).
Next, the agent program storage unit 102 transmits the generated load image to the OS (S1304).
Further, the agent program storage unit 102 notifies the agent key to the agent operation monitoring unit 103 and the inspection record storage unit 104 (S1305).
As a result, the same agent key is shared among the agent program 107, the agent operation monitoring unit 103, and the inspection record storage unit 104.

<Agent action monitoring and authenticity check by heartbeat>
Next, details of the processing of S1202 shown in FIG. 12 will be described.
The agent program 107 periodically reports a heartbeat to the agent operation monitoring unit 103 in order to indicate to the inspection control device 101 that it is authentic and operating normally. The heartbeat notification is composed of the following data as shown in FIG.
A sequence number 302 that is incremented by 1 for each notification generation with an initial value = 0.
HMAC-SHA1 value (Keyed-Hashing for Message Authentication code-Secure Hash Algorithm 1) 303 with the sequence number 302 as a message text and the agent key as an authentication key.
In this embodiment, an example in which the HMAC-SHA1 value 303 is used will be described. However, other types of cryptographic hash functions may be used.
The agent operation monitoring unit 103 that is a recipient of the heartbeat notification holds the agent key and the next expected sequence number, and incorporates a watchdog timer for detecting that the heartbeat is interrupted.
4 and 5 show the operation of the agent operation monitoring unit 103. FIG.

When the terminal PC1 is powered on, the agent operation monitoring unit 103 initializes the register value to 0 and the agent key and the next expected sequence number are both empty and 0 (S401), and resets the watchdog timer (S402). When the agent key notification is received, the agent operation monitoring unit 103 sets the register value to the notification content and the next expected sequence number to 0 (S403).
As described below, the watchdog timer is also reset when a valid heartbeat notification is received. When the watchdog timer expires without receiving a reset, the agent operation monitoring unit 103 instructs the inspection record storage unit 104 to record an event log indicating that the operation of the authentic agent program cannot be confirmed. The watchdog timer is reset (S405).
When the heartbeat notification is received, the agent operation monitoring unit 103 first checks whether the value of the sequence number 302 is as expected, and then whether the value of the HMAC-SHA1 value 303 is as expected (respectively). (S406, S407) to confirm the validity. If it is valid, the next expected sequence number is incremented by 1 and the watchdog timer is reset (S408).
If at least one of the confirmations in S406 and S407 is not valid, the agent operation monitoring unit 103 instructs the inspection record storage unit 104 to record the fact as an event log (S409).
By the above procedure, the step of inspecting the sequence number 302 prevents a replay attack by malicious software or the like.
Specifically, the agent operation monitoring unit 103 analyzes the update status of the sequence number (identifier) included in the received heartbeat notification, and as a result, the received heartbeat notification is retransmitted in the past. When it is determined that it is present (when the same sequence number is received a plurality of times), a replay attack is prevented by recording the determination result as an event log.
Further, the step of checking the value of the HMAC-SHA1 value 303 prevents spoofing attacks by malicious software or the like.

With the above configuration, the agent operation monitoring unit 103 can reliably confirm that the agent program 107 maintains normal operation by eliminating impersonation or replay attacks by malicious software or the like.
Further, when an impersonation or replay attack attempt is detected, the fact can be recorded in the inspection record storage unit 104.
Further, by having the watchdog timer, when the operation of the agent program 107 is interrupted, the fact can be recorded in the inspection record storage unit 104.

<Recording of inspection information>
Next, details of the processing of S1203 shown in FIG. 12 will be described.
The agent program 107 instructs the inspection record storage unit 104 to record various event logs and security inspection results as means for confirming the security countermeasure status of the terminal PC 1 in accordance with the operation management policy.
The event log and security inspection result referred to in this system are data in which an event that has occurred is recorded along with the date and time, as in a general quarantine network system.
The security inspection result is data in which the evaluation result for each inspection item (for example, OS version, anti-virus software operating state, detection pattern file version, etc.) is recorded, and is overwritten with the latest inspection result for each inspection item. It is.
The inspection record storage unit 104 records the data in the form illustrated in FIG.
The interface for instructing data creation / deletion / update from the OS 106 is limited to the method described in this section, thereby preventing arbitrary addition / deletion / update of a record by a malicious program or the like. That is, limiting the interface prevents other programs from impersonating the agent program 107.
FIG. 7 shows a format of an event log recording request that the agent program 107 makes to the inspection record storage unit 104, and FIG. 8 shows a format of a security inspection result recording request.
Each recording request includes a sequence number that is initialized to 0 immediately after starting the agent program and incremented by 1 for each request, and an HMAC-SHA1 value created using the agent key.
9 to 11 show the operation of the inspection record storage unit 104. FIG.

When the terminal PC1 is turned on, the inspection record storage unit 104 initializes the agent key and the next expected sequence number to be empty and register values to 0 (S801). In addition, when receiving the agent key notification, the inspection record storage unit 104 sets the register value to the notification content and the next expected sequence number to 0 (S802).
When receiving an event log recording request from the agent, the inspection record storage unit 104 confirms the validity of the request by first confirming whether the sequence number is as expected and then the HMAC-SHA1 value is as expected. (S803, S804). If it is valid, a recording date and time is added to the requested event log, and it is added to the event log storage area, and the next expected sequence number is incremented by 1 (S805).
As a mounting method, for example, it is desirable to prevent falsification of the recording date and time by using a clock (internal clock) unique to the inspection control device 101 for the recording date and time.
When receiving a security inspection result record request from the agent program 107, the inspection record storage unit 104 first determines whether the sequence number is as expected, and then whether the HMAC-SHA1 value is as expected, as in the event log. The validity of the request is confirmed by confirming (S807, S808).
If it is valid, the inspection record storage unit 104 gives a recording date and time to the requested inspection item, and overwrites and records the inspection result in the storage area of each inspection item (S809).

With the above-described configuration, it is possible to eliminate impersonation and replay attacks by the inspection record storage unit 104, malicious software, and the like, and according to the event log recording request or security inspection result recording request from the authentic agent program 107, the event log and security inspection result Records can be recorded reliably.
For example, as a result of analyzing the update status of the sequence number (identifier) included in the received event log or security inspection result recording request, the inspection record storage unit 104 has already received the received event log or security inspection result recording request in the past. When it is determined that the event log or the security inspection result recording request is retransmitted (when the same sequence number is received a plurality of times), a replay attack can be prevented by recording the determination result as an event log.

Further, when impersonation or a replay attack attempt is detected, a procedure for recording the fact in the inspection record storage unit 104 may be added (S806, S810).
Thereby, it is possible to know at the time of a later inspection report that there has been an attempt of impersonation or a replay attack.

<Report of inspection>
Next, details of the processing of S1204 shown in FIG. 12 will be described.
In the step (S204 to S205 in FIG. 2) in which the terminal PC1 generates a test report and transmits a connection request including the test report to the quarantine gateway 3, the agent program 107 of this system sends a test report to the test report generation unit 105. Request to generate inspection report.
The inspection report generation unit 105 acquires an event log and inspection result record from the inspection record storage unit 104 to generate an inspection report, and uses the terminal-specific secret key 110 concealed in the inspection control device 101 to generate a digital signature. Is returned to the agent program 107.
The agent program 107 transmits the inspection report generated by the inspection report generation unit 105 to the inspection server 2 via the quarantine gateway 3.
In the confirmation procedure in the inspection server 2, it is confirmed that the inspection report is authentic by verifying the digital signature of the inspection report using the public key of the terminal PC1.

  With the above configuration, the event log, the inspection result record, and the terminal-specific secret key 110 are all stored in the inspection control device 101 in a form protected from malicious software on the OS 106. Therefore, the terminal PC1 It is possible to prevent malicious user operations and false test reports by malicious software.

As described above, the present embodiment has described the mobile PC monitoring system including the terminal PC and the quarantine server, and the terminal PC includes the following means.
(A) An agent program that runs on the OS of the terminal PC, performs an event log and security inspection, and reports an inspection report to a quarantine server;
(B) an inspection control device that is a hardware module that is built in or connected to the terminal PC and that includes the following means (c) to (f);
(C) Stores a load module of the agent program, responds to an agent program load request from the terminal OS or software on the terminal OS with a load image in which an agent key is embedded in the load module, and at least the following means ( d) Agent program storage means for notifying the agent key to (e);
(D) means for confirming that the operation of the agent is continued by receiving a heartbeat notification from the agent program, and the agent key is used for the heartbeat notification from the agent program; Agent operation monitoring means for confirming the heartbeat notification from the authentic agent program by performing message authentication;
(E) means for receiving a recording request such as an event log or a security inspection record from the agent program, and storing the contents thereof, and performing message authentication using the agent key for the request; Inspection record storage means for confirming that the record request is from a genuine agent program;
(F) Means for receiving a test report generation request from the agent program and responding to the test report information to be transmitted to the quarantine server, and the test report information to be responded includes a terminal concealed in the test control device Inspection report generation means for attaching message authentication information for verification by the quarantine server using a unique key.

  In the present embodiment, the processing request issued to each means (d), (e), and (f) by the agent program includes a sequence number that is updated at each request, and the processing request is received. It has been explained that each means confirms that it is not a retransmission of a processing request already received in the past by confirming that the sequence numbers are generated in the expected order.

  In the present embodiment, the inspection control device includes an internal clock, and the inspection record storage means receives the event log recording request and the security inspection record recording request and records them in the internal clock. Based on this, it has been explained that the event log generation time and the security inspection record inspection time are recorded.

  In the present embodiment, at least one of the agent operation monitoring unit and the inspection record storage unit may fail when message authentication fails for a received recording request or a heartbeat notification such as an event log or a security inspection record. The fact that the fact of the occurrence is recorded as an event log in the inspection record storage means has been explained.

  In this embodiment, at least one of the agent operation monitoring unit and the inspection record storage unit expects a sequence of sequence numbers given to a recording request such as a received event log or security inspection record or a heartbeat notification. It has been explained that when a system is inspected and a recording request or heartbeat notification that does not meet the expected value is received, the fact of the occurrence is recorded in the inspection record storage means as an event log.

Finally, a hardware configuration example of the terminal PC1 shown in the first embodiment will be described.
FIG. 14 is a diagram illustrating an example of hardware resources of the terminal PC1 illustrated in the first embodiment.
Note that the configuration of FIG. 14 is merely an example of the hardware configuration of the terminal PC1, and the hardware configuration of the terminal PC1 is not limited to the configuration illustrated in FIG. 14, but may be other configurations.

In FIG. 14, the terminal PC1 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, a processing unit, a microprocessor, a microcomputer, and a processor) that executes a program. The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices. Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.

The communication board 915 is connected to the intra-organization network 4 as shown in FIG. In addition, the communication board 915 may be connected to, for example, a LAN (local area network) other than the intra-organization network 4, the Internet, a WAN (wide area network), or the like.
The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. A program of the program group 923 (for example, the agent program 107) is executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 stores programs that execute the functions described as “˜unit” and “˜means” in the description of the first embodiment. The program is read and executed by the CPU 911.
As described above, at least the agent key generation processing in the agent program storage unit 102, the agent program and agent key transmission processing to the OS 106 (921), the agent key transmission processing to the message authentication unit 108, the message authentication unit 108 The message (heartbeat notification, event log, and security inspection result notification) authentication process in the agent operation monitoring unit 103 and the inspection record storage unit 104 can be realized by a program.
The CPU 911 reads out and executes an agent key generation process, an agent program to the OS 106 (921) and an agent key transmission process, an agent key transmission process to the message authentication unit 108, and a message authentication process.

In the file group 924, in the description of the first embodiment, “determination of”, “calculation of”, “comparison of”, “evaluation of”, “update of”, “setting of”, Information, data, signal values, variable values, and parameters indicating the results of the processing described as “registering” are stored as items of “˜file” and “˜database”.
The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, the arrows in the flowchart described in the first embodiment mainly indicate input and output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic disk device. It is recorded on a recording medium such as a 920 magnetic disk, other optical disks, minidisks, and DVDs. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In the description of the first embodiment, what is described as “to part” and “to means” may be “to circuit”, “to device”, and “to device”. It may be “step”, “˜procedure”, “˜processing”. That is, what is described as “˜unit” and “˜means” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, only hardware such as elements, devices, substrates, wirings, etc., or a combination of software and hardware, and further a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” and “to means” in the first embodiment. Alternatively, the procedure and method of “˜unit” and “˜means” of the first embodiment are executed by a computer.

  As described above, the terminal PC1 shown in the first embodiment includes a CPU as a processing device, a memory as a storage device, a magnetic disk, etc., a keyboard as an input device, a mouse, a communication board, and a display device as an output device, a communication board, and the like. It is a computer, and implement | achieves the function shown as "to part" and "to means" as mentioned above using these processing apparatuses, a memory | storage device, an input device, and an output device.

1 is a diagram illustrating a configuration example of a mobile PC monitoring system according to Embodiment 1. FIG. FIG. 3 is a sequence diagram illustrating an example of an operation procedure in the mobile PC monitoring system according to the first embodiment. FIG. 5 is a diagram showing a format example of a heartbeat notification according to the first embodiment. FIG. 3 is a flowchart showing an operation example of an agent operation monitoring unit according to the first embodiment. FIG. 3 is a flowchart showing an operation example of an agent operation monitoring unit according to the first embodiment. FIG. 4 is a diagram illustrating an example of a recording format of an inspection record storage unit according to the first embodiment. FIG. 4 is a diagram showing a format example of an event recording request according to the first embodiment. FIG. 4 is a diagram showing a format example of a security inspection result recording request according to the first embodiment. FIG. 5 is a flowchart showing an operation example of an inspection record storage unit according to the first embodiment. FIG. 5 is a flowchart showing an operation example of an inspection record storage unit according to the first embodiment. FIG. 5 is a flowchart showing an operation example of an inspection record storage unit according to the first embodiment. FIG. 3 is a flowchart showing an operation example of the terminal PC according to the first embodiment. FIG. 6 is a diagram illustrating an operation example of an agent program storage unit according to the first embodiment. FIG. 3 is a diagram illustrating a hardware configuration example of a terminal PC according to the first embodiment.

Explanation of symbols

  1 terminal PC, 2 inspection server, 3 quarantine gateway, 4 organization network, 101 inspection control device, 102 agent program storage unit, 103 agent operation monitoring unit, 104 inspection record storage unit, 105 inspection report generation unit, 106 OS, 107 Agent program, 108 message authentication unit, 110 private key.

Claims (8)

An information processing apparatus having an OS (Operating System),
An agent program storage section that stores an agent program that operates on the OS and transmits a message, and that transmits an agent key used for message authentication and the agent program to the OS;
The agent program that acquires the agent key from the agent program storage unit and authenticates the received message using the agent key when the message is received, and the received message is operating on the OS An information processing apparatus comprising: a message authentication unit that determines whether the message is a message transmitted from The message authentication unit
When the heartbeat notification is received as the message and the heartbeat notification is received, the received heartbeat notification is authenticated using the agent key, and the received heartbeat notification is operating on the OS. An agent operation monitoring unit for determining whether or not the heartbeat notification is transmitted from the agent program;
When at least one of the event log and the security inspection result notification is received as the message and the event log or the security inspection result notification is received, the received event log or the security inspection result notification is authenticated using the agent key. And / or an inspection record storage unit that determines whether the received event log or security inspection result notification is an event log or security inspection result notification transmitted from the agent program operating on the OS. The information processing apparatus according to claim 1, further comprising: The message authentication unit
Whether a received message is a retransmission of a message already received in the past by receiving a message containing an identifier that is updated with a certain regularity for each message, analyzing the update status of the identifier included in the received message The information processing apparatus according to claim 1, wherein the information processing apparatus determines whether or not. The information processing apparatus includes:
Including a built-in clock,
The inspection record storage unit
4. The information processing according to claim 2, wherein the received event log or security inspection result notification is recorded, and the recording time of the received event log or security inspection result notification is recorded according to the time of the built-in clock. apparatus. The message authentication unit
The determination result is recorded as an event log when it is determined that the received message is not a message transmitted from the agent program operating on the OS as a result of the message authentication. Information processing apparatus in any one of -4. The message authentication unit
The analysis result of the update status of the identifier included in the received message results in that the determination result is recorded as an event log when it is determined that the received message is a retransmission of a message already received in the past. Item 4. The information processing device according to Item 3. Agent program transmission step in which an agent program storage unit that stores an agent program that operates on an OS (Operating System) and transmits a message transmits an agent key used for message authentication and the agent program to the OS When,
When the message authentication unit obtains the agent key from the agent program storage unit and receives the message, the message authentication unit authenticates the received message using the agent key, and the received message operates on the OS. A message authentication step of determining whether or not the message is transmitted from the agent program. Agent program transmission processing in which an agent program storage unit that stores an agent program that operates on an OS (Operating System) and transmits a message transmits an agent key used for message authentication and the agent program to the OS When,
When the message authentication unit obtains the agent key from the agent program storage unit and receives the message, the message authentication unit authenticates the received message using the agent key, and the received message operates on the OS. A program for causing a computer to execute message authentication processing for determining whether or not the message is transmitted from the agent program.

Images