JP2011018267A - Security management system, server device, security management method, program and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To efficiently set security policy to be applied to an electronic document.SOLUTION: The server device 110 includes: a means 210 receiving a parameter for characterizing one or more document classes; an acquisition means 210 acquiring a plurality of electronic documents to which policies are set, from a resource 160 on a network; an analysis means 214 extracting a text from each acquired electronic document, applying natural language analysis, gathering the documents having similarity of contents according to the received parameter, and giving the document class to each electronic document; a means 218 receiving the security policy to be applied to the electronic document with each document class; and a setting means 218 generating setting data wherein access right is determined according to the security policy corresponding to the document class given to each classified electronic document.

Description

  The present invention relates to information security technology, and more particularly to a security management system, a server device, a security management method, a program, and a recording medium for efficiently setting a security policy applied to an electronic document.

  In recent years, in organizations such as government offices, companies, and educational institutions, so-called paperless processing is progressing in which documents and images used for business are handled as electronic documents instead of paper media. By handling it as an electronic document, it can be distributed to a large number of people or remote people via the Internet or an intranet, or it can be placed on a file server or database as an electronic document and accessed and used in a timely manner. Efficiency. On the other hand, such electronic documents are subject to information leakage due to the ease of copying, and in the organizations as described above, the authority to use electronic documents containing confidential information such as trade secrets and personal information is appropriately managed. Therefore, it is important for maintaining credit to take measures to prevent leakage of confidential information.

  Technologies for managing the use of electronic documents include asking for user authentication when opening document files and allowing only legitimate users to view, or printing the user when printing There is a technique for confirming the right of the user and permitting printing only to a user having the right of printing (for example, Japanese Patent Application Laid-Open No. 2004-152261).

  Japanese Patent Laid-Open No. 2007-4616 (Patent Document 2) discloses a document file security management for a document file that is viewed by a user for the purpose of providing a document file whose security policy is changed in time series. A plurality of security policies that define usage conditions such as information on authorized users to view files are described, and an effective policy number indicating a policy selected from the plurality of policies as a policy currently applied to the document file is described. A security management database for storing security management files is disclosed.

  In addition, Japanese Patent Laid-Open No. 2008-40659 (Patent Document 3) sets a policy for an electronic document in response to a setting request from a client for the purpose of more reliably preventing leakage of information described in the electronic document. In addition, a policy management server is disclosed in which an electronic document is encrypted and stored while being held in a policy information holding unit.

  According to the above-described conventional technology, it is possible to set a security policy including a viewing authority and a printing authority for an electronic document to be protected, and provide an appropriate usage method of the electronic document according to the policy. However, in the above prior art, it is necessary to repeat the setting of the security policy for each electronic document one by one, which is a burden on the operator. When a security management system has already been established, the worker who performs policy setting operations on an electronic document is usually the creator of the electronic document, and the problems caused by the above work burden are not so obvious. However, when the system is introduced, the administrator needs to process a large amount of existing electronic documents, which increases the work burden on the administrator and eventually becomes a threshold for the introduction of the security management system. In addition, when a document management system or the like has already been established, there is a demand for setting a security policy for a document from the viewpoint of a document repository administrator in the document management system.

  The present invention has been made in view of the above problems in the prior art, and based on the idea that the same security policy should be applied to electronic documents that are similar in content, in a given group of electronic documents. , It is possible to set security policies for electronic documents classified according to content similarity in a lump, and to set security policies to be applied to electronic documents efficiently, thereby reducing the workload on workers. An object of the present invention is to provide a security management system, a server device, a security management method, a program, and a recording medium.

  In order to solve the above-described problems, the present invention provides a server device that is connected to a network and sets a security policy that defines use authority for an electronic document, and a security management system including the server. The server device of the present invention receives parameters characterizing one or more document classifications, and acquires a plurality of electronic documents that are targets of policy setting from resources on the network. Then, text is extracted from each of the acquired electronic documents, subjected to natural language analysis, documents having similar contents are collected according to the received parameters, and document classification is given to each electronic document. Then, a security policy to be applied to the electronic document to which each document classification is attached is received, and for each of the classified electronic documents, usage authority is defined according to the security policy corresponding to the attached document classification. Generate configuration data.

  According to the above configuration, in the electronic document group designated as the policy setting target, the electronic document classified according to the similarity of the text content included in the electronic document is associated with the assigned document classification. It is possible to set the use authority in a batch according to the security policy, and as a result, it is possible to efficiently set the security policy for the electronic document, thereby reducing the work load on the operator.

  Furthermore, in the present invention, when attaching the document classification, the electronic documents can be classified so that each electronic document can belong to a plurality of document classifications. In this case, it is possible to combine the authority information included in the security policies of a plurality of document classifications in accordance with the designation of priority when combining the security policies. With the above-described configuration, it is possible to perform advanced usage authority control more flexibly and efficiently in accordance with the similarity of contents for each electronic document.

  In the present invention, for each acquired electronic document, the words included in each electronic document are totaled, and a data set is generated in which the appearance frequency of each word included in each electronic document is totaled. Can be classified. This data set can be, for example, a set for each electronic document of a document vector in which the appearance frequency of each word included in the electronic document is vector data, or the appearance frequency of the word included in the electronic document is It can be set as the data totaled for every electronic document and every word. As the appearance frequency, the number of appearances may be used as it is, or a value obtained by standardizing the number of appearances may be used. As the clustering algorithm, a constrained K-means method, a method combining a Naive Bayes method and an EM (Expectation Maximization) method, or an algorithm according to graph theory can be preferably used.

  In the present invention, the authority to use the electronic document is added to one or both of an identification value that identifies a user having browsing authority, an identification value that identifies a user having printing authority, and the browsing authority and printing authority. Additional conditions may be included. The additional condition can include an addition request at the time of browsing and an addition request at the time of printing. The additional request at the time of browsing may include designation of warning message display, and the additional request at the time of printing includes designation of warning message display, designation of confidential printing, designation of tint block printing, designation of stamp printing, and the like. , A warning print designation, and the like.

  Furthermore, according to the present invention, it is possible to provide a security management method executed by the server apparatus described above, a program for realizing the server apparatus described above on a computer, and a recording medium storing the program.

1 is a diagram illustrating an outline of a document security management system according to a first embodiment. The functional block diagram relevant to operation | movement of the secure file conversion service in the document security management system of 1st Embodiment. The detailed functional block diagram relevant to operation | movement of the secure file conversion service in the document security management system of 1st Embodiment. FIG. 6 is a sequence diagram showing an operation of a secure file conversion service in the document security management system according to the first embodiment. 6 is a flowchart illustrating an analysis process executed by the secure document management server according to the first embodiment when “exclusive” is selected. 6 is a flowchart illustrating analysis processing executed when the “coexistence” is selected, which is executed by the secure document management server according to the first embodiment. The figure which shows the data structure of the data produced | generated in the file analysis part of 1st Embodiment. The figure which shows GUI displayed on the screen of the display apparatus of the management terminal of 1st Embodiment. The figure which shows the classification parameter setting screen displayed on the screen of the display apparatus of the management terminal of this embodiment. The figure which shows the other GUI displayed on the screen of the display apparatus of the management terminal of 1st Embodiment. The figure which shows the policy setting input screen displayed on the display screen of the management terminal of 1st Embodiment. The figure which shows the data structure used in the document security management system of 1st Embodiment. FIG. 11 is a sequence diagram (1/2) when a secure file is used in the document security management system according to the first embodiment. FIG. 3 is a sequence diagram (2/2) when a secure file is used in the document security management system according to the first embodiment. 12 is a flowchart showing an analysis process executed when the “exclusive” is selected, which is executed by the secure document management server of the second embodiment. 12 is a flowchart illustrating an analysis process performed when the “coexistence” is selected, which is executed by the secure document management server according to the second embodiment. 14 is a flowchart showing analysis processing executed by the secure document management server of the third embodiment. The conceptual diagram of the clustering in 3rd Embodiment.

  Hereinafter, although embodiment of this invention is described, embodiment of this invention is not limited to the following embodiment. In the following embodiments, as an example of a server device and a security management system, a secure document management server that sets a security policy for an electronic document and provides a user with the secured electronic document, and the secure document A description will be given using a document security management system including a management server.

[First Embodiment]
FIG. 1 is a diagram showing an outline of a document security management system 100 according to the first embodiment. A document security management system 100 shown in FIG. 1 includes a secure document management server 110, a management terminal 130, user terminals 140a and 140b, and a security server 150 that are connected to each other via a network 102. In the document security management system 100 shown in FIG. 1, document repositories 160a, 160b, and 160c are further connected to the secure document management server 110 via a firewall 120 and other networks.

  The network 102 is connected using a LAN (Local Area Network) based on a transaction protocol such as Ethernet (registered trademark) or TCP / IP (Transmission Control Protocol / Internet Protocol), a VPN (Virtual Private Network), or a dedicated line. It can be configured as a WAN (Wide Area Network) or the like. However, the configuration of the network 102 is not particularly limited, and may include the Internet connected via a router (not shown), and may be configured as a wired or wireless network, or a mixed network thereof. it can.

  The secure document management server 110 applies a predetermined security policy to a group of electronic document files stored in a network resource such as the document repository 160 and converts the files into a secure electronic document file. Provide secure file conversion service. Here, the secure file conversion service is a service for converting an original electronic document into a security-protected document file (hereinafter referred to as a secure file) by applying security protection such as encryption. .

  The management terminal 130 is a terminal used by an administrator or the like to access the secure document management server 110 and instruct the use of the secure file conversion service. The management terminal 130 can be configured as a dedicated terminal installed with a management tool for communicating with the secure document management server 110 and managing various settings. Alternatively, when the secure document management server 110 is configured as a web server, the management terminal 130 may be configured as a terminal that includes a web browser and accesses a web-based user interface provided by the secure document management server 110. .

  The security server 150 is a server that executes secure file conversion processing that actually performs security protection on an electronic document. Upon receiving a request from the secure document management server 110, the security server 150 converts the requested original file and returns the secure file generated as a processing result. When the secure file is received from the security server 150, the secure document management server 110 stores it in an internal database so that it can be accessed from the user terminals 140a and 140b.

  The security server 150 further manages the use of the secure file by deciphering the encryption applied to the secure file to make it usable, the identified user terminal and the user's user Security management data for determining authority is stored in association with a secure file. When using a secure file, the user terminal 140 first obtains a desired secure file from the secure document management server 110 and inquires the security server 150 about the use request. Upon receiving the inquiry, the security server 150 authenticates the use request source such as the user terminal or the user, reads the security policy corresponding to the secure file requested for use, and browses the secure file of the use request source. Judgment of authority, printing authority, and other additional conditions. In response to a request from a use request source that is deemed to have browsing authority, the security server 150 transmits information such as a key necessary for using a secure file to the user terminal 140. Thereby, on the user terminal 140 side, when there is a viewing authority, the secure file can be browsed.

  The document repositories 160a, 160b, and 160c are sources of original electronic documents that are converted into secure files by the secure file conversion service, and the electronic documents on the document repository 160 are, for example, URL (Uniform Resource Locator) or URN (Uniform Resource Name). ) And the like (Uniform Resource Identifier). As an electronic document that can be converted into a secure file, various types of electronic documents such as a document created by office environment software, a presentation slide, a spreadsheet, and a PDF (Portable Document Format) can be used. The electronic document that can be used in the first embodiment can have any data format as long as the text can be extracted to determine similarity, and the electronic document itself may include text data. If text can be extracted by character recognition processing or the like, character information may be included in the form of a pixel image such as TIFF, bitmap, PNG, GIF, JPEG, or JPEG2000. Any format known so far can be adopted as the secure file as long as security protection such as encryption can be set, but preferably a secure PDF file (secure PDF) is adopted. be able to.

  The secure document management server 110 is implemented by various computer devices such as a personal computer, a workstation, and an enterprise server. More specifically, the secure document management server 110 includes a central processing unit (CPU), a ROM (Read Only Memory) that stores a basic input output system (BIOS), and an execution storage space that enables program processing by the CPU. A hard disk drive (HDD) that stores a RAM (Random Access Memory) that provides storage, a database (hereinafter referred to as DB) that holds secure files and the like in an accessible manner, and the network 102 It consists of hardware elements including a network interface card (NIC) for connection. These hardware elements are connected via an internal bus, and the secure document management server 110 of this embodiment operates.

  The secure document management server 110 reads out a program stored in a storage device such as a ROM, HDD, or other NV-RAM or SD card, and expands it in a memory area of the RAM, so that an appropriate operating system (OS) is installed. Thus, each functional means and each process described later are realized. The security server 150 can have the same configuration. The management terminal 130 and the user terminal 140 can also have the same hardware configuration, and include a user interface including an input device such as a mouse and a keyboard and a display device such as a display.

  Hereinafter, the operation of the secure file conversion service in the document security management system 100 of this embodiment will be described in detail. FIG. 2 is a functional block diagram related to the operation of the secure file conversion service in the document security management system of the first embodiment. Each function unit in the secure document management server 110, the management terminal 130, the user terminal 140, the security server 150, and the document repository 160 illustrated in FIG. 2 controls each hardware element connected by an internal bus. Is realized on each device.

  The management terminal 130 includes a policy setting start command unit 230. The policy setting start command unit 230 displays the start screen of the secure document conversion service of the present embodiment on a display device such as a display and operates the management terminal 130. Wait for an instruction from the administrator to start the security policy setting process. FIG. 8 illustrates a graphical user interface (hereinafter referred to as GUI) displayed on the screen of the display device of the management terminal 130 of this embodiment. FIG. 8A shows a secure document conversion service start screen. The start screen 400 shown in FIG. 8A includes a policy setting start button 402 that waits for an instruction to start setting processing, a converted document list button 404, a manual button 406, and a cancel button 408. The converted document list button 404 is a button for calling a screen for displaying a list of electronic documents that have already been converted into secure files, and the manual button 406 is a button for displaying an operation manual related to the secure file conversion service. A cancel button 408 is a button for canceling the security policy setting process.

  When this service is activated, the policy setting start command unit 230 displays a service start screen 400 as shown in FIG. 8A, and subsequently detects a click on the policy setting start button 402 on this screen. When the processing start instruction is received from the administrator, the security policy setting process is started and a storage location designation screen as shown in FIG. 8B is displayed. FIG. 8B illustrates a storage location designation screen 410 for designating a storage location where an electronic document to be set as a policy setting target is stored. The storage location designation screen 410 shown in FIG. 8B includes a list box 412 that displays a storage location that is currently designated, and an add button 414 for additionally designating a new storage location. In the list box 412, the URL of the selected storage location is highlighted 418. When the delete button 416 for deleting the storage location is clicked in this state, the selected storage location is deleted from the designation. . The storage location is specified by a path such as a URL, for example, and by this specification, an electronic document in the specified folder or an electronic document in a hierarchy below the specified folder is specified as a policy setting target.

  When one or more storage locations are specified on the storage location specification screen 410 and the “next” button 420 is clicked, the policy setting start command unit 230 further displays a classification parameter setting screen as shown in FIG. . FIG. 9 shows a classification parameter setting screen displayed on the screen of the display device of the management terminal according to the first embodiment. The classification parameter setting screen 430 shown in FIG. 9 is used to set various parameters that characterize each document classification when classifying an electronic document that is a policy setting target. The classification parameter setting screen 430 shown in FIG. 9 includes a table 432 showing various parameters, an add button 434 for adding a document classification, and an edit button 436 and a delete button 438 arranged on the right side of each document classification. Including. The table 432 displays the designated document classification name 432a and the keyword 432b designated for each document classification in association with each other. When an edit button 436 arranged on the right side of each document category is clicked, a GUI for editing the keyword of the corresponding document category is called. A delete button 438 arranged on the right side of each document category waits for an instruction to exclude the corresponding document category. In the embodiment to be described, an explanation will be given assuming that an arbitrary character string is input as a keyword. However, in another embodiment, for example, a keyword candidate group extracted based on past analysis results or a keyword is set in advance. You may make it select from a keyword candidate group.

  The classification parameter setting screen 430 further includes a radio button 442 for selecting a relationship between document classifications from “coexistence” or “exclusive”. Here, the relationship between “coexistence” document categories refers to a relationship between software document categories in which an electronic document can belong to a plurality of document categories at the same time. On the other hand, the relationship between “exclusive” document classifications refers to a relationship between hard document classifications in which an electronic document belongs only to a single document classification. The classification parameter setting screen 430 further shows a radio button 444 for designating a policy coupling method when “coexistence” is selected. When “coexistence” is selected in the radio button 442, the radio button 444 becomes operable. The radio button 444 is used to specify a method of combining policies corresponding to each document classification when a plurality of document classifications are attached to one electronic document. In the example shown in FIG. Three items of “priority”, “permission priority”, and “classification priority” are shown.

  “Reject priority” is a method of giving priority to the items that are not explicitly allowed in the policy and combining them, so that only the items that are allowed in all the combined policies are allowed in the combined policy. It is to be combined. “Permitted priority” is a method of concatenating prioritized items that are explicitly permitted in a policy, contrary to the above “rejected priority”, and is permitted in at least one of the policies to be combined. The matter is to join as permitted in the combined policy. “Classification priority” is to combine documents according to a document classification policy with a high priority when a plurality of document classifications are assigned to one electronic document.

  The classification parameter setting screen 430 further shows a list box 446 and a button 448 for setting the document classification priority when “classification priority” is selected. When the document classification is selected in the list box 446 and the button 448 is clicked, the priority of the document classification being selected (for example, highlighted by the reverse display 446a) is raised.

  In the classification parameter setting screen 430, one or more document classifications are designated, one or more keywords are designated for the document classification, the relationship between the document classifications is selected, the policy combining method and the document classification priority are appropriately set. When the “next” button 440 is clicked after the determination, the policy setting start command unit 230 displays the above-described document classification, the keyword, the relationship between the document classifications, the policy combination method, the document classification priority order, and the like. The classification parameter to be included and the list of designated storage locations are passed to the secure document management server 110 and the execution of the classification process according to the designated classification parameter is instructed.

  The secure document management server 110 includes a file acquisition unit 210 and a file DB 212 as functional units. In response to the command from the policy setting start command unit 230 of the management terminal 130, the file acquisition unit 210 acquires the electronic document file from the storage location specified in the storage location list, and temporarily stores the file in the file DB 212. Keep in. In addition, the acquisition method of an electronic document is not particularly limited, and a file sharing protocol, a file transfer protocol (FTP), a hypertext transfer protocol (HTTP), and the like have been known so far. An acquisition method according to any data transfer protocol can be used. In the embodiment to be described, the storage location is specified when the secure file conversion service is started. However, when setting processing is performed on the same storage location regularly or irregularly, etc. The storage location may be registered in advance. In the present embodiment, the file acquisition unit 210 constitutes means for receiving parameters characterizing the document classification and acquisition means for acquiring an electronic document.

  The secure document management server 110 further includes a file analysis unit 214 and an analysis result display unit 216 as functional units. When the file acquisition unit 210 acquires all the electronic document files from the designated storage location, the file acquisition unit 210 causes the file analysis unit 214 to start analyzing a group of files in the file DB 212. The file analysis unit 214 extracts the text while applying an appropriate document filter to each of the electronic documents stored in the file DB 212 according to the specified classification parameter, performs natural language analysis, and depends on the similarity of the contents The electronic document classification process is executed. The file analysis unit 214 constitutes an analysis unit in the present embodiment.

  Here, with reference to FIG. 3A and FIG. 7, the details of the file analysis processing in the document security management system 100 of the present embodiment will be described. FIG. 3 is a detailed functional block diagram related to the operation of the secure file conversion service in the document security management system of the first embodiment. FIG. 3A shows a detailed functional block diagram around the file analysis unit 214. FIG. 7 illustrates a data structure of data generated by the file analysis unit of the present embodiment.

  As shown in detail in FIG. 3A, the file analysis unit 214 includes a text extraction unit 260, a syntax analysis unit 262, and a document classification unit 264. The text extraction unit 260 reads an electronic document file from the file DB 212, calls a document filter corresponding to the electronic document file format, extracts the text from the electronic document, and passes it to the syntax analysis unit 262. The syntax analysis unit 262 specifies a language used from bibliographic information of an electronic document, for example, calls an appropriate natural language processing engine, and performs syntax analysis on the extracted text. As a natural language processing engine, more simply, a morphological analysis engine that divides text described in a predetermined language into morphemes and tags part-of-speech information can be used. In the embodiment to be described, a morphological analysis engine is used. However, applicable natural language analysis is not particularly limited, and any known natural language analysis processing can be applied, for example, dependency analysis. Or, by using an appropriate pattern dictionary, it is possible to extract a group of higher-order meanings.

  For example, when the morpheme analysis is performed on the text 300 shown in FIG. 7A, morpheme analysis result data 310 including the morpheme 310a and the part of speech information 310b as shown in FIG. 7B is generated. In addition, the parsing unit 262 performs an appropriate filtering process, and does not require particles, dates, terms such as “do”, “be”, “is”, “is”, adverbs, vocabulary particles, conjunctions, auxiliary verbs, directives, etc. Simple words can be removed. In the example shown in FIG. 7B, morphemes with an asterisk can be removed. Then, the morphemes contained in the electronic document are aggregated to form a set of morphemes and the number of appearances of the morphemes, and a document vector is generated. In another embodiment, after the analysis processing for all the electronic document files is completed, the analysis result for all the electronic documents is further analyzed by tf-idf, etc. Document vectors can also be generated as a set of.

  FIG. 7C illustrates a data structure of document vector data including a document vector calculated for each electronic document. The document vector data 320 shown in FIG. 7C includes a morpheme 320a and morpheme appearance counts 320b to 320d in each electronic document. The document classification unit 264 reads out the generated document vector data 320, and uses each classification and clustering algorithm such as a K-means method or an EM (Expectation Maximization) method, according to the classification parameters. Label a document with one of the document classifications. As a document clustering method, when there are a large number of electronic documents already labeled with a document classification, a rule for document classification can be obtained by learning from the group of electronic documents that have been labeled. On the other hand, corresponding to the case where there are a small number of electronic documents labeled with document classification, such as at the time of initial introduction, this embodiment uses a method for improving classification accuracy using electronic documents that are not labeled with document classification. Use. As such a method, a constrained clustering algorithm can be used, and a constrained K-means method can be suitably used. In the present embodiment, the initial cluster center is not selected at random, but is obtained from a keyword as a constraint.

More specifically, when a relationship between “exclusive” document classifications is selected, each document classification C _i (i = 1,... N | N is the number of document classifications) is designated. A set of initial central document vectors W (C _i ) is generated using keywords, (re) classification according to the distance from the central document vector W (C _i ), and each central document vector W (C _i ) Specified for each document class by repeating recalculation (that is, calculating the average number of occurrences in the document vector over electronic documents classified (re-) in each document class) until convergence to a steady solution. Classification according to keywords can be performed. In this case, each electronic document is labeled with any one document classification. FIG. 7D illustrates the data structure of the converged central document vector. The central document vector data 330 shown in FIG. 7D is configured as a set of morphemes 330a and average values 330b to d of morpheme appearance times in each document classification.

On the other hand, when the relationship between the “coexistence” document classifications is selected, one document classification C _i is divided into the document classification C _i and the other Not_C _i, and each document classification C _i is divided. By applying the K average algorithm, classification according to the keyword specified for each document classification can be performed. In this case, for one document classification C _i , first, an initial central document vector W (C _i ) is generated using the keyword specified in the document classification C _i , and the keyword specified in the other document classification. from generates an initial central document vector W of Not_C _i representing the rest (Not_C _i). Then, the document classification C _i according to the distance to the central document vector W (C _i ) or W (Not_C _i ) and the (re) classification to the other document classification Not_C _i and the recalculation of each central document vector are performed. By repeating until convergence to a stationary solution, classification into document classification C _i and other is performed. Then, the above-described operation is performed for all document classifications C _i (1,..., N). In this case, it is possible to label a plurality of document classifications for one electronic document.

  A description will be given with reference to FIG. 2 again. When the analysis process for all the target electronic documents is completed, the file analysis unit 214 passes the analysis result to the analysis result display unit 216. The analysis result display unit 216 processes the passed analysis result into data in a format that is easy for the user to understand, and transmits the data to the management terminal 130. When the analysis result data is received, in the management terminal 130, the analysis result browsing unit 232 displays a classification result browsing screen showing a result classified by the analysis processing on the display screen of the management terminal 130. FIG. 10 illustrates another GUI displayed on the display screen of the management terminal according to the first embodiment. FIG. 10A shows a classification result browsing screen. The classification result browsing screen 450 shown in FIG. 10A includes tabs 452a, 452b, and 452c for displaying a list of electronic documents belonging to any one of the document classifications. In the example shown in FIG. 10A, the “management” tab 452a is selected, and a list 454 of electronic documents belonging to the “management” document classification is displayed. In the list 454, the file name of the electronic document and the URL path indicating the storage location are displayed in a scrollable manner by the scroll bar 454b.

  The tab 452a further includes a classification information editing button 456 that waits for an editing instruction from the user of the classification information generated as a result of the classification process. When the classification information editing button 456 is clicked, the analysis result browsing unit 232 classifies the classification information for editing the electronic document currently selected in the list 454 (for example, highlighted by the reverse display 454a). Call the information edit dialog. FIGS. 10B and 10C show the classification information editing dialog. FIG. 10B shows a classification information editing dialog 460A when “coexistence” is selected, a display 462A of an electronic document, a check box 464A for designating a document classification into which the document is classified, and document classification information And a determination button 466A for confirming the contents of. On the other hand, FIG. 10C shows a classification information editing dialog 460B when “exclusive” is selected, and instead of a check box, a radio button 464B for exclusively selecting a document classification is shown. . By editing using such a dialog, the administrator can modify an electronic document that is anxious to be classified into a desired document classification.

  Referring to FIG. 10A again, when the “next” button 458 is clicked on the classification result browsing screen 450, the analysis result browsing unit 232 passes the processing to the policy setting input unit 234. The policy setting input unit 234 of the management terminal 130 displays a policy setting input screen for setting and inputting a security policy for each document classification. FIG. 11 shows a policy setting input screen displayed on the display screen of the management terminal 130 of the first embodiment. The security policy applied to the electronic document in this embodiment includes a policy number, a policy effective date, a viewing authority, a viewing additional condition, a printing authority, and a printing authority additional condition. The policy setting input screen 470 shown in FIG. 11 includes a GUI component for inputting information constituting these security policies.

  The policy setting input screen 470 includes a box 472 for displaying a policy number and a text box group 474 for inputting a policy effective date. The policy setting input unit 234 assigns a policy number, which is an identification value for identifying a plurality of policies, and displays it in the box 472. The “policy effective date” is the date when the security policy created here is actually applied to the secure file and becomes effective. In this embodiment, a plurality of security policies can be set for a secure file, and different effective dates are set for each of the plurality of created security policies, so that the policy effective dates differ. The policy can be applied to the secure file.

  Policy setting input screen 470 further includes a list box 476 for registering a viewing authority and a box 478 for registering additional viewing conditions. The “viewing authority” is a user who is permitted to view a secure file. The administrator includes usage request source identification information for identifying the usage request source such as the name, user ID, and terminal name of the user who wants to grant viewing permission for the secure file of the electronic document belonging to the predetermined document classification in this list. input. The “browsing additional condition” refers to a condition additionally applied when browsing a secure file by a viewing authority. In other words, the “browsing additional condition” is a condition for setting the scope of handling of a secure file in association with browsing for a viewing authority, and conditions for alerting handling and restrictions on handling as described later. The conditions shown can be mentioned. In the security policy setting input screen shown in FIG. 11, the administrator designates a condition to be set as a policy from conditions prepared in advance. For example, if the warning option “Warning message display” is enabled, when the user browses a secure file, the user terminal 140 used by the user will display “Please handle with care. A warning message such as “.” Is displayed.

  Policy setting input screen 470 further includes a list box 480 for registering a print authority and a box 482 for registering additional printing conditions. The “printing authority” is a user who is permitted to print among users who are permitted to view the secure file. If the user is registered as a print authority, the user terminal 140 can print a secure file. The administrator inputs the use request source identification information of the user who wants to give print permission to the secure file of the electronic document belonging to the predetermined document classification in this list. The “print additional condition” refers to a condition additionally applied when printing a secure file by a print authority.

  For example, when the “warning message display” print option is enabled, a warning message such as “Please handle with care” is displayed on the display screen when a secure file is printed on the user terminal 140. Become so. When the “confidential printing” printing option is enabled, a user is required to input a secret personal identification number (PIN) to the printer when printing out. Further, when “background pattern printing” is enabled, a background pattern image in which, for example, the user name and the printing date and time are highlighted when the image is copied by a copying machine, is superimposed on the image of the secure file. When “stamp printing” is enabled, for example, a “confidential” mark is printed as a stamp on the image of the secure file. When “warning printing” is enabled, when a secure file is printed, for example, a user name and a printing date are printed.

  Note that the browsing option and the printing option described above are examples, and the “viewing additional condition” may set an additional condition other than the above-described condition as a security policy. For example, for “background pattern printing”, “stamp printing”, “warning printing”, etc., it is also possible to individually specify a background pattern pattern to be printed, a stamp, a warning content, and the like.

  Here, description will be given with reference to FIG. 2 again. When the administrator sets the security policy for all document classifications via the security policy setting input screen 470 and clicks the “Next” button 484 on the security policy setting input screen 470 for the last document classification. The policy setting input unit 234 instructs the secure document management server 110 to start the policy setting process. Note that the data describing the security policy for each document category is transmitted to the secure document management server 110 when the security policy setting input screen 470 is switched or together with a command to start the last policy setting process. The correction contents of the document classification are also transmitted to the secure document management server 110, and the confirmed document classification result is stored in the file DB 212.

  The secure document management server 110 further includes a policy setting unit 218 and a file transmission unit 220 as functional units. The policy setting unit 218 receives data describing the security policy for each document classification, reads out the document classification information from the file DB 212, and converts it into security policy setting data for each electronic document belonging to each document classification.

  More specifically, when “exclusive” is selected for the relationship between document classifications, only one document classification is labeled in one electronic document, and therefore, the security policy corresponding to the labeled document classification. Is the policy to be set for the electronic document. On the other hand, if “coexistence” is selected as the relationship between document classifications, multiple document classifications may be labeled in one electronic document, so document classifications labeled according to the selected combination method Combine security policies. For an electronic document that is labeled with only one document classification, it follows the security policy corresponding to the labeled document classification. For an electronic document labeled with a plurality of document categories, (i) when the “rejection priority” combination method is selected, a common set of viewing authority and printing authority is obtained. The detected one is used as it is. In this case, since “rejection priority” is operated so as to have the strictest restrictions, a union of additional conditions may be set. (Ii) When the combination method of “permission priority” is selected, the union of the viewing authority and the printing authority is obtained, and the additional condition is used as it is once it is detected. In this case, the “permission priority” is operated so that the restriction is relaxed, so that a common set of additional conditions may be set. (Iii) When the combination method of “classification priority” is selected, the browsing authority person, the printing authority person, and each additional condition follow the document classification with the higher priority.

  For example, “Taro Yamada” and “Hanako Tanaka” are registered as viewing authority for the document classification of “Management”, and “Taro Yamada”, “Hanako Tanaka”, and “Suzuki” are registered for the document classification of “Production Management”. Consider an electronic document that is labeled with the “Management” and “Production Management” document classifications when “Ryoko” is registered as a viewing authority. In the above (i) “rejection priority” combination method, only “Taro Yamada” and “Hanako Tanaka” who have the browsing authority in both categories become the browsing authority, and in the above (ii) “permission priority” combination method, “Taro Yamada”, “Hanako Tanaka”, and “Ryoko Suzuki” who have viewing authority of any category are viewing authority persons. (Iii) When the combination method of “classification priority” is selected, the policy of document classification with a high priority is followed.

  FIG. 12 shows a data structure used in the document security management system 100 of the first embodiment. FIG. 12A shows a data structure of security policy setting data generated corresponding to each electronic document. As shown in FIG. 12A, the setting data describes a URL indicating the storage location of the electronic document, the file name of the document, and the contents of the set security policy. When the setting data for the electronic document is converted, the policy setting unit 218 sets the original file of each electronic document belonging to each document classification and the corresponding setting data as a set to the security server 150 via the file transmission unit 220. Send. In this embodiment, the policy setting unit 218 constitutes a setting unit and a unit that receives a security policy for each document classification.

  In the security server 150, the file receiving unit 250 receives the original file of the electronic document and the corresponding setting data from the file transmission unit 220 of the secure document management server 110 and passes them to the secure file conversion unit 252. The secure file conversion unit 252 converts the original file of the electronic document passed from the file reception unit 250 into a secure file that is secured according to the corresponding setting data, and is security data that is management data for using the secure file Generate management data. Note that the secure file conversion unit 252 constitutes the conversion unit of the present embodiment.

  Details of the secure file conversion process in the document security management system 100 of this embodiment will be described below. FIG. 3B shows a detailed block diagram around the secure file conversion unit 252. As shown in FIG. 3B, the secure file conversion unit 252 includes a file encryption unit 270, a key generation unit 272, a security management data creation unit 274, a secure file creation unit 276, A file ID generation unit 278.

  The key generation unit 272 encrypts the original file of the electronic document using an encryption algorithm, and randomly generates a key for decryption. The file encryption unit 270 encrypts the original file of the electronic document received by the file reception unit 250 using the encryption key generated by the key generation unit 272, and creates an encrypted file. The file ID generation unit 278 assigns a unique file ID for identifying the file encrypted by the file encryption unit 270. Examples of encryption algorithms that can be used in the present embodiment include algorithms of common key encryption methods such as DES (Data Encryption Standard) triple DES and AES (Advanced Encryption Standard). In another embodiment, an algorithm of a public key cryptosystem such as RSA or ELGamal can be used.

  The secure file creation unit 276 creates a secure file by adding the file ID generated by the file ID generation unit 278 to the encrypted file created by the file encryption unit 270, and passes it to the secure file transmission unit 254. Then, the secure file transmission unit 254 transmits the secure file generated by the secure file conversion unit 252 to the secure document management server 110. On the other hand, the security management data creation unit 274 creates security management data for managing usage according to the key for decrypting the encrypted file and the setting data received by the file receiving unit 250, and the security management data It is passed to the storage unit 256. The security management data storage unit 256 stores the security management data in the security management DB 258 in association with the secure file.

  FIG. 12B illustrates the data structure of security management data stored in the security management DB 258. As shown in FIG. 12B, the security management data includes a file ID uniquely assigned to the electronic document, a key for decrypting the encrypted data of the secure file, and the contents of the set security policy. Described.

  Here, referring to FIG. 2 again, the secure document management server 110 further includes a secure file receiving unit 222 and a secure file DB 224 as its functional units. The secure file receiving unit 222 receives a secure file corresponding to each electronic document converted by the security server 150 and stores it in the secure file DB 224 so that it can be used externally from the user terminal 140 or the like. Thus, the secure file acquisition unit 240 of the user terminal 140 can access the secure file DB 224 of the secure document management server 110 and use a secure file of a desired electronic document.

  In the embodiment in which the secure document management server 110 is configured as a web server and the management terminal 130 accesses the web-based management interface using a web browser, the file acquisition unit 210 and the analysis result in the secure document management server 110 are analyzed. The display unit 216 and the policy setting unit 218 are configured as means for generating a web page describing a user interface of each screen by using a script language such as HTML (HyperText Markup Language) or JavaScript (registered trademark). In this case, the generated web page is transmitted to the management terminal 130 according to the HTTP protocol, and in the web browser on the management terminal 130, the policy setting start command unit 230, the analysis result browsing unit 232, and the policy setting according to the description of the web page. The input unit 234 is realized.

  Hereinafter, the operation of the secure file conversion service of this embodiment will be described with reference to sequence diagrams and flowcharts. FIG. 4 is a sequence diagram showing the operation of the secure file conversion service in the document security management system of the first embodiment. FIG. 4 shows operations of the management terminal 130, the secure document management server 110, and the security server 150.

  In the management terminal 130, when an instruction to request batch conversion to a secure file is input to the input device via the start screen 400 shown in FIG. 8A, for example, the batch conversion processing of the secure file starts. In step S100, the management terminal 130 displays, for example, the policy setting screens shown in FIGS. 8B and 9 on the display device. When the input of the target storage location and the classification parameter is accepted and determined via the policy setting screen, the management terminal 130 performs secure document management on the list of the specified storage location and the classification parameter in step S101. The data is passed to the server 110 to initialize the classification parameters and to instruct the execution of the classification process according to the specified conditions.

  In response to the instruction, in step S102, the secure document management server 110 obtains an electronic document file from the storage location specified in the storage location list and calls an analysis process for classifying the electronic document. FIG. 5 is a flowchart showing an analysis process executed when the “exclusive” is selected, which is executed by the secure document management server 110 according to the first embodiment. Note that the analysis method shown in FIG. 5 is based on the constrained K-average method, and is called when the relationship between the document classifications of the classification parameters is “exclusive”.

  The process shown in FIG. 5 is called in the process of step S102 shown in FIG. 4 and starts from step S200. In step S201, the secure document management server 110 reads an electronic document file stored in the file DB 212, calls an appropriate document filter, extracts text from the electronic document, and extracts the extracted text from a memory or an HDD. Store in the storage area.

  In step S202, the secure document management server 110 reads the text extracted and stored from the electronic document, calls an appropriate morpheme analysis engine, divides the text into morphemes, tags part of speech information with each morpheme, and performs filtering. The unnecessary words are removed by the above and the syntax analysis result data is stored in the storage area. In step S203, the secure document management server 110 reads the parsing result data from the storage area, counts the number of appearances for each morpheme, creates a document vector, and associates the document vector with the electronic document in the storage area. Store.

  In step S204, the secure document management server 110 determines whether or not an unprocessed electronic document file remains in the file DB 212, that is, whether or not creation of document vectors for all target electronic documents has been completed. If it is determined in step S204 that the process has not been completed (NO), the process proceeds to step S205, the next electronic document is targeted, and the process loops to step S201. On the other hand, if it is determined in step S204 that the process has been completed (YES), the process proceeds to step S206.

In step S206, the secure document management server 110 generates a central document vector W (C _i ) of each document classification C _i as an initial value according to the keyword of each document classification of the classification parameter passed from the management terminal 130, and appropriately. The document vector is also modified. For example, when the keyword included in the classification parameter does not constitute a document vector, the value of the corresponding keyword is set to 0 and added to the element of the document vector. In step S207, the secure document management server 110 calculates the Euclidean distance between the central document vector W (C _i ) of each document classification C _i and each document vector, and the central document vector having the shortest distance between each document vector is calculated. The electronic document is classified as belonging to the document classification. In step S208, the secure document management server 110 calculates the average of the document vectors to which each newly classified document class belongs, and calculates and updates a new central document vector.

  In step S209, the secure document management server 110 compares each previous central document vector with each newly calculated central document vector, and determines whether or not convergence has occurred. For example, the sum of squares of the difference between each previous central document vector and each new central document vector is calculated as an index value, and can be determined to have converged when it falls below a certain reference value. In this case, an upper limit value of the number of iterations may be set. If it is determined in step S209 that it has not converged (NO), the process loops to step S207, and the recalculation and reclassification processing of the central document vector are repeated until the convergence determination condition is satisfied. On the other hand, if it is determined in step S209 that the convergence has occurred (YES), the process proceeds to step S210. In step S210, the secure document management server 110 determines the classification into the document set, generates data indicating the classification result, stores it in the storage area, and ends the analysis processing in step S211.

  On the other hand, FIG. 6 is a flowchart showing an analysis process executed by the secure document management server of the first embodiment when “coexistence” is selected. The analysis method shown in FIG. 6 is based on the constrained K-average method, and is called when the relationship between document classifications of classification parameters is “coexistence”. In addition, since the process from step S300 to S305 is the same as what was shown in FIG. 5, description is omitted.

It is determined in step S304 that the processing is completed, and the processing in steps S307 to S311 is repeated for each document classification C _i through the loop of step S306 and step S312. In step S307, the secure document management server 110 generates the central document vector W (C _i ) of the document classification C _i as an initial value according to the keyword of the document classification C _i to be processed passed from the management terminal 130. In step S308, the secure document management server 110 generates a central document vector W (NOT_C _i ) as an initial value using a document classification keyword other than the target document classification C _i . For example, an average of the number of appearances of each keyword is obtained from keywords of a document classification that is not the document classification C _i to be processed in the loop. In step S309, the Euclidean distance between the central document vectors W (C _i ) and W (NOT_C _i ) and each document vector is calculated, and the electronic document is assumed to belong to the document classification of the central document vector in which each document vector is at the shortest distance. Classify documents. In step S310, the secure document management server 110 calculates the average of the document vectors according to the newly classified result, and calculates and updates new central document vectors W (C _i ) and W (NOT_C _i ).

In step S311, the secure document management server 110 compares each previous central document vector with each newly calculated central document vector, and determines whether or not convergence has occurred. If it is determined in step S311 that it has not converged (NO), the process loops to step S309, and the recalculation of the central document vector and the reclassification process are repeated until the convergence determination condition is satisfied. On the other hand, if it is determined in step S311 that it has converged (YES), the process proceeds to step S312, and if there is a document classification to be processed, the process proceeds to the next document classification C _{i + 1} . When the processing for all the set document classifications is completed, in step S313, the secure document management server 110 determines the classification into the document set, generates data indicating the classification result, stores the data in the storage area, and stores the data in step S314. Then, the analysis process is terminated.

  Referring to FIG. 4 again, after the analysis processing in step S102, in step S103, the secure document management server 110 converts the classification result into a format that can be easily viewed by the user, and transmits it to the management terminal 130. In step S104, the management terminal 130 displays the classification result browsing screen 450 shown in FIG. In step S <b> 105, the management terminal 130 accepts correction and confirmation of the classification result via the classification result browsing screen 450. In the management terminal 130, for example, when an instruction to proceed to the setting of the security policy is input to the input device via the classification result browsing screen 450 illustrated in FIG. The policy setting input screen 470 shown in FIG. When the administrator sets the security policy for all document classifications and the setting is completed, the management terminal 130 transmits an instruction to start the policy setting process to the secure document management server 110. In step S107, the secure document management server 110 expands the security policy setting data for each electronic document for each electronic document included as an element of each document classification, and the original file for each electronic document and the corresponding setting data. Are sent to the security server 150 and a secure file conversion process is requested.

  When the security server 150 receives the setting data and the original file of each electronic document from the secure document management server 110, the security server 150 randomly generates a key for encrypting and decrypting the original file in step S108, and generates the key in step S109. The original file of the received electronic document is encrypted using the key, and an encrypted file is created. In step S110, the security server 150 generates a file ID for identifying the encrypted file. In step S111, the security server 150 adds a file ID corresponding to the encrypted file to create a secure file for each electronic document. The created secure file of each electronic document is transmitted to the secure document management server 110.

  The security server 150 creates security management data including the generated file ID, the key used for decrypting the encrypted file, and the security policy in the received setting data in step S112, and created in step S113. Security management data is stored in the security management DB 258. In step S114, the security server 150 loops the process to step S108 until processing for all electronic documents is completed (during NO), and ends the processing when processing for all electronic documents is completed (YES). In this way, the security management file identified by the file ID is stored in the security management DB 258 for each electronic document, and the secure file is transmitted to the secure document management server 110 for each electronic document.

  On the other hand, when the secure document management server 110 receives a secure file from the security server 150, the secure file management server 110 stores the received secure file in the secure file DB 224 in step S115 so that the user can access it. In step S116, the secure document management server 110 loops the process to step S115 until reception of secure files for all electronic documents is completed (during NO), and when storage of secure files for all electronic documents is completed. (YES), the management terminal 130 is notified of the end of processing in step S117, and the processing is terminated. In this way, for each electronic document, the secure file is stored in the secure file DB 224 and can be used by the user.

  Hereinafter, the operation when using the secure file in the document security management system 100 of the first embodiment will be described. 13 and 14 are sequence diagrams when a secure file is used in the document security management system according to the first embodiment. Note that FIG. 13 and FIG. 14 are connected at point A and point B. 13 and 14 show operations of the user terminal 140 and the security server 150. In the following description, it is assumed that the secure file has already been acquired in the user terminal 140 by the above-described secure file conversion process, and the secure file is stored in a storage area such as a hard disk of the user terminal 140.

  In the user terminal 140, for example, one of a plurality of secure file icons displayed in advance on the display of the user terminal 140 is clicked by the user's operation, and the secure file is designated in the input device. When the information to be entered is input, secure file usage processing is started, and in step S401, the user terminal 140 acquires secure file designation information in accordance with the input from the input device. Examples of the designation information include a path name, a file name, and a URL.

  Subsequently, in step S402, the user terminal 140 reads the secure file specified from the acquired designation information from the storage area, and in step S403, extracts the file ID from the read secure file. In step S404, the user terminal 140 acquires the user ID of the user of the secure file. For example, a user ID input screen is displayed on the display, and the user ID input to the input device by the user via this input screen is acquired. When the user terminal 140 is a specific terminal for a specific user and the user ID is stored in the user terminal 140 in advance, the stored user ID is read and acquired. May be. In step S405, the user terminal 140 transmits the file ID and user ID to the security server 150.

  In step S406, the security server 150 reads security management data having the file ID received from the user terminal 140 from the security management DB 258. In step S407, the security server 150 extracts a policy from the read security management data. Further, in step S408, the security server 150 extracts browsing authority information from the extracted policy. In step S409, the security server 150 refers to the usage authority ID table for the extracted browsing authority information, and the browsing authority is ID information. Convert to ID. The use authority person ID table stores the names of persons who may be given use authority to the secure file in association with the use authority person ID which is identification information of the person. More specifically, for example, when used in a predetermined company, the names and IDs of all employees who may use this system are stored in association with each other. Note that when the viewing authority is registered with the ID information in the security policy itself, the above-described conversion may not be performed.

  Subsequently, in step S410, the security server 150 determines whether or not the user ID received from the user terminal 140 is included in the browsing authority person ID obtained by conversion, thereby allowing the user to have the browsing authority. It is determined whether or not there is. Here, when the user does not have the browsing authority (step S410; NO), the security server 150 transmits the browsing non-permission information to the user terminal 140 in step S411. In this case, in step S412, the user terminal 140 displays information indicating that browsing is not permitted in accordance with the browsing non-permission information received from the security server 150, and ends the secure file usage processing. Thus, a user who is not set as a browsing authority in the policy cannot browse the secure file.

  On the other hand, if the user has viewing authority (step S410; YES), the security server 150 extracts the decryption key from the read security management data in step S413 shown in FIG. 14, and further in step S414. The browsing additional conditions are extracted from the extracted policy. In step S415, the security server 150 transmits the extracted key and the browsing additional condition to the user terminal 140. If the user has printing authority, information indicating that printing is permitted is included in the viewing additional conditions, and additional printing information is transmitted to the user terminal 140.

  When the user terminal 140 receives the key and the additional viewing condition from the security server 150, the user terminal 140 extracts the encrypted file from the read secure file in step S416, and encrypts it using the key received from the security server 150 in step S417. Decrypt the file and return it to a viewable file.

  Subsequently, in step S418, the user terminal 140 displays the content of the decrypted electronic document file on the display according to the received browsing additional conditions. Specifically, when the browsing option “warning message display” is set as the viewing additional condition, the user terminal 140 displays a warning message on the display as the document content is displayed.

  When a print request is instructed by the user via the input device, the user terminal 140 controls printing of the document content according to the received print setting of the additional viewing conditions. Specifically, printing is permitted when printing permission is set in the viewing additional conditions, and printing is prohibited when printing non-permission is set. Further, when the print option is set in the viewing additional condition, the user terminal 140 controls the printer driver or the like of the printer connected to the input / output interface, so that printing according to the print option is performed at the time of printing. I do. In this way, only a user who is set as a browsing authority in the policy can browse and use the secure file.

  Subsequently, in step S419, the user terminal 140 determines whether or not browsing of the secure file by the user is ended, for example, by detecting that the content display window is closed, and ends browsing of the secure file. (NO during step S419). On the other hand, if it is determined that the browsing has ended (step S419; YES), the user terminal 140 obtains the key received from the security server 150 in step S420 and the file created by decryption in step S417. It deletes from the storage area in the user terminal 140, and this secure file utilization process is complete | finished.

  According to the embodiment described above, an existing electronic document stored in the document repository 160 or the like is classified according to the contents of the electronic document, and the document classification is labeled according to the similarity of the contents of the electronic document. It is possible to set a security policy for a set of electronic documents collectively. As a result, the workload of the administrator at the time of system introduction or the like is reduced, and as a result, the threshold for the introduction of the security management system can be lowered. In addition, the administrator can customize the document classification and the security policy corresponding to the document classification according to the storage location of the electronic document. Therefore, the administrator can secure the electronic document from the viewpoint of the document repository administrator in the document management system. It is also possible to respond to requests for setting a policy.

  In the above-described embodiment, the clustering algorithm used for document classification has been described in detail using the constrained K-average method. However, clustering algorithms that can be employed in the embodiments of the present invention are not limited to those described above. Hereinafter, another embodiment using another clustering algorithm will be described.

[Second Embodiment]
The document security management system according to the second embodiment described below has substantially the same configuration as the document security management system 100 according to the first embodiment, and hence analysis processing that is a difference will be described below. In the analysis processing of the first embodiment, the constrained K-means method is used as a clustering algorithm. However, in the analysis processing of the second embodiment, the Naive Bayes method, which is a probability model, and the EM method are used. Adopt a method that combines. FIG. 15 is a flowchart illustrating an analysis process executed when the “exclusive” is selected, which is executed by the secure document management server 110 according to the second embodiment.

The analysis process shown in FIG. 15 is called in the process of step S102 shown in FIG. 4 and starts from step S500 when the relationship between the document classifications of the classification parameters is “exclusive”. In step S501, the secure document management server 110 reads the file of each electronic document stored in the file DB 212, analyzes each electronic document, and the word w _t (t = 1,... | V |: | V | This is the number of words in all document sets.) N (w _t , D _i ) the number of occurrences of a specific electronic document D _i (i = 1,... | D |: | D | is the number of documents). ) More specifically, in step S501, as described in the first embodiment, text is extracted from each electronic document by using an appropriate document filter for each read electronic document file, and morphological analysis is performed. Decompose into morphemes and filter unnecessary words. Then, the number of each word w _t is counted for each electronic document D _i , and the counted N (w _t , D _i ) is stored in a storage area such as a memory or HDD.

In step S502, the secure document management server 110 regards the keyword list of each document category as a document, and for each document category C _j , the probability that the word w _t appears once in the document category C _j according to the following equation (1). P (w _t | C _j ) representing, and P (C _j ) representing the appearance probability of the document classification C _j is calculated according to the following equation (2).

In the above formula, P (C _j | D _i ) represents the probability that the document D _i belongs to the document classification C _j . | C | represents the number of document classifications. In the calculation of step S502 in which the document classification keyword list is processed as a document, | D | = 1, and for P (C _j | D _i ), the document D _i represented by the keyword list is a document. If supported to the classification _{C j} are, _P for the document _{D i,} which represents the keyword list of document classification _{C j} is the probability that belong to a document classification _{C j |} a _{(C j D i) = 1} , otherwise In this case, P (C _j | D _i ) = 0. Subsequently, in step S503, the secure document management server 110 performs P (w _t | C _j ) and P (C _j ) calculated in step S502 on all electronic documents D _i according to the following equation (3). , The probability P (C _j | D _i ) that each document D _i belongs to the document classification C _j is calculated. In the present embodiment, the initial value of the probability P (C _j | D _i ) is obtained from the keyword.

Subsequently, in step S504, for each document classification C _j , the value of the probability P (C _j | D _i ) newly obtained for each electronic document D _i (excluding those in the keyword list) is used. according to the above formula (1) _P | calculates the _(w t _{C j),} calculates the P _{(C j)} according to the above formula (2). P (w _t | C _j ) calculated here is a value of 0 or more and less than 1. In step S505, P (w _t | C _j ) and P (C _j ) calculated in step S504 are used for all electronic documents D _i , and the probability P (C _j | D is calculated according to the above equation (3). _i ) Recalculate. In step S506, the secure document management server 110 determines whether it has converged. For example, the sum of squares of the difference between the probabilities P (C _j | D _i ) before and after is calculated as an index value, and it can be determined that it has converged when it falls below a certain reference value. In addition, when the average change rate of the probability P (C _j | D _i ) falls below a certain threshold value, it can be determined that it has converged.

If it is determined in step S506 that the convergence has not occurred (NO), the process loops to step S504, and recalculation is repeated until the convergence determination condition is satisfied. On the other hand, if it is determined in step S506 that convergence has occurred (YES), the process proceeds to step S507. In step S507, the secure document management server 110 labels the document classification corresponding to the highest probability P (C _j | D _i ) for each electronic document, determines the classification into the document set, and displays the classification result. The data shown is generated, and the analysis process is terminated in step S508.

FIG. 16 is a flowchart illustrating an analysis process executed by the secure document management server 110 according to the second embodiment when “coexistence” is selected. The analysis process shown in FIG. 16 is called in the process of step S102 shown in FIG. 4 and starts from step S600 when the relationship between the document classifications of the classification parameters is “exclusive”. In step S601, the secure document management server 110 analyzes each electronic document stored in the file DB 212 and totals N (w _t , D _i ).

Then is performed the loop processing of steps S602～S610, a document classification _{C j,} and repeats the processing performed separately in the other document classification NOT_C _j for each document classification _{C j.} In step S603, the secure document management server 110 creates a keyword list of the document classification NOT_C _j using the keywords of the document classification other than the processing target. In step S604, the secure document management server 110 regards the keyword list of the target document classification C _j and the other document classification NOT_C _j as a document, and determines the document classification C _j and NOT_C _j (hereinafter, without distinguishing them) Then, P (w _t | C) representing the probability that the word w _t appears once in the document classification C is calculated according to the above equation (1), and the document classification is calculated according to the above equation (2). P (C) representing the appearance probability of C is calculated. Subsequently, in step S605, the secure document management server 110 uses P (w _t | C) and P (C) calculated in step S604 according to the above equation (3) for all electronic documents D _i . Thus, the probability P (C _j | D _i ) and the probability P (NOT_C _j | D _i ) that the document D _i belongs to the document classification C _j and NOT_C _j are calculated.

Subsequently, in step S606, using the value of the probability P (C | D _i ) newly obtained for each electronic document D _i (excluding those in the keyword list), for the document classification C _j and NOT_C _j , P (w _t | C) is calculated according to the above equation (1), and P (C) is calculated according to the above equation (2). In step S607, the probability P (C | D _i ) according to the above equation (3) is used for all electronic documents D _i using P (w _t | C) and P (C) calculated in step S606. Is recalculated. In step S608, the secure document management server 110 compares each previous probability P (C | D _i ) with each newly calculated probability P (C | D _i ) to determine whether or not the convergence has occurred. judge. If it is determined in step S608 that it has not converged (NO), the process loops to step S606, and recalculation is repeated until the condition for convergence determination is satisfied. On the other hand, if it is determined in step S608 that convergence has occurred (YES), the process proceeds to step S609.

In step S609, the secure document management server 110 performs document classification for each electronic document D _{i according} to the value of the probability P (C _j | D _i ) and the probability P (NOT_C _j | D _i ). Decide whether to label For example, when the probability P (C _j | D _i ) is larger than the probability P (NOT_C _j | D _i ), it is determined that the document belongs to the document classification C _j and is labeled. When the process of step S602~ step S610 for all document classification _{C j} is complete, the secure document management server 110 in step S611, to confirm the classification of the document set, and stores the data indicating the classification result, the in step S612 End the analysis process.

[Third Embodiment]
Hereinafter, an embodiment using still another clustering algorithm will be described. The document security management system according to the third embodiment described below has a configuration substantially similar to that of the document security management system 100 according to the first embodiment, and therefore, analysis processing that is a difference will be described below. In the analysis processing of the second embodiment described above, a method combining the Naive Bayes method and the EM method is used, but in the third embodiment, a graph cut method is employed. FIG. 17 is a flowchart illustrating an analysis process executed by the secure document management server 110 according to the third embodiment.

The analysis process shown in FIG. 17 is called in the process of step S102 shown in FIG. 4, and starts from step S700. At step S701, the secure document management server 110 analyzes each electronic document, create the document vector of each electronic document D _i consists words containing. Note here creates a document vector from the keyword list L _j of each document classification C _j, the following process to create a k-nearest neighbor graph with the union of the document D and the keyword list L. In step S702, the secure document management server 110 calculates the Euclidean distance E between document vectors. At step S703, the secure document management server 110, tensioning the weighted side of the top k documents vector from the direction Euclidean distance is closer to the electronic document D _i. The edge weight can be determined from the following equation (4). In the following formula (4), E (D _i , D _j ) represents the Euclidean distance between the document D _i and the document D _j, and n is an arbitrary positive number having a constant value.

Subsequently, the generated k neighborhood graph is processed for each document classification C _j by the loop processing shown in steps S704 to S708. In step S705, the secure document management server 110 searches the keyword list L for the document classification _Cj that is the current processing target, from the keyword list L, whether it belongs to the document classification _Cj . In step S706, the secure document management server 110 adds a positive node and a negative node to the graph, and uses an edge having a large weight between the keyword list belonging to the document classification _Cj that is the current processing target and the positive node. Connect the keyword lists that do not belong to C _j and the negative nodes with edges having large weights. For this large weight value, for example, the most positive floating point that can be expressed on a computer may be used. Subsequently, in step S707, the secure document management server 110 cuts the graph using the Ford-Fulkerson algorithm and classifies each electronic document D _i as belonging to the document classification C _j and not belonging to the document classification C _j . The graph cut is to separate the graph into unconnected parts by removing a set of edges that minimize the sum of the weights of all neighboring elements.

FIG. 18 is a diagram showing a conceptual diagram of clustering in the third embodiment. FIG. 18 (A) for one document classification _{C j,} it shows the state of the graph after performing the process from step S705 to step S707. In FIG. 18A, keyword lists L _j (j = 1, 2, 3) for three document classifications are represented by ●, ▲, and ■, respectively, and documents D other than the keyword list are represented by ○. Has been. In addition, between documents (including a keyword list), neighboring objects are connected by edges indicated by solid lines. Further, FIG. 18A shows a positive node indicated by “+”, and is connected with a large weight to the keyword list of 2 corresponding to the document classification C _j . In FIG. 18A, a negative node indicated by “−” is shown, and is connected with a large weight to a keyword list of ● and ▲ not corresponding to the document classification _Cj . Then, at one point chain thick lines, and elements of documents belonging to the document classification C _j, the boundaries of the graph cut to separate the elements of the document which does not belong to Cj are shown schematically.

FIG. 18 (B) shows the state of the graph after having been subjected to processing for all the documents classified _{C j} from step S705 to step S707. As shown in FIG. 18B, the graph includes a keyword list of each document classification C _j and includes a classification number m that separates documents belonging to the document classification C _j and documents that do not belong (FIG. 18B). The number of graph cuts is 3).

When the process shown in step S704~S708 are completed for each document classification _{C j,} the process proceeds to step S709. In step S709, the process branches according to the relationship between the selected document classifications. If “exclusive” is selected as the document classification interval, the process proceeds to step S710. In step S710, the secure document management server 110 excludes the obtained m graph cuts having the largest sum of the edge weights, and puts the graph into m regions by the remaining m-1 graph cuts. The electronic document D included in each area is divided and a corresponding document classification label is attached. FIG. 18C-1 shows a state in which, when “exclusive” is selected as the document classification, the graph is divided by m−1 graph cuts, and respective clusters are formed. FIG. 18D-1 shows a state after the graph is divided by m-1 graph cuts and the electronic documents included in each region are labeled with the corresponding document classification.

  On the other hand, if “coexistence” is selected as the document classification in step S709, the process proceeds to step S711. In step S711, the secure document management server 110 determines whether or not it belongs to each document classification Cj, using the determined m graph cuts as a boundary, and attaches a label. Also, a document classification label in which another electronic document having the closest Euclidean distance is classified is attached to a document that does not belong to any document classification. FIG. 18C-2 shows a state in which, when “coexistence” is selected as the document classification, the graph is divided by the boundaries of m graph cuts, and respective clusters are formed. FIG. 18D-2 shows a state after the graph is divided by the boundaries of the m graph cuts and the electronic documents included in each region are labeled with the corresponding document classification. As shown in FIG. 18D-2, it can be seen that a document that does not belong to any cluster is labeled with a document classification of ▲ in which the documents with the closest Euclidean distance are classified. In step S710 or step S711, each electronic document is labeled with a document classification. In step S712, classification into a document set is confirmed, and data indicating the classification result is stored. In step S713, the analysis process is performed. End.

  As described above, according to the embodiments described above, based on the idea that the same security policy should be applied to electronic documents that are similar in content, the similarity of content in a given group of electronic documents Security that enables security policies to be set for electronic documents classified by gender in a batch, which in turn enables security policies to be applied efficiently to electronic documents, reducing the work burden on workers. A management system, a server device, a security management method, a program, and a recording medium can be provided.

  The above functions can be realized by a computer-executable program written in a legacy programming language such as an assembler, C, C ++, C #, Java (registered trademark), an object-oriented programming language, or the like. ROM, EEPROM, EPROM, It can be stored in a device-readable recording medium such as flash memory, flexible disk, CD-ROM, CD-RW, DVD, SD card, MO, and distributed.

  Although the embodiments of the present invention have been described so far, the embodiments of the present invention are not limited to the above-described embodiments, and those skilled in the art may conceive other embodiments, additions, modifications, deletions, and the like. It can be changed within the range that can be done, and any embodiment is included in the scope of the present invention as long as the effects of the present invention are exhibited.

DESCRIPTION OF SYMBOLS 100 ... Document security management system, 102 ... Network, 110 ... Secure document management server, 120 ... Firewall, 130 ... Management terminal, 140 ... User terminal, 150 ... Security server, 160 ... Document repository, 210 ... File acquisition part, 212 ... file DB, 214 ... file analysis unit, 216 ... analysis result display unit, 218 ... policy setting unit, 220 ... file transmission unit, 222 ... secure file reception unit, 224 ... secure file DB, 230 ... policy setting start command unit, 232 ... Analysis result browsing unit, 234 ... Policy setting input unit, 240 ... Secure file acquisition unit, 250 ... File reception unit, 252 ... Secure file conversion unit, 254 ... Secure file transmission unit, 256 ... Security management data storage unit, 258 …Security Management DB, 260 ... text extraction unit, 262 ... syntax analysis unit, 264 ... document classification unit, 270 ... file encryption unit, 272 ... key generation unit, 274 ... security management data creation unit, 276 ... secure file creation unit, 278 ... file ID generation unit, 300 ... text, 310 ... morpheme analysis result data, 310a ... morpheme, 310b ... part of speech information, 320 ... document vector data, 320a ... morpheme, 320b-d ... number of appearances, 330 ... central document vector data, 330a ... morpheme, 330b-d ... average value, 400 ... start screen, 402 ... policy setting start button, 404 ... converted document list button, 406 ... manual button, 408 ... cancel button, 410 ... storage location designation screen, 412 ... List box, 414 ... Add button, 416 ... Delete button 418 ... Reverse display, 420 ... Next button, 430 ... Classification parameter setting screen, 432 ... Table, 432a ... Document classification name, 432b ... Keyword, 434 ... Add button, 436 ... Edit button, 438 ... Delete button, 440 ... "Next" button, 442, 444 ... Radio button, 446 ... List box, 448 ... Button, 450 ... Classification result browsing screen, 452 ... Tab, 454 ... List list, 456 ... Edit button, 458 ... "Next" Button 460 ... Classification information edit screen 462 ... Display 464A ... Check box 464B ... Radio box 470 ... Policy setting input screen 472 ... Box 474 ... Text box group 476 ... List box 478 ... Box 480 ... List box, 482 ... Box, 484 ... Next button, 486 ... Cancel button

JP 2004-152261 A Japanese Patent Laid-Open No. 2007-4616 JP 2008-40659 A

Claims (16)

A security management system including a server device that is connected to a network and sets a security policy that defines usage rights for an electronic document, the server device comprising:
Means for receiving parameters characterizing one or more document classifications;
Obtaining means for obtaining a plurality of electronic documents to be policy-set from resources on the network;
Extracting text from each of the acquired electronic documents, performing natural language analysis, analyzing documents that have content similarity according to the received parameters, and attaching the document classification to each of the electronic documents;
Means for receiving a security policy to be applied to each electronic document to which the document classification is attached;
A security management system, comprising: setting means for generating setting data in which the use authority is defined for each of the classified electronic documents according to the security policy corresponding to the attached document classification.   The analyzing unit classifies the electronic document so that a plurality of the document classifications can be given to the electronic document, and the setting unit sets the plurality of documents according to designation of priority rules when combining the security policies. The security management system according to claim 1, wherein the authority information included in the security policy of the classification is combined.   For each of the acquired electronic documents, the analysis unit totals the words included in each of the electronic documents, generates a data set in which the appearance frequencies of the words included in each of the electronic documents are totaled, The security management system according to claim 1 or 2, wherein documents having the similarity are classified according to an algorithm.   The setting unit passes each acquired electronic document and the corresponding setting data to a conversion unit that converts the original electronic document into a secure electronic document that is secured, and each secure electronic document The security management system according to claim 1, wherein the generated secure electronic document is made available.   The security management system according to any one of claims 1 to 4, wherein the parameter includes a keyword defined for each of the document classifications, and the keyword is used to obtain an initial condition for processing related to the classification. .   The security management system is attached to a user interface for inputting the parameters, a user interface for inputting the security policy to be applied to each electronic document with the document classification, and the electronic document. The security management system according to claim 1, further comprising: a management terminal that provides a user interface for editing the document classification; and a conversion server device that implements the conversion unit.   The specified priority rules are combined in accordance with a reject priority method that prioritizes items that are not permitted to be combined, a permission priority method that prioritizes items that are permitted to be combined, and a predetermined priority order for the document classification. The security management system according to claim 2, which is selected from a classification priority method. A server device that is connected to a network and sets a security policy that regulates usage rights for an electronic document, the server device comprising:
Means for receiving parameters characterizing one or more document classifications;
Obtaining means for obtaining a plurality of electronic documents to be policy-set from resources on the network;
Extracting text from each of the acquired electronic documents, performing natural language analysis, analyzing documents that have content similarity according to the received parameters, and attaching the document classification to each of the electronic documents;
Means for receiving a security policy to be applied to each electronic document to which the document classification is attached;
A setting unit configured to generate setting data in which the use authority is defined for each of the classified electronic documents according to the security policy corresponding to the attached document classification.   The analyzing unit classifies the electronic document so that a plurality of the document classifications can be given to the electronic document, and the setting unit sets the plurality of documents according to designation of priority rules when combining the security policies. The server apparatus according to claim 8, wherein the authority information included in the classification security policy is combined.   For each of the acquired electronic documents, the analysis unit totals the words included in each of the electronic documents, generates a data set in which the appearance frequencies of the words included in each of the electronic documents are totaled, The server apparatus according to claim 8 or 9, wherein documents having similarities are classified according to an algorithm.   The setting unit passes each acquired electronic document and the corresponding setting data to a conversion unit that converts the original electronic document into a secure electronic document that is secured, and each secure electronic document The server apparatus according to claim 8, wherein the secure electronic document generated is made available. A method of setting a security policy for defining usage rights for an electronic document,
Receiving parameters characterizing one or more document classifications;
Obtaining a plurality of electronic documents to be policy-set from resources on the network;
Extracting text from each of the acquired electronic documents, performing natural language analysis, collecting documents having content similarity according to the received parameters, and attaching the document classification to each of the electronic documents;
Generating each of the classified electronic documents according to the received security policy corresponding to the attached document classification, and generating the setting data in which the use authority is defined.   The step of attaching the document classification includes a sub-step of classifying the electronic document so that a plurality of the document classifications can be given to the electronic document, and the generating step is a priority when combining the security policies. 13. The security management method according to claim 12, further comprising a substep of combining authority information included in a plurality of document classification security policies according to a specified specification.   In the step of attaching the document classification, for each of the acquired electronic documents, the words included in each of the electronic documents are totaled, and a data set in which the appearance frequencies of the words included in the respective electronic documents are totaled is generated. The security management method according to claim 12 or 13, comprising a sub-step and a sub-step of classifying the documents having the similarity according to a clustering algorithm.   The computer-executable program for implement | achieving each means of any one of Claims 8-11 in a computer.   A recording medium for storing the computer-executable program according to claim 15 in a device-readable manner.