JP2009053896A - Unauthorized operation detector and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an unauthorized use detector and a program, capable of detecting an unauthorized use for a document. <P>SOLUTION: A document operation history storage server 200 manages operation histories, and an unauthorized operation detection server 100 performs, when a document operation is performed by a client PC 300 or a composite machine 400, processing for detecting an unauthorized operation using the operation histories managed by the document operation history storage server 200. The unauthorized operation detection server 100 generates user groups of users involved in a document of an operation object, associates a high-frequency user group having a high frequency of involvement in the document of the generated user groups with the document, and detects an unauthorized operation when a user who operates the document does not belong to the high-frequency user group. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an unauthorized operation detection device and a program.

  Various security technologies are used to prevent leakage of handling documents, customer personal information, and confidential information in the company to the outside. There are methods of encrypting the target information so that it cannot be referred to even when it is leaked to a third party, or access is restricted so that only a specific user can access it.

  Among them, when a user operates a document using a computer, the operation history is registered, and the operation is monitored from the operation history to prevent information leakage, or in the unlikely event that information leakage occurs There is a technology to identify the information leaked in to minimize the damage.

The prior art disclosed in Patent Document 1 stores an evaluation value calculated by analyzing the contents of access data from an external network as statistical distribution data, and distinguishes a value range determined to be normal and a value range determined to be abnormal. Calculate the threshold. This is a technique for notifying an access pattern that is evaluated as a value in the vicinity of the threshold value even when it is determined to be normal as well as a value range that is determined to be abnormal as a high possibility of unknown unauthorized access.
JP-A-2005-85157

  SUMMARY OF THE INVENTION An object of the present invention is to provide an unauthorized operation detection device and a program capable of detecting an unauthorized operation on a document.

  In order to achieve the above object, the invention of claim 1 is directed to an operation history management unit that manages an operation history of an operation performed on a document, and an operation on the document from an operation history managed by the operation history management unit. Generating means for determining a determination condition related to the operation history for determining that the operation is an unauthorized operation, and when the operation on the document corresponds to the determination condition generated by the generating means, And an unauthorized operation detecting means for detecting.

  The invention according to claim 2 is the invention according to claim 1, wherein the generation unit is configured to combine an operator set consisting of operators of one or a plurality of documents managed by the operation history management unit into a combination of a plurality of documents. An operator set creating means created corresponding to the operator set, and an operator set having an appearance frequency equal to or higher than a predetermined value for a plurality of operator sets created by the operator set creating means. A setting unit configured to set as a high-frequency operator set operated at a frequency, and the unauthorized operation detection unit is not included in the high-frequency operator set set by the setting unit Further, the present invention is characterized in that an operation on the corresponding document by the operator is detected as an unauthorized operation.

  The invention according to claim 3 is the invention according to claim 2, wherein the unauthorized operation detection means includes the operator set created by the operator set creation means and the high-frequency operator set by the setting means. A similarity calculating means for calculating the similarity to the set, and when the similarity calculated by the similarity calculating means is equal to or less than a predetermined value specified in advance, an operation on the corresponding document by the operator can be performed by an unauthorized operation; It is characterized in that it is detected.

  According to a fourth aspect of the present invention, in the third aspect of the invention, the similarity calculation means is configured to calculate a smaller one of the number of operators belonging to the operator set and the number of operators belonging to the frequent operator set. The similarity is calculated by dividing the logical product of the number of operators belonging to the operator set and the number of operators belonging to the high-frequency operator set by the number of operators.

  According to a fifth aspect of the present invention, in the first aspect of the invention, the generation unit arranges the operation histories of the documents managed by the operation history management unit in time series, and is commonly used for the operation histories of the documents. An extraction unit that extracts an operation pattern to be generated; and a state transition probability calculation unit that calculates a transition probability of a document state based on the operation pattern extracted by the extraction unit. The unauthorized operation detection unit includes the transition probability. It is specified from the transition probability calculated by the state transition probability calculating means, and when the transition probability is equal to or less than a predetermined value specified in advance, the operation is detected as an unauthorized operation.

  The invention according to claim 6 is the operator according to claim 5, wherein the state transition probability calculating means creates an operator set from operators specified by the operation history of the operation pattern extracted by the extracting means. A set creation means and initial state probability data are assigned to the operation pattern created by the operator set created by the operator set creation means, and a state transition probability is calculated by maximum likelihood estimation calculation.

  The invention of claim 7 is characterized in that, in any one of the inventions of claims 1 to 6, further comprising a notifying means for notifying an administrator of an unauthorized operation detected by the unauthorized operation detecting means. .

  The invention according to claim 8 is an operation history management means for managing an operation history of an operation performed on a document, and an operation on the document is illegally operated from an operation history managed by the operation history management means. Generating means for generating a determination condition relating to the operation history for determining that the operation history is an illegal operation for detecting the operation as an illegal operation when an operation on the document corresponds to the determination condition generated by the generating means It is made to function as a detection means.

  According to the first aspect of the present invention, it is possible to detect an illegal operation on a document using information that is dynamically changed by the document operation.

  According to the second aspect of the present invention, there is an effect that an operation by an operator other than the operators belonging to the high-frequency user group having a high frequency of document operations can be an unauthorized operation.

  According to the third aspect of the present invention, the fraudulent operation can be detected because the high-frequency user group set in the operation target document is not similar to the user group to which the user operating the document belongs. Play.

According to claim 4, it is possible to calculate the similarity between user groups. According to claim 5, the document state in which the document operation is performed from the document state before the document operation is performed. There is an effect that it becomes possible to detect an unauthorized operation by the transition probability to.

  Further, according to the sixth aspect, it is possible to detect an unauthorized operation with a more accurate transition probability.

  Further, according to the seventh aspect, there is an effect that an administrator can confirm it by detecting an unauthorized operation.

  According to the eighth aspect of the invention, it is possible to detect an unauthorized operation on a document using information that is dynamically changed by the document operation.

  Hereinafter, an embodiment of an unauthorized operation detection device and program according to the present invention will be described in detail with reference to the accompanying drawings.

  FIG. 1 is an example of a system configuration diagram of an unauthorized operation detection system configured by applying an unauthorized operation detection device and a program according to an embodiment of the present invention.

  In FIG. 1, the unauthorized operation detection system includes a document operation history storage server 100, an unauthorized operation detection server 200, a client PC 300, and a multifunction peripheral 400, and uses an operation history stored by the document operation history storage server 100. This is a system for detecting an unauthorized operation performed on a document. It should be noted that the unauthorized operation shown below includes an operation that is highly likely to be an unauthorized operation, and also includes an illegal operation shown below. That is, an unauthorized operation and an operation that is likely to be an unauthorized operation are detected as an unauthorized operation.

  The client PC 300 and the MFP 400 are examples of terminals that operate documents, and the client PC 300 can perform operations such as “view”, “reference”, “change document name”, and “print request” on the document. Yes, the multifunction device 400 can perform operations such as “document reading”, “print output”, “copy (copy)”, and “facsimile transmission”.

  In the unauthorized operation detection system, the operation history stored in the document operation history storage server 100 is stored for each operation target document, and is recorded by operating the document using the client PC 300 or the multifunction machine 400. In each operation history, operation contents, operation date / time, operator, source document information, and the like are associated with a document ID for identifying a document.

  This operation source document information is information for identifying the operation source document, and the operation source document and a document generated after operating the document (post-operation document) have a mutual relationship.

  An example of the operation history managed by the document operation history storage server 100 will be described below with reference to FIG.

  FIG. 2 is a diagram showing a processing procedure for generating an operation history of a document used in the unauthorized operation detection system according to the embodiment of the present invention.

  FIG. 2A shows a processing procedure for creating an operation history of a document named “sample.foo” created using the foo application installed in the client PC 300.

  An operation value (hash value) is calculated by applying an operation expression such as a hash function to the document “sample.foo”. An example of the hash function is “SHA-256”, and identification information (hereinafter referred to as “document hash value”) calculated by applying the hash function “SHA-256” is “bodyhash”. This information identifies the state of the content itself. That is, a new hash value different from that of the document before update is calculated by updating the content of the document.

  When the document hash value “bodyhash” for the document is calculated in this way, the document is subsequently bound, and an operation history in XML (Extensible Markup Language) format including the calculated document hash value “bodyhash” is created. . An example of this operation history is shown below.

  A line number used for explanation is shown at the left end of each step of the operation history shown below.

01 <doc>
02 <body> bodyhash </ body>
03 <base></base>
04 <info>
05 <user> user_A </ user>
06 <time> time_A </ time>
07 <method> New </ method>
08 </ info>
09 </ doc>
This operation history is information in XML format surrounded by the <doc> tag on the 01st line to the </ doc> tag on the 09th line. The document hash value “bodyhash” calculated by applying a hash function to the document is specified as the element of the <body> tag described on the 02st line, and is described below as the element of the <base> tag on the 03rd line. The value of “did” calculated by performing the arithmetic processing is specified.

  This value “did” is information calculated from the operation history information of the document from which the document hash value “bodyhash”, which is an element of the <body> tag described in the 02st line, is calculated. Information used to establish a correlation with the document after the operation.

  In addition, in the <user> tag element on the 05th line provided in the <info> tag from the 04th line to the 08th line, "user_A" that is the information of the user who operated the document is specified, and the 06th line “Time_A”, which is time information, is specified in the <time> tag element of the eye, and information indicating the type of operation performed on the document is specified in the <method> tag element on the 07th line. .

  By the way, as an element specified in the <method> tag on the 07th line, “New creation” indicating that a new operation history has been created, updating and editing of a document in a state where the operation history is managed, etc. "Edited" indicating that the operation was performed, "not modified" indicating that the document was browsed / viewed, and that a print operation was performed on the document For example, “printed”.

  In the XML example shown above, “new creation” indicating that a new operation history for a document has been created is specified as an element of the <method> tag. ", The element of the <base> tag is" (blank) ". This is because the element of the <base> tag is a document hash value calculated by applying a hash value to an already created operation history.

  In this way, operation history information in the XML format as described above is newly created and stored in the document operation history storage server 100.

  Although not shown in the above example, the device and location operated by the user can be stored as operation history as information indicating the type of operation. In this case, a MAC address, an IP address, or the like can be used as information for specifying the device. Also, as information indicating the location, information on the location where the device is installed is stored in advance in association with information identifying the device, so that the location information corresponding to the device is read and used as a history. If the device has a global positioning system reception function, it is also possible to acquire position information during operation of the device and use it as a history.

  Next, FIG. 2B shows an editing operation for changing or updating the document content of the document “sample.foo” storing the operation history in the XML format as shown in FIG. The procedure of the process of creating the operation history of the document by performing is shown.

  First, a hash function “bodyhash2” is calculated by applying a hash function such as “SHA-256” to the document “sample.foo”. Since the operation content performed by the client PC 300 is an editing operation, the calculated document hash value “bodyhash2” is a new hash value different from the document hash value “bodyhash” before the editing operation, and has the following XML format: Create an operation history for.

01 <doc>
02 <body> bodyhash2 </ body>
03 <base> did </ base>
04 <info>
05 <user> user_A </ user>
06 <time> time_B </ time>
07 <method> Edit </ method>
08 </ info>
09 </ doc>
“Did”, which is an element in the <base> tag on line 03 of this operation history information, is a hash value calculated by applying a hash function to the operation history before the document editing operation. In addition, “time_B” that is an element in the <time> tag on the 06th line indicates the time when the operation history was created, and editing operation is specified by specifying “edit” as an element in the <method> tag on the 07th line. Indicates that

  As a result, an operation history in the XML format is created, and the interrelationship between the operation histories is associated with the elements of the <base> tag. This operation history is also stored in the document operation history storage server 100. Incidentally, the element of the <base> tag of this operation history indicates the operation source document information.

  FIG. 3 shows the relationship between the operation histories created in this way as a tree structure.

  FIG. 3 is a diagram showing an operation history for a document in a tree structure. The tree structure shown in FIG. 3 has a structure in which eight operation histories (operation history 31 to operation history 38) created by performing eight operations on the root document have a mutual relationship. .

  An “operation history 31” and an “operation history 38” are created by performing a browsing operation and an editing operation on a document in which a document is newly created and an operation history is newly created. Further, the “operation history 32” is created by performing a browsing operation on the document for which the “operation history 31” is created. In this way, an operation history is created for each operation.

  Note that the operation history shown in FIG. 3 shows an example when the operation shown in the operation history 38 is detected as an unauthorized operation. That is, a case where an unauthorized operation is detected by the unauthorized operation detection process described below is shown.

  An unauthorized operation detection process is performed using the operation history as described above.

  FIG. 4 is a schematic explanatory diagram for explaining an outline of processing of the unauthorized operation detection system according to the embodiment of the present invention.

  In the unauthorized operation detection system of the present invention, the operation history storage server 100 stores the operation history as described above (401), and the operation history stored in the operation history storage server 100 is used to operate the unauthorized operation detection server 200. Generates a dynamic model (402). Then, the unauthorized operation detection server 200 detects this when the operation executed by using the generated dynamic model is an unauthorized operation (403).

  This dynamic model is a group of information that is dynamically generated using an operation history created by performing a predetermined operation on a document. An example of this dynamic model is described in the following first embodiment. And in Example 2.

  In the first embodiment, a process of dynamically creating a user group composed of users involved in document operations and detecting an unauthorized operation using the user group will be described. In the second embodiment, a process of dynamically creating a probabilistic relationship between users who have operated a document and detecting an unauthorized operation from the probabilistic relationship between the users will be described.

  That is, the present unauthorized operation detection system creates a dynamic model from the operation history, and detects unauthorized operations by using the created dynamic model.

  The first embodiment shows a process of grouping one or a plurality of users who have operated a document into the same group, and detecting an unauthorized operation using the user group.

  FIG. 5 is a system configuration diagram showing a detailed configuration of the unauthorized operation detection system in the embodiment of the present invention.

  In FIG. 5, the unauthorized operation detection system includes a user operation detection unit 10, a context detection unit 11, an operation history storage unit 12, an operation history creation unit 13, an unauthorized operation detection unit 14, a process execution unit 15, an analysis result holding unit 16, An operation history analysis unit 17 is provided.

  Taking the system configuration diagram shown in FIG. 1 as an example, the client PC 300 realizes the functions in the user operation detection unit 10 and the context detection unit 11, and the document operation history storage server 200 in the operation history storage unit 12 and the operation history creation unit 13. The example which implement | achieves a function and the unauthorized operation detection server 100 implement | achieves the function in the unauthorized operation detection part 14, the process execution part 15, the analysis result holding | maintenance part 16, and the operation history analysis part 17 is shown.

  The operation history storage unit 12 stores the operation history as described above, and the operation history is information that is referred to during the unauthorized operation detection process by the unauthorized operation detection unit 14.

  When a user performs a predetermined operation such as “view / edit / print request / file name change” on a document using a UI (User Interface), the user operation detection unit 10 identifies the user who is an operator. Then, the contents of the operation performed on the document by the user to be operated are detected.

  The user who is an operator is in an authenticated state by communication with an authentication server (not shown) before operating the document, and the user operation detecting unit 10 selects the user by the user ID included in the authenticated user information. Identify.

  In this user operation detection unit 10, a monitoring mechanism for detecting a document operation is in operation, and when a user operation is detected, the monitoring mechanism notifies the operation history creation unit 13 and the unauthorized operation detection unit 14 accordingly. In addition, predetermined information is transmitted.

  When the user operation detection unit 10 detects an operation on a document, the operation history creation unit 13 is instructed to create an operation history. The operation history creation unit 13 that has received the creation instruction creates an operation history as described above and stores the operation history in the operation history storage unit 12.

  In addition, when the user operation detection unit 10 detects an operation on a document, the unauthorized operation detection unit 14 performs a process of detecting the operation when the operation is an unauthorized operation. The processing performed by the unauthorized operation detection unit 14 will be described in detail below with reference to FIGS.

  When the unauthorized operation detection unit 14 detects an unauthorized operation, it requests the process execution unit 15 to execute a process when an unauthorized operation is detected, and notifies the operation history creation unit 13 of the request. At this time, the operation history creation unit 13 receives the notification that the operation detected by the user operation detection unit 10 is an illegal operation, and the operation history is stored in the operation history for the operation stored in the operation history storage unit 12. Records that is an illegal operation.

  In addition, as an unauthorized operation process performed by the process execution unit 15 when the unauthorized operation detection unit 14 detects an unauthorized operation, for example, a warning that an unauthorized operation is being performed to the user who performed the operation A screen for performing the operation is displayed, and a process of notifying a monitoring person or an administrator that an unauthorized operation has been performed is performed. In the latter case, a screen as shown in FIG. 3 is displayed on the operation terminal of the supervisor or administrator.

  FIG. 3 shows a screen in a state where the operation indicated by the operation history 38 is detected as an unauthorized operation, and the state indicated by “× (X)” in the operation history 38 detected as an unauthorized operation. Is shown.

  As a result, the supervisor or administrator grasps the operation for the operation history and performs crisis management. In this crisis management, the supervisor or the administrator requests the operation analysis unit 17 to analyze the operation history of the operation detected as the unauthorized operation. The operation analysis unit 17 analyzes the operation history of the illegal operation stored in the operation history storage unit 12 and the detected operation, and discloses details of the operation history to the monitor and the administrator.

  Further, the analysis result of the operation history by the operation history analysis unit 17 is held by the analysis result holding unit 16.

  In this way, an unauthorized operation is detected.

  The details of the processing ((1) to (3)) for detecting an unauthorized operation on the document by the unauthorized operation detecting unit 14 shown in FIG. 5 will be described below.

  The unauthorized operation detection unit 14 detects an unauthorized operation of a document using a set of operation histories stored in the operation history storage unit 12 (hereinafter referred to as “operation history set”). As described above, the operation history is stored for each document, and an unauthorized operation on the document is detected by performing the following processing on the operation history of the operation target document.

  First, (1) a plurality of arbitrary documents are extracted from documents storing operation histories, and a process of forming a user group by calculating a logical product of users related to these documents is performed. If the above condition is satisfied, the user group is further registered in the high-frequency user group.

  This high-frequency user group indicates a group of users who are frequently involved in a certain document.

  Next, in the state where the user group is created, (2) detection processing for detecting an illegal operation on the document is performed. This detection process is composed of the following two processes. The first process is (2-1) when the user who operates the document is a user who does not belong to the high-frequency user group associated with the document. The operation is detected as an unauthorized operation. The second process is (2-2) the similarity between the user group to which the user who operates the document belongs and the high-frequency user group associated with the document. This is a process of calculating the degree and detecting the operation as an illegal operation when the degree of similarity does not exceed a certain value.

  The configuration may be such that an unauthorized operation is detected by executing these two search processes simultaneously, or the configuration may be such that an unauthorized operation is detected by executing only one of them. Good.

  Independent of the two processes ((1) and (2) above), (3) when a new document operation occurs, the user group to which the user who performed the document operation belongs is selected. Re-form the process. In this process, a logical sum of a user who operates the document and a user of a user group created from the document is calculated, and a new user group is formed for the operated document. Further, it is determined whether the user group created by calculating the logical product of the user of the newly created user group and the user of the high-frequency user group associated with the document satisfies a predetermined condition specified in advance. If the condition is satisfied, the user group is registered in the high-frequency user group and associated with the document.

  Details of the unauthorized operation detection process performed by the unauthorized operation detection unit 14 shown in FIG. 5 will be described below in detail with reference to FIGS.

  First, “(1) a process of creating a user group and associating with a document when the user group is a high-frequency user group by satisfying a predetermined condition” will be described with reference to FIGS.

  FIG. 6 shows details of processing for creating a user group of a user who has operated a document and registering it as a high-frequency user group when the user group satisfies a predetermined condition. The left end of FIG. 6 shows a line number used for explanation.

  In FIG. 6, from the 01st line to the 07th line, an arbitrary plurality of documents whose operation histories are included in the operation history set stored in the document operation history storage server 200 shown in FIG. 1 (in the example shown in FIG. 6). For two documents (document 1 (aDoc1) and document 2 (aDoc2)), the user who operated these documents (the user who operated document 1 (aDoc1.users), the user who operated document 2 (aDoc2.users) )) Is calculated, and the frequency level (aUG.occurrence) involved in the document set for the user group represented by this set product (aUG) is increased by one level. The level (aUG.occurrence) is set in the user group, and the user group represented by the set product (aUG) is registered in one of the existing user groups.

  This set product (aUG) of users indicates a group of participants involved in the document and indicates a user group.

  The 08th line shows a process for calling a registered high-frequency user group.

  From the 09th line to the 11th line, it is determined whether the level of participation frequency (aUG.occurrence) associated with the user group in the previous process is greater than or equal to a certain value (MIN_SUPPORT) specified in advance. If it is determined that the user group (aUG) is registered in the high-frequency user group, the process is shown.

  FIG. 7 shows details of processing for associating the user group belonging to the high-frequency user group with the operation target document. Similarly in FIG. 7, the left end shows a row number for use in the description.

  In FIG. 7, it is determined whether there is a high-frequency user group (aFUG) that includes a set of users (doc.users) involved in the operation target document, and the high-frequency user group (aFUG) exists. The process of associating the high-frequency user group with the document is shown.

  By this processing, a high-frequency user group is associated with the document, which indicates that a user belonging to the high-frequency user group is operating the document with high frequency.

  Next, “(2) detection processing for detecting an illegal operation on a document” will be described with reference to FIGS.

  FIG. 8 shows details of “(2-1) Processing for detecting an illegal operation when a document operation is performed by a user who does not belong to the high-frequency user group”. Similarly, FIG. 8 shows a line number for use in the description at the left end.

  In FIG. 8, when an operation is performed on a document, it is determined whether the user of the document belongs to a high-frequency user group associated with the document. If it is determined by this determination that the user of the document does not belong to the high-frequency user group, the operation by the user is detected as an unauthorized operation (“Abnormal”).

  Of course, when the operator of the document belongs to the high-frequency user group, it can be determined that the user is one of the users who frequently operate the document, so that it is not detected as an unauthorized operation ("Normal").

  Even if the document operator belongs to the high-frequency user group, based on the time zone when the document operation was performed, the device used for the operation, the location where the operation was performed, and combinations thereof, It is also possible to set to detect unauthorized operations. In this case, it is possible to detect unauthorized operations by analyzing the operation history and setting thresholds for determining whether each group is operated illegally for each time zone, device, and location. Is possible.

  FIG. 9 shows the details of “(2-2) Processing for detecting unauthorized operation based on similarity between user groups”. Similarly, FIG. 9 also shows a line number used for explanation at the left end.

  In FIG. 9, when an operation is performed on a document, how similar the user group (aFUG) to which the user who performed the operation belongs and the high-frequency user group (aDFUG) associated with the document are similar. The similarity (Sim) is calculated in order to determine whether or not it is. If the similarity (Sim) is greater than or equal to a certain value (MIN_SIM) specified in advance, that is, if it is determined that both user groups are similar, it is illegal as an operation by a user belonging to a similar user group It is not detected as an operation ("Normal").

  On the other hand, when the similarity (Sim) is smaller than a predetermined value (MIN_SIM), that is, when it is determined that the two user groups are not similar, the operation by the user is an unauthorized operation. Detect ("Abnormal").

  This similarity (Sim) is calculated by the arithmetic expression shown in FIG.

  FIG. 10 is an arithmetic expression for calculating the similarity (Sim) between user groups.

  “A” and “b” shown in FIG. 10 indicate each user group for calculating the similarity. In the example shown in FIG. 9, “a” indicates the user group “aFUG” to which the user belongs, and “b” indicates the document. The high-frequency user group “aDFUG” associated with is shown.

  The numerator of the arithmetic expression for calculating the similarity (Sim) represents the numerical value of the product of the number of users of the user group “a” and the number of users of the user group “b”. The denominator includes the user group “a ”Represents the smaller value of the number of users of the user group“ b ”and the number of users of the user group“ b ”, and the calculated value is the similarity (Sim).

  FIG. 11 is a process performed independently of the processes shown in FIGS. 6 to 10, and “(3) When a new document operation occurs, the user to which the user who performed the document operation belongs. The details of “the process of re-forming a group” are shown. Similarly, FIG. 11 also shows a line number used for explanation at the left end.

  The 01st line shows a process of adding a user (user) who operates (aOP) a document (doc) to a user group provided for the document.

  Lines 02 to 05 show the logical product of the user group ((aOP.doc) .users) to which the user who operated the document was added and the high-frequency user group (aDoc.users) associated with the document. The calculation shows a process of creating a new user group (aUG) and registering it in an existing user group.

  From line 06 to line 12, if the participation frequency level (aUG.occurrence) of the newly created user group (aUG) is greater than or equal to a certain value (MIN_SUPPORT), that user group (aUG) can be associated with the document. The processing to be added to the high-frequency user group is shown.

  In this way, an unauthorized operation is detected.

  FIG. 12 is a diagram showing an example of the data structure of the unauthorized operation detection system in the embodiment of the present invention.

  FIG. 12 shows a data structure in the document operation history storage server 200 shown in FIG. 1, and the document operation history storage server 200 has an IP address set.

  In the document operation history storage server 200 to which the IP address is set, “operation history class (1201)” and “user class (1202)” are defined. “Operation history class (1201)” is a class that defines information for managing operation history. “History ID” of String type, “user ID” of String type, “operation name” of String type, Date & Time type “Operation date and time”, “Derived source document ID” of String type, “Content ID” of String type, and “Route history ID” of String type are members.

  "User class (1202)" is a class that defines the information of the user who operates the document. String type "User ID", String type "User name", String type "User" The mail address is a member.

  That is, the document operation history storage server 200 includes an operation history information including a history ID, a user ID, an operation name, an operation date and time, a derivation source document ID, a content ID, and a route history ID, a user ID, and a user name. , It is composed of user information consisting of a user mail address.

  FIG. 13 is a diagram showing an example of the data structure of the unauthorized operation detection system in the embodiment of the present invention.

  FIG. 13 shows a data structure in the unauthorized operation detection server 100 shown in FIG. 1, and an IP address is set in the unauthorized operation detection server 100.

  Further, the “user group class” (1301) and the “document related user group class” (1303) are defined in the unauthorized operation detection server 100 to which the IP address is set. The “user group class (1301)” is a class that defines the created user group, and has a configuration in which the user group ID of the String type is a member, and the “related user group class by document (1303)” is an operation target. Is a class that defines a document type, and has a string type document ID as a member.

  Furthermore, “user class (1302)” is defined in “user group class (1301)”, and this “user class (1302)” belongs to the user group defined in “user group class (1301)”. In this configuration, the user ID of the user is a member. In addition, “high frequency user group class (1304)” is defined in “document related user group class (1303)”, and this “high frequency user group class (1304)” is “document related user group class (1304)”. 1303) ”as a member.

  That is, the unauthorized operation detection server manages one or a plurality of created user groups by the user group ID, and each user group identified by the user group ID manages the users belonging to the user group by the user ID. Yes. The document to be operated is managed by the document ID, and the user group of the high-frequency user group is managed by the user group ID for each document identified by the document ID.

  FIG. 14 is a flowchart showing a detailed processing flow of the unauthorized use detection system in the embodiment of the present invention.

  In FIG. 14, the operators involved in the document are grouped into user groups, and when the user group is a high-frequency user group, the high-frequency user group is associated with the document.

  First, an arbitrary document for storing an operation history is selected (1401), and a user group is created using the operation history of the document (1402).

  Next, a frequency indicating how much the created user group is involved in the document is calculated (1403). As a result of the calculation, if the frequency is equal to or higher than a certain value, it is determined whether the frequency is high (1404).

  If it is determined that the frequency is high (YES in 1404), the user group is associated with the document as a high frequency user group (1405). If it cannot be determined that the frequency is high (NO in 1404), the process ends.

  FIG. 15 is a flowchart showing a detailed processing flow of the unauthorized use detection system according to the embodiment of the present invention.

  In FIG. 15, an illegal operation detection process is performed using a user group created by the flow shown in FIG. 14, and the process is started when a document operation by the user is detected.

  First, when a document operation by the user is detected (YES in 1501), an unauthorized operation detection process A as shown in FIG. 17 is executed (1502), and an unauthorized operation detection process B as shown in FIG. 18 is executed (1503). ).

  Next, at least one of these unauthorized operation detection processes determines whether an unauthorized operation has been detected (1504). If an unauthorized operation is detected (YES in 1504), a warning screen is displayed to the operator. Or display a screen indicating that an unauthorized operation has been executed to the supervisor and the administrator (1505).

  If an unauthorized operation is not detected (NO in 1504), the operation is permitted.

  FIG. 15 shows a process in which an unauthorized operation detection process A as shown in FIG. 17 and an unauthorized operation detection process B as shown in FIG. 18 are executed simultaneously. As shown in FIG. It is also possible to perform processing for selecting an unauthorized operation.

  FIG. 16 is another flowchart similar to the flowchart shown in FIG. 15 and showing the detailed processing flow of the unauthorized use detection system according to the embodiment of the present invention.

  In FIG. 16, when a document operation by the user is detected (YES in 1601), one of the unauthorized operation detection processes to be executed (unauthorized operation detection process A, unauthorized operation detection process B) is selected (1602). This selection process may be configured such that any process is automatically selected from attributes related to the operation target document, such as a document name, a creation date, and a creator.

  Of course, it may be configured to execute a preset unauthorized operation detection process.

  By this selection process, it is determined whether the unauthorized operation detection process A is selected (1603). When the unauthorized operation detection process A is selected (YES in 1603), a process as shown in FIG. 17 is executed (1604). If the unauthorized operation detection process A is not selected (NO in 1603), it is subsequently determined whether the unauthorized operation detection process B is selected (1605).

  When the unauthorized operation detection process B is selected (1605 YES), a process as shown in FIG. 18 is executed (1606). If the unauthorized operation detection process B is not selected (NO in 1605), an error process indicating that no unauthorized operation detection process is selected is performed (1607).

  When any one is selected, it is determined whether an unauthorized operation is detected by the selected unauthorized operation detection process (1608), and when an unauthorized operation is detected (YES in 1608), an unauthorized operation process is executed. (1609). If no unauthorized operation is detected (NO in 1608), the document operation is permitted.

  FIG. 17 is a flowchart showing a detailed flow of “unauthorized operation detection process A” which is the first unauthorized operation detection process.

  In FIG. 17, when an operation on a document is detected, processing is started, and a user who has operated the document is specified (1701). Subsequently, it is determined whether the identified user belongs to a member of the high-frequency user group associated with the document (1702).

  If it is determined by this determination process that the user belongs to a member of the high-frequency user group (YES in 1702), “Normal” indicating that an unauthorized operation is not detected is set, and the process ends.

  On the other hand, if it is determined that the user does not belong to a member of the high-frequency user group (NO in 1702), “Abnormal” indicating that an unauthorized operation has been detected is set and the process is terminated. .

  Incidentally, whether the determination process of whether or not an unauthorized operation in step 1504 of the flowchart shown in FIG. 15 is detected and whether the unauthorized operation in step 1608 of the flowchart shown in FIG. 16 is detected is “Normal” or “Abnormal”. It is the process which judges whether it is either.

  FIG. 18 is a flowchart showing a detailed flow of “illegal operation detection process B” as the second unauthorized operation detection process.

  In FIG. 18, when an operation on a document is detected, processing is started, and a user who has operated the document is specified (1801). Subsequently, the similarity between the user group to which the identified user belongs and the high-frequency user group associated with the operation target document is calculated (1802). As this calculation method, there is a method of applying an arithmetic expression as shown in FIG.

  When the similarity is calculated, it is determined whether the calculated similarity is equal to or greater than a predetermined value (MIN_SIM) specified in advance (1803). If it is determined that the value is equal to or greater than the predetermined value (YES in 1803), it is possible to determine that the user group to which the user belongs and the high-frequency user group associated with the document are similar, and thus an unauthorized operation is detected. “Normal” indicating that the process is not performed is set (1804), and the process is terminated.

  On the other hand, if the calculated similarity is not determined to be greater than or equal to a predetermined value (MIN_SIM) specified in advance (NO in 1803), the user group to which the user belongs and the high-frequency user group associated with the document are determined. Since they are not similar, “Abnormal” indicating that an unauthorized operation has been detected is set (1805), and the process is terminated.

  The second embodiment shows a process of detecting an operation by a user deviating from the probability transition as an illegal operation by probabilistically calculating a relationship between one or a plurality of users who have operated a document. The configuration in the second embodiment is the same as the configuration shown in FIG. 1 described in the first embodiment.

  That is, in FIG. 1, the document operation history storage server 200 manages the operation history as described above, and the unauthorized operation detection server 100 detects the unauthorized operation when the document operation is performed by the client PC 300 or the multifunction device 400. Perform the process.

  At this time, the unauthorized operation detection server 100 performs the unauthorized operation detection process described below using the operation history stored in the document operation history storage server 200.

  In the second embodiment, an unauthorized operation detection process performed by the unauthorized operation detection server 100 will be described.

  The unauthorized operation detection processing performed by the unauthorized operation detection server 100 detects an operation pattern of an operation frequently performed on each document, and based on the operation pattern, determines the probability of state transition due to the operation. This is done by using quantified information. That is, when an operation whose probability represented by the operation pattern is equal to or less than a certain value is performed, this is detected as an unauthorized operation.

  When a predetermined operation is performed on a certain document (for example, “Document X”, “Document Y”, “Document Z”) by using the client PC 300 or the multifunction device 400, an operation history as shown in the first embodiment is obtained. Created for each document and stored in the operation history storage server 200.

  The unauthorized operation detection server 100 uses the operation history stored in the operation history storage server 200, so that a tree showing the relationship between operation histories as shown in FIG. 3 for each document (document X, document Y, document Z). Create a structure.

  When a tree structure is created for each document, an “order tree” is created by rearranging the documents in the order in which the operations were performed. An example of this order tree is shown in FIG. An operator is associated with each operation history node constituting the order tree of FIG. 19, and user transitions due to document operations are managed.

  The order tree shown in FIG. 19 has a tree structure in which operation histories of the documents “Document X”, “Document Y”, and “Document Z” are arranged in time series, and the order tree for “Document X” is shown in FIG. FIG. 19B shows an order tree for “document Y”, and FIG. 19C shows an order tree for “document Z”.

  First, the order tree of “document X” shown in FIG. 19A has a structure in which an operation history for “document X” is a node, and a number is assigned to distinguish each node. First, the node of the operation history X1 is an operation history indicating that the user B has operated, and this operation history X1 indicates an operation history node for “document X”.

  Further, the operation history X2 and the operation history X3 are created by the user A and the user C performing a predetermined operation on the “document X” in a state where the operation history X1 is created. Further, a state in which the operation history X4 is created by the user D performing a predetermined operation on the “document X” in a state where the operation history X2 is created is shown.

  Furthermore, the operation history X5 and the operation history X6 are created by the user F and the user A performing a predetermined operation on the “document X” in a state where the operation history X4 is created.

  Then, the operation history X7 and the operation history X8 are created by the user C and the user E performing a predetermined operation on the “document X” in a state where the operation history X6 is created.

  Next, the order tree of “document Y” shown in FIG. 19B has a structure in which the operation history for “document Y” is a node, and the tree structure of “document X” shown in FIG. Similarly, a number is assigned to distinguish each node. First, the node of the operation history Y1 is an operation history indicating that the user A has operated, and the operation history Y1 indicates an operation history node for “document Y”.

  Furthermore, a state in which the operation history Y is created by the user C performing a predetermined operation on “document Y” in a state in which the operation history Y1 is created is shown. Further, the operation history Y3 and the operation history Y4 are created by the user B and the user D performing a predetermined operation on the “document Y” in which the operation history Y2 is created.

  Further, the operation history Y5 and the operation history Y6 are created by the user F and the user A performing a predetermined operation on the “document Y” in a state where the operation history Y4 is created.

  Then, the operation history Y7 and the operation history Y8 are created by the user C and the user E performing a predetermined operation on the “document Y” in a state where the operation history Y6 is created.

  Next, the order tree of “document Z” shown in FIG. 19C has a structure in which an operation history for “document Z” is a node, and “document” shown in FIGS. 19A and 19B. Similar to the tree structure of “X” and “Document Y”, numbers are assigned to distinguish each node. First, the node of the operation history Z1 is an operation history indicating that the user G has operated, and this operation history Z1 indicates an operation history node for “document Z”.

  Furthermore, a state in which the operation history Z2 is created by the user D performing a predetermined operation on the “document Z” in a state in which the operation history Z1 is created is shown. Further, the operation history Z3 and the operation history Z4 are created by the user F and the user A performing a predetermined operation on the “document Z” in a state where the operation history Z2 is created.

  Furthermore, the operation history Z6 and the operation history Z7 are created when the user C and the user E perform a predetermined operation on the “document Z” in a state where the operation history Z4 is created.

  Then, a state in which the operation history Y8 is created by the user B performing a predetermined operation on the “document Y” in the state in which the operation history Z6 is created is shown.

  When such an ordered tree is created for each document, an operation pattern having a tree structure that is commonly generated in these ordered trees is extracted. Examples of this extraction method include a link mining method and a tree mining method. Thus, when an operation pattern having a tree structure is extracted, a user group is generated by a user associated with the operation history of the operation pattern.

  In the example illustrated in FIG. 19, the common partial tree structure 1900 corresponds to this, and a user group is generated by a user associated with the operation history of the common partial tree structure 1900. Also, probability data as shown in FIGS. 20B and 20C is created using an operation history that is a node of the common partial tree structure 1900 in which the user group is generated.

  FIG. 20 shows probability data used for detecting unauthorized operations, and FIG. 20A shows initial state probabilities used to create the probability data shown in FIGS. 20B and 20C. It is data. The number of initial probability states is determined heuristically.

  FIG. 20B shows state transition probability data, and FIG. 20C shows state output probability data.

  The state transition probability data shown in FIG. 20B and the state output probability data shown in FIG. 20C are generated by executing the flowchart shown in FIG. 21 based on the initial state probability data shown in FIG. Information.

  FIG. 21 is a flowchart showing a flow of processing for generating probability data (probability model) used for detecting an illegal operation of a document.

  In FIG. 21, first, initial state probability data to be an initial state as shown in FIG. 20A is assigned (2101). Three initial state probabilities are assigned, and the number of states is heuristically determined.

  Subsequently, it is determined whether all the parameters calculated for each individual state from the assigned initial state probability data to the other state are estimated (2102). In the state to which the initial state probability is assigned, of course, not all parameters are estimated (NO in 2102), so an intermediate variable is calculated (2103) and a model parameter is estimated (2104).

  This step (2103, 2104) will be described in detail.

It is assumed that data y (t) observed at a certain time t (data y (t) takes one of M values) is generated by the state s (t). Further, any state s (k) is any one of K states h (k), and the state of a certain state s (t) depends on the immediately preceding state s (t−1). The probability a (k) (k ′) that the state changes from h (k) to h (k ′) and the probability that the data y (t) is observed when the state is h (k) are b. (K) (k ′), expressed as A = ([a (k) (k ′)], [b (k)], [m (k)]) when assuming the first state m (k) A probability model is obtained by estimating the (K square + KM + K) parameters by maximum likelihood estimation. That is, a set of parameters that maximizes the likelihood P (y (t), T, A) of the observed data y (t) is obtained.

  When such processing is repeated for all parameters and all parameters are estimated (YES in 2102), the estimated model parameters are updated (2105). Then, it is determined whether or not the convergence condition is satisfied (2105). If the convergence condition is satisfied (YES in 2105), the process is terminated.

  If the convergence condition is not satisfied (NO in 2105), the above process is repeated again.

  As the convergence condition at this time, for example, a condition that the calculated pattern has a certain degree of similarity or more, and a condition that the degree of dissimilarity or less is also applicable.

  That is, the flowchart shown in FIG. 21 uses the maximum likelihood estimation calculation method such as EM (Expectation-Maximization) using the information shown by the common partial tree structure 1900 that has generated the user group, so that FIG. And a state output probability as shown in FIG. 20C.

  When a certain document is operated, an illegal operation is detected by determining whether the pre-operation state and the post-operation state have a certain degree of similarity or not using the output state transition probability. That is, it is detected as an unauthorized operation when the degree of similarity does not exceed a certain level.

  It should be noted that the present invention relates to a recording medium (CD-ROM, DVD-ROM, etc.) storing a program for executing the above-described operation with an unauthorized operation detection system having a communication function or for configuring the above-described means. It is also possible to configure an unauthorized operation detection system that executes the above-described processing by installing a program in a computer and executing the program. A computer constituting the unauthorized operation detection system is connected to a central processor unit (CPU), a read only memory (ROM), a random access memory (RAM), and a hard disk via a system bus. The CPU performs processing using the RAM as a work area according to a program stored in the ROM or the hard disk.

  The medium for supplying the program may be a communication medium (a medium for temporarily or fluidly holding the program such as a communication line or a communication system). For example, the program may be posted on an electronic bulletin board (BBS: Bulletin Board Service) of a communication network and distributed via a communication line.

  The present invention is not limited to the embodiments described above and shown in the drawings, and can be implemented with appropriate modifications within a range not changing the gist thereof.

An example of the system configuration | structure figure of the unauthorized operation detection system comprised by applying the unauthorized operation detection apparatus and program concerning embodiment of this invention. The figure which shows the procedure of the process which produces | generates the operation history of the document used with the unauthorized operation detection system concerning embodiment of this invention. The figure which shows the relationship between the operation histories used with the unauthorized operation detection system concerning embodiment of this invention. The figure which shows the outline | summary of the unauthorized operation detection system concerning embodiment of this invention. The block diagram which shows the detailed functional structure of the unauthorized operation detection system in embodiment of this invention. An example of the process step which registers a user group as a high frequency user group. An example of the processing step which matches a high frequency user group with a document. An example of the process step which shows the detail of the unauthorized operation detection process A. An example of the process step which shows the detail of the unauthorized operation detection process B. An example of the computing equation for calculating the similarity between user groups. An example of the process step which shows the process which re-forms a user group. The figure which shows an example of the data structure of the unauthorized operation detection system in embodiment of this invention. The figure which shows an example of the data structure of the unauthorized operation detection system in embodiment of this invention. The flowchart which shows the flow of a detailed process of the unauthorized use detection system in embodiment of this invention. The flowchart which shows the flow of a detailed process of the unauthorized use detection system in embodiment of this invention. The other flowchart which shows the flow of a detailed process of the unauthorized use detection system in embodiment of this invention. The flowchart which shows the detailed flow of the unauthorized operation detection process A which is a 1st unauthorized operation detection process. The flowchart which shows the detailed flow of the unauthorized operation detection process B which is a 2nd unauthorized operation detection process. FIG. 6 is a diagram illustrating an example of an ordered tree including a common partial tree structure 1900. The figure which shows an example of the probability data used for detection of unauthorized operation. The flowchart which shows the flow of the process which produces | generates the probability data used in order to detect the unauthorized operation of a document.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 User operation detection part 11 Context detection part 12 Operation history preservation | save part 13 Operation history creation part 14 Unauthorized operation detection part 15 Process execution part 16 Analysis result holding part 17 Operation history analysis part 100 Unauthorized operation detection server 200 Document operation history preservation | save server 300 Client PC
400 MFP

Claims (8)

An operation history management means for managing an operation history of operations performed on the document;
Generating means for generating a determination condition related to the operation history for determining that an operation on the document is an unauthorized operation from an operation history managed by the operation history management means;
An unauthorized operation detection device comprising: an unauthorized operation detection unit that detects an operation as an unauthorized operation when an operation on the document corresponds to a determination condition generated by the generation unit. The generating means includes
Operator set creation means for creating an operator set made up of operators of one or more documents managed by the operation history management means corresponding to a combination of a plurality of documents;
A setting for setting an operator set whose appearance frequency is a predetermined value or more for a plurality of operator sets created by the operator set creating means as a high-frequency operator set for operating the document with high frequency Means and
The unauthorized operation detection means includes
The unauthorized operation detection device according to claim 1, wherein when an operator of a document is not included in the high-frequency operator set set by the setting unit, an operation performed on the corresponding document by the operator is detected as an unauthorized operation. . The unauthorized operation detection means includes
A degree-of-similarity calculating means for calculating the degree of similarity between the operator set created by the operator set creating means and the high-frequency operator set set by the setting means;
The unauthorized operation detection device according to claim 2, wherein when the similarity calculated by the similarity calculation unit is equal to or less than a predetermined value specified in advance, an operation performed on the corresponding document by the operator is detected as an unauthorized operation. The similarity calculation means includes:
The number of operators belonging to the operator set and the operations belonging to the high frequency operator set with the smaller number of operators belonging to the operator set and the number of operators belonging to the high frequency operator set. The unauthorized operation detection device according to claim 3, wherein a value obtained by dividing a logical product with the number of persons is calculated as a similarity. The generating means includes
An extraction unit that arranges operation histories of each document managed by the operation history management unit in time series, and extracts operation patterns that occur in common in the operation history of each document;
State transition probability calculating means for calculating the transition probability of the document state by the operation pattern extracted by the extracting means,
The unauthorized operation detection means includes
2. The fraud according to claim 1, wherein the transition probability is specified from the transition probability calculated by the state transition probability calculation means, and the operation is detected as an illegal operation when the transition probability is equal to or lower than a predetermined value. Operation detection device. The state transition probability calculating means includes
An operator set creating means for creating an operator set from operators specified by the operation history of the operation pattern extracted by the extracting means;
6. The unauthorized operation detection device according to claim 5, wherein probability data in an initial state is assigned to an operation pattern created by the operator set creation means and the state transition probability is calculated by maximum likelihood estimation calculation.   The unauthorized operation detection device according to claim 1, further comprising notification means for notifying an administrator of an unauthorized operation detected by the unauthorized operation detection means. Computer
An operation history management means for managing an operation history of operations performed on the document;
Generating means for generating a determination condition related to the operation history for determining that the operation on the document is an unauthorized operation from the operation history managed by the operation history management means;
An unauthorized operation detection program that functions as an unauthorized operation detection unit that detects an operation as an unauthorized operation when an operation on the document corresponds to a determination condition generated by the generation unit.

Images