JP2011186612A - Program and diagnostic method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a program and a diagnostic method, for determining frequency of executing security diagnosis based on input operation and executing the security diagnosis. <P>SOLUTION: A CPU (Central Processing Unit) 10 of a PC (Personal Computer) 1 receives operation received by an operation part 14, connection of a storage medium to a storage medium connection part 17, and connection to a network (N) to a communication part 18 and another network as operation by a user of the PC 1. The CPU 10 extracts operation related to security from the received operation based on a point list sent from a server device, and obtains points indicating a risk degree on the security of each operation. The CPU 10 calculates a total value of the points obtained correspondingly to the operation received within a prescribed period, reads the frequency corresponding to the total value from a frequency table sent from the server device, and determines it. The CPU 10 executes the security diagnosis based on the determined frequency. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present application relates to a program and a diagnosis method for determining and executing a frequency of security diagnosis based on an input operation.

  In recent years, computer security vulnerabilities have been diagnosed by periodically performing security diagnosis on computers. For example, the diagnosis is performed by determining whether each file stored in the computer is a program causing a vulnerability such as a computer virus. In addition, for example, it is determined whether the security settings of various programs installed in the computer are settings that may cause vulnerabilities such as unauthorized access from outside or leakage of stored data. And diagnose (see, for example, Patent Document 1). During the period in which the security diagnosis is being executed, the processing speed relating to other applications being executed by the computer decreases. And it becomes difficult for the user to operate other applications comfortably.

Japanese Patent Laid-Open No. 2004-126874

  However, with conventional technologies, even when a safe user who does not perform operations that cause security vulnerabilities as much as possible operates, security diagnosis is periodically executed and comfortable operations may be hindered. It was.

  The present application has been made in view of such circumstances. An object of the present invention is to provide a program and a diagnostic method that enable a comfortable operation by determining the frequency of executing a security diagnosis according to the degree of risk determined based on an input operation.

  The program according to the present application is a program for causing a computer to execute a security diagnosis. The computer includes an operation information acquisition unit that acquires operation information indicating an operation on the computer, and security information on the computer based on the acquired operation information. A risk determination unit that determines a risk level indicating a risk level and a diagnosis control unit that controls the start of execution of the security diagnosis according to the determined risk level.

  According to one aspect of the apparatus, a comfortable operation can be performed by determining the frequency of executing the security diagnosis according to the degree of risk determined based on the input operation.

It is a schematic diagram which shows the example of a management system. 2 is a block diagram illustrating an example of internal hardware of a PC according to Embodiment 1. FIG. 3 is a block diagram illustrating an example of internal hardware of a server device according to Embodiment 1. FIG. 6 is a chart showing an example of a record layout of a diagnostic item table according to Embodiment 1. FIG. It is a chart which shows the example of a record layout of a score table. It is a chart which shows the example of a record layout of a frequency table. It is a chart which shows the example of a record layout of work data. 4 is a flowchart illustrating a procedure of operation data recording processing according to the first embodiment. It is a flowchart which shows the procedure of a score calculation process. It is a chart which shows the example of a record layout of operation data. It is a flowchart which shows the procedure of a security diagnosis execution process. It is a flowchart which shows the other procedure of a security diagnosis execution process. 10 is a block diagram illustrating an example of internal hardware of a PC according to Embodiment 2. FIG. 10 is a chart showing a record layout example of a diagnostic item table according to Embodiment 2. FIG. It is a chart which shows the example of record layout of a correspondence table. It is a flowchart which shows the procedure of a schedule table storage process. It is a chart which shows the example of a record layout of a schedule. 10 is a block diagram illustrating an example of internal hardware of a server apparatus according to Embodiment 3. FIG. 10 is a flowchart illustrating a procedure of operation data recording processing according to the third embodiment. FIG. 10 is a block diagram illustrating an example of internal hardware of a PC according to a fourth embodiment.

Embodiment 1
Hereinafter, embodiments will be specifically described with reference to the drawings. The diagnostic apparatus according to the present application is an information processing apparatus such as a PC (Personal Computer), a mobile phone, and a PDA (Personal Digital Assistant) connected to a network. The diagnostic apparatus has various settings relating to security vulnerabilities such as unauthorized access from the outside via a network and leakage of stored data. The diagnosis device executes security diagnosis by determining whether various settings related to security are settings that cause vulnerability. In the first embodiment, a PC will be described as an example of a diagnostic apparatus.

  FIG. 1 is a schematic diagram illustrating an example of a management system. In the figure, reference numeral 1 denotes a desktop or laptop PC (Personal Computer) installed in a limited area such as in-house, and various programs operated by the user are installed. Each PC 1 is generally operated by a specific user. For example, an employee working in a company where the PC 1 is installed can be cited as a user of the PC 1. Each PC 1 diagnoses a vulnerability to security by determining whether there is a setting that causes a vulnerability in the settings of various programs. Further, each PC 1 diagnoses a vulnerability to security by determining whether or not a program causing the vulnerability is included in each stored file.

  Each PC 1 is connected to a network N installed in a company such as a LAN (Local Area Network). The network N may be connectable to another network outside the company (not shown), and in this case, a firewall or the like is provided to prevent unauthorized access from outside. The PC 1 can send and receive data such as e-mails with other PCs 1 installed in the office via the network N. Further, the PC 1 can access an external web server device and a file server device (not shown) installed in the company via the network N, browse a website, download and upload various files, and the like. Furthermore, the PC 1 can also access an external web server device, file server device, and the like by connecting to another network such as the Internet network from within the company.

  The PC 1 may be taken outside and connected to another network outside the company. The server device 2 is operated by a system administrator or the like, and manages various data related to security diagnosis executed by the plurality of PCs 1. The server device 2 transmits various data to each PC 1 via the network N. The PC 1 receives various data sent from the server device 2 via the network N.

  FIG. 2 is a block diagram illustrating an example of internal hardware of the PC 1 according to the first embodiment. The PC 1 may be a computer device such as a general personal computer, and includes a central processing unit (CPU) 10, a read-only memory (ROM) 11, a random-access memory (RAM) 12, and a hard disk drive (HDD). 13 and the operation unit 14. The CPU 10 controls each part of internal hardware connected via the bus 10a. In addition, the CPU 10 executes a security diagnosis by reading a program stored in the HDD 13 into the RAM 12 and executing it. The operation unit 14 is a keyboard, a mouse, or the like, and receives an operation from the user of the PC 1.

  The PC 1 includes a clock unit 15 that outputs the date and time to the bus 10a, a display unit 16, a storage medium connection unit 17, and a communication unit 18. The clock unit 15 outputs the time to the CPU 10. Further, when the clock unit 15 is instructed to start timing, the clock unit 15 starts counting elapsed time and outputs the elapsed time to the CPU 10. The display unit 16 is a liquid crystal display or the like, and displays an operation screen and the like related to a program executed by the CPU 10.

  The storage medium connection unit 17 is connected to a storage medium such as a USB (Universal Serial Bus) memory, a CD (Compact Disc) -ROM, and a DVD (Digital Versatile Disc) -ROM. The storage medium connection unit 17 records or reproduces data with respect to the connected storage medium. The communication unit 18 is connected to the network N or another network. The communication unit 18 is connected to a network via a network cable. The communication unit 18 may be connected to the network by performing wireless communication with a wireless station connected to the network.

  The CPU 10 receives the operation received by the operation unit 14, the connection of the storage medium to the storage medium connection unit 17, and the connection of the communication unit 18 to the network N or another network as operations by the user (operator). The HDD 13 stores a diagnosis item table 131 including a plurality of diagnosis items diagnosed by the security diagnosis. Further, the HDD 13 stores operation data 132 indicating an operation referred to in order to determine the frequency of executing the security diagnosis among the operations by the user accepted by the CPU 10.

  FIG. 3 is a block diagram illustrating an example of internal hardware of the server device 2 according to the first embodiment. The server device 2 includes a CPU 20, a ROM 21, a RAM 22, an HDD 23, an operation unit 24, a display unit 26, and a communication unit 28. The CPU 20 controls each internal hardware unit connected via the bus 20a. The HDD 23 stores a score table 231, a frequency table 232, and work data 233. In the score table 231, a score indicating the degree of security risk for each operation by the user that can be accepted by the CPU 10 of each PC 1 is recorded in advance.

  In the frequency table 232, a plurality of different frequencies are determined and recorded in advance corresponding to the average score, which will be described later, indicating the security risk of each PC1. The work data 233 records the working hours of a specific user who operates each PC 1. The system administrator can change the score table 231, the frequency table 232, and the work data 233 stored in the HDD 23 by operating the operation unit 24 of the server device 2. Each time the score table 231, the frequency table 232, and the work data 233 stored in the HDD 23 are changed, the server device 2 transmits the changed table or data to each PC 1 via the network N by the communication unit 28. .

  Each time the PC 1 receives the score table 231, the frequency table 232 or the work data 233 sent from the server device 2, the PC 1 updates the table or data stored in the HDD 13 using the received table or data. Further, when the PC 1 is not taken out of the office and connected to the network N and the server apparatus 2 fails to transmit the score table 231, the frequency table 232, and the work data 233 to the PC 1, the PC 1 Retransmit when N is connected. As described above, the score table 231, the frequency table 232, and the work data 233 stored in the server device 2 are stored in the HDD 13 of each PC 1.

  FIG. 4 is a chart showing a record layout example of the diagnosis item table 131 according to the first embodiment. The example of the diagnostic item table 131 illustrated in FIG. 4 includes “Web browser setting”, “file exchange software”, “shared folder”, and the like as diagnostic items. The diagnosis item “web browser setting” is an item for diagnosing settings related to security of the web browser. The web browser is a program that is installed in the HDD 13 of the PC 1 and used by the user for browsing the website. The setting related to the security of the web browser is a setting indicating whether or not malware such as spyware downloaded illegally from a website is detected.

  Moreover, the setting regarding the security of a web browser is a setting which shows whether the unauthorized website pretending to be a regular website is detected, for example. The diagnosis item “file exchange software” is an item for diagnosing whether or not file exchange software that may leak data to the outside is stored in the HDD 13. The diagnosis item “shared folder” is an item for diagnosing whether or not the setting of the shared folder that can be accessed only by the authorized user is stored in the HDD 13.

  FIG. 5 is a chart showing a record layout example of the score table 231. In the score table 231, among the operations that can be accepted by the CPU 10, a score indicating a security risk level corresponding to each operation related to the security of the PC 1 is determined and stored in advance as a raw score. The raw points are stored in the score table 231 in association with the operation date and time, the operation content, and the user authority of the operated user. When the operation date and time is outside the working hours of a specific user who operates the PC 1, there is a high possibility that an unauthorized user has operated the PC 1, and the security risk is high. For this reason, in the example illustrated in FIG. 5, a raw point 3 larger than the raw point 0 associated with the working hours is associated with the non-working hours.

  Also, when the user authority is an administrator, there are many settings that can be changed for the PC 1, and the security risk is higher than when the user authority is a general user. Therefore, in the example illustrated in FIG. 5, when the user authority is an administrator, a raw point 2 larger than the raw point 1 associated with the user authority being a general user is associated. The operation content “browsing website (in-house)” indicates an operation for browsing a website provided by an in-house web server device connected to the network N. The operation content “browsing website (external)” indicates an operation of browsing a website provided by an external web server device connected to another network.

  When browsing a web browser provided by an in-house web server device, for example, the possibility that malware is illegally downloaded to the PC 1 is low, and the security risk is low. For this reason, in the example illustrated in FIG. 5, the raw point 0 is associated with the operation content “website browsing (in-house)”. In addition, browsing a web browser provided by an external web server device has a high possibility that, for example, malware is illegally downloaded to the PC 1, and the security risk is high. Therefore, in the example shown in FIG. 5, the operation content “website browsing (external)” has a higher score 1 than the raw score 0 associated with the operation content “website browsing (internal)”. It is associated.

  Operation contents “Send mail (in-house)” and “Receive mail (in-house)” are operations for sending a mail to another PC 1 connected to the network N and receiving a mail from the PC 1. Indicates. In the transmission / reception of mail between a plurality of PCs 1 in the company, there is a low possibility that data leakage or reception of a mail containing a virus will occur, and the security risk is low. For this reason, in the example illustrated in FIG. 5, the operation content “send mail (in-house)” and “reception of mail (in-house)” is associated with a raw point 0. Operation contents “Send mail (outside)” and “Receive mail (outside)” are operations for sending and receiving emails to external PCs connected to other networks. Show.

  In the transmission / reception of mail between the in-house PC 1 and the outside PC, there is a high possibility that data leakage or reception of a mail containing a virus will occur, and the security risk is high. Therefore, in the example shown in FIG. 5, the operation contents “send email (external)” and “receive email (external)” include the operation contents “send email (internal)” and “receive email (internal)”. The raw point 3 higher than the raw point 0 associated with "" is associated. Operation contents “network connection (internal)” and “network connection (external)” indicate operations for connecting to the internal network N and other external networks.

  When the PC 1 is connected to an external network, there is a high possibility that leakage of data from the PC 1 to the outside and unauthorized access to the PC 1 from the outside will be performed, and the security risk is high. Therefore, in the example illustrated in FIG. 5, the operation content “network connection (external)” is associated with a raw point 3 larger than the raw point 0 associated with the operation content “network connection (internal)”. It has been. The operation contents “connection of storage medium (CD-ROM)” and “connection of storage medium (USB memory)” respectively indicate operations for connecting the CD-ROM and USB memory to the storage medium connection unit 17.

  When a CD-ROM is connected to the storage medium connection unit 17, software that causes security vulnerability such as file exchange software may be installed in the HDD 13 from the CD-ROM, which poses a security risk. For this reason, in the example shown in FIG. 5, the operation content “connection of storage medium (CD-ROM)” is associated with the prime point 1. Further, when a USB memory is connected to the storage medium connection unit 17, the data stored in the HDD 13 is likely to be copied to the USB memory and leaked outside the company, and the security risk is high. Therefore, in the example shown in FIG. 5, the operation content “connection of storage medium (USB memory)” is larger than the prime point 1 associated with the operation content “connection of storage medium (CD-ROM)”. Point 2 is associated.

  FIG. 6 is a chart showing a record layout example of the frequency table 232. The frequency table 232 stores a plurality of different frequencies in association with a plurality of ranges having different average scores. The average score indicates a security risk calculated by a security diagnosis execution process described later based on an operation input to the PC 1. As the average score increases, the security risk of PC1 increases. The frequency table 232 is set so that the frequency of executing the security diagnosis increases as the average score increases. In the example shown in FIG. 6, the lowest frequency of “once a month” is stored when the average score is 0 or more and less than 25 and the degree of risk is the lowest. When the average score increases from 25 points to less than 50 points and the degree of risk increases, the frequency of increase “twice a month” is stored. Further, when the average score increases to 50 or more and less than 100 and the degree of risk further increases, a high frequency of “once a week” is stored. In addition, when the average score is 100 or more and the degree of risk is the highest, the highest frequency of “every day” is stored.

  FIG. 7 is a chart showing a record layout example of the work data 233. The work data 233 stores the working hours of the user in association with the user account of each PC 1 operated by each specific user. In the example shown in FIG. 7, the working hours of a specific user who generally operates the PC 1 to which the user account “USER1” is assigned are from 9:00 to 12:00 and from 13:00 to 18:00 from Monday to Friday. Yes.

  FIG. 8 is a flowchart showing the procedure of the operation data recording process according to the first embodiment. The operation data recording process is executed by the CPU 10 of the PC 1 in order to record the operation data 132 in the HDD 13. The CPU 10 starts recording an operation log (step S11). The operation log is a list of operations performed by the user received by the CPU 10, and includes operation details of each operation, operation date and time (operation time), user authority of the user who performed the operation, and the like. The operation log may be recorded by a resident program or the like that is constantly executed by the CPU 10 every time the CPU 10 receives an operation, and the operation log is recorded in the HDD 13 as an operation log.

  The CPU 10 starts measuring the elapsed time from the time when the operation log recording is started (step S12). CPU10 determines whether predetermined time passed (step S13). The predetermined time is determined in advance and stored in the HDD 13, and may be, for example, one hour. When it is determined that the predetermined time has elapsed (YES in step S13), the CPU 10 extracts the operation recorded within the predetermined time from the operation log stored in the HDD 13 (step S14). The CPU 10 further extracts operations included in the score table 231 stored in the HDD 13 from the extracted operations (step S15).

  The CPU 10 records the operation extracted in step S15 on the HDD 13 as operation data 132 (step S16). If the operation data 132 has already been recorded in the HDD 13, the extracted operation is added to the operation data 132. CPU10 determines whether completion | finish operation was received (step S17). The end operation is an operation for shutting down the PC 1, for example. If the CPU 10 determines in step S13 that the predetermined time has not elapsed (NO in step S13), the process proceeds to step S17.

  If the CPU 10 determines in step S17 that an end operation has not been received (NO in step S17), the process returns to step S12. Accordingly, every time a predetermined time elapses, an operation related to security is extracted from the operation log and added to the operation data 132. If the CPU 10 determines that an end operation has been received (YES in step S17), the operation data recording process ends.

  FIG. 9 is a flowchart showing the procedure of the score calculation process. The score calculation process is executed by the CPU 10 of the PC 1 to calculate the score corresponding to each operation included in the operation data 132. The CPU 10 reads out operations for a predetermined number of days from the operation data 132 stored in the HDD 13 (step S31). The predetermined number of days is determined in advance and stored in the HDD 13, and may be, for example, 7 days. The CPU 10 determines whether or not the read operation for a predetermined number of days includes an operation for which no score is recorded (step S32). If the CPU 10 determines that there is an operation for which no score is recorded (YES in step S32), the CPU 10 selects one operation (step S33).

  The CPU 10 reads the work time zone from the work data 233 stored in the HDD 13 (step S34). The CPU 10 reads raw points from the score table 231 stored in the HDD 13 based on the operation date and time of the selected operation and the read work hours (step S35). Here, when the operation date / time is not included in the read work time zone, the CPU 10 reads a raw score corresponding to the outside of the work time from the score table 231. In addition, when the operation date / time is included in the read work hours, the CPU 10 reads the raw points corresponding to the work hours from the score table 231. The CPU 10 reads a raw point corresponding to the operation content of the selected operation from the score table 231 stored in the HDD 13 (step S36).

  The CPU 10 reads a raw score corresponding to the user authority of the selected operation from the score table 231 stored in the HDD 13 (step S37). The CPU 10 totals the read raw points to calculate the score corresponding to the selected operation (step S38). The CPU 10 records the calculated score in the operation data 132 in association with the selected operation (step S39), and returns the process to step S32. If the CPU 10 determines in step S32 that there is no operation for which no score is recorded (NO in step S32), the score calculation process ends.

  FIG. 10 is a chart showing a record layout example of the operation data 132. The example shown in FIG. 10 is the operation data 132 recorded in the HDD 13 by the operation data recording process and further recorded by the score calculation process. The operation data 132 includes an operation extracted from the operation log by the operation data recording process, and each operation includes an operation date and time, an operation content, and a user authority. In the example shown in FIG. 10, an operation with an operation content “Browse website (outside)” operated by an employee having the user authority “general user” on the operation date “2009/10/01 09:20” is another operation. It is recorded with. The operation date and time “2009/10/01 09:20” is determined to be within working hours by the score calculation process, and a score of 0 corresponding to the operation during working hours is read from the score table 231 to operate data. 132.

  The score 1 corresponding to the operation content “website browsing (external)” is read from the score table 231 and recorded in the operation data 132 by the score calculation process. The score 1 corresponding to the user authority “general user” is read from the score table 231 and recorded in the operation data 132 by the score calculation process. Then, by the score calculation process, the total value of each raw point corresponding to the operation date and time “2009/10/01 09:20”, the operation content “browsing website (external)” and the user authority “general user” It is recorded in the operation data 132 as a score of 2 corresponding to the operation.

  FIG. 11 is a flowchart showing a procedure of security diagnosis execution processing. The security diagnosis execution process is executed by the CPU 10 to determine the frequency based on the score recorded in the operation data 132 and to execute the security diagnosis based on the frequency. CPU10 acquires the date which the clock part 15 outputs (step S51). The CPU 10 determines whether the time included in the acquired date and time is a preset frequency update time (step S52). If the CPU 10 determines that the time is the frequency update time (YES in step S52), the CPU 10 reads points for a predetermined number of days from the operation data 132 (step S53).

  For reading the score for the predetermined number of days, the score recorded in association with each operation having the operation date and time within the predetermined number of days from the latest may be read from the operation data 132. CPU10 calculates the total score of the score for the predetermined number of days read (step S54). The CPU 10 calculates the average score for one day by dividing the total score by the predetermined number of days (step S55). The CPU 10 reads the frequency corresponding to the average score from the frequency table 232 stored in the HDD 13 (step S56). The CPU 10 determines and updates the diagnosis date based on the read frequency (step S57).

  For example, when the frequency is the number of times in one month, the diagnosis date may be specified by a date. For example, when the frequency is the number of times per week, the day of the week may be specified as the diagnosis date. The CPU 10 determines whether an end operation has been accepted (step S58). If the CPU 10 determines that the end operation has not been accepted (NO in step S58), the process returns to step S51. If the CPU 10 determines in step S52 that the time is not the frequency update time (NO in step S52), the CPU 10 determines whether the date included in the acquired date is a diagnosis date (step S59).

  In step S59, when the frequency is every day, it is good to determine that it is a diagnosis date regardless of the date included in the acquired date. If the CPU 10 determines that it is not the diagnosis date (NO in step S59), the process returns to step S51. If the CPU 10 determines that it is a diagnosis date (YES in step S59), the CPU 10 determines whether or not the time included in the acquired date is a preset diagnosis time (step S60). If the CPU 10 determines that it is not the diagnosis time (NO in step S60), the process returns to step S51.

  When the CPU 10 determines that it is the diagnosis time (YES in step S60), the CPU 10 executes the security diagnosis by executing each diagnosis item included in the diagnosis item table 131 (step S61). After step S61, the CPU 10 moves the process to step S58. If it is determined in step S58 that an end operation has been accepted (YES in step S58), the CPU 10 ends the security diagnosis execution process.

  Although an example in which the diagnostic items “web browser setting”, “file exchange software”, and “shared folder” are included in the diagnostic item table 131 is shown, the present invention is not limited to this, and any item that diagnoses security-related settings may be used. . For example, the diagnostic item table 131 may include a diagnostic item “password setting”. The diagnosis item “password setting” diagnoses whether or not a password is set for the HDD 13 or the OS (Operation System) and BIOS (Basic Input Output System) executed by the CPU 10. When a password is set, the PC 1 is prevented from being operated by an unauthorized user.

  For example, the diagnostic item table 131 may include a diagnostic item “screen saver”. The diagnosis item “screen saver” diagnoses settings related to the screen saver function of the OS or the like executed by the CPU 10. For example, when the period during which the operation unit 14 does not accept an operation exceeds the waiting time, it is diagnosed whether the screen saver activation is set. When screen saver activation is set, when a legitimate user of PC1 is away from PC1, it prevents other users from seeing data displayed on display unit 16 of PC1 and leaking data. It becomes possible to do. For example, the diagnosis item “screen saver” may diagnose whether the waiting time is shorter than a predetermined time.

  The diagnostic item table 131 may include, for example, a diagnostic item “mail software setting”. The diagnosis item “mail software setting” diagnoses various settings of the mail software such as a password setting and a setting for enabling a function of detecting a computer virus included in the mail. The diagnostic item table 131 may include, for example, a diagnostic item “antivirus measure”. The diagnostic item “anti-virus” is installed in the HDD 13 and diagnoses various settings related to the anti-virus program. The anti-virus program is a program for detecting and notifying a computer virus by executing a virus scan on a storage drive such as the HDD 13 and is preferably executed by the CPU 10 as a process included in the security diagnosis.

  The diagnostic item “anti-virus” may diagnose, for example, whether or not a virus definition file defining various computer virus patterns has been updated to the latest file. Further, the diagnosis item “anti-virus measures” may diagnose whether or not all storage drives are selected as targets for detecting a computer virus when the PC 1 has a plurality of storage drives including the HDD 13. The diagnosis item “anti-virus” may diagnose whether or not a virus scan is executed within a predetermined period. For example, the diagnosis item table 131 may include a diagnosis item “encryption countermeasure”. The diagnostic item “encryption countermeasures” diagnoses settings related to encryption of data stored in the HDD 13. For example, it may be diagnosed whether or not encryption countermeasure software that encrypts data stored in the HDD 13 and prevents data leakage is installed in the HDD 13.

  In the first embodiment, the case where the PC 1 receives the work data 233 sent from the server device 2 and stores it in the HDD 13 is shown, but the present invention is not limited to this. For example, work data 233 input to the PC 1 by the user of the PC 1 may be stored in the HDD 13. In this case, the PC 1 may display an input screen for accepting the work data 233 on the display unit 16 and accept an input of the work data 233 by accepting a user operation corresponding to the input screen by the operation unit 14.

  The server device 2 may be connected to a time management system that manages the work status of the user who operates each PC 1 and may update the work data 233 as needed. In this case, the server device 2 rewrites the work data 233 stored in the HDD 23 using the work situation sent from the attendance management system as needed. Further, the server device 2 is connected to a security system that manages entry / exit to / from the building and room where each PC 1 is installed, and stores data indicating entry / exit as work status instead of work data 233. Good. In this case, when the user who operates each PC1 leaves the room where the PC1 is installed, it may be determined that it is out of working hours. Moreover, when the user who operates each PC1 has entered the room or the like where the PC1 is installed, it may be determined that it is within working hours.

  In the first embodiment, an example is shown in which the score is associated with the operation and recorded in the operation data 132 by the score calculation process, but the present invention is not limited to this, and the score is recorded in the operation data 132 by the operation data recording process. Also good. In this case, after step S15 of the operation data recording process shown in FIG. 8 is executed, steps S34 to S38 of the point calculation process shown in FIG. 9 are executed for the operation extracted in step S15. Should be calculated. In step S16 of the operation data recording process, the operation extracted in step S15 may be recorded in the HDD 13 as operation data 132 together with the calculated score.

  In the first embodiment, the case where the frequency corresponding to the average score is read from the frequency table 232 and set is shown. However, the present invention is not limited to this. For example, when the average score exceeds a predetermined threshold, the frequency is predetermined. Security diagnosis may be started. Here, a procedure for executing the security diagnosis when the average score exceeds a predetermined threshold will be described. FIG. 12 is a flowchart illustrating another procedure of the security diagnosis execution process. CPU10 acquires the date which the clock part 15 outputs (step S111).

  The CPU 10 determines whether the time included in the acquired date is the frequency update time (step S112). If the CPU 10 determines that the time is the frequency update time (YES in step S112), the CPU 10 reads points for a predetermined number of days from the operation data 132 (step S113). CPU10 calculates the total score of the score for the read predetermined number of days (step S114), and calculates the average score for one day (step S115). CPU10 determines whether the average score exceeded a predetermined threshold value (step S116). The predetermined threshold value may be determined in advance and stored in the HDD 13.

  If the CPU 10 determines that the predetermined threshold has been exceeded (YES in step S116), the CPU 10 determines whether or not the time included in the acquired date is the diagnosis time (step S117). If the CPU 10 determines that it is the diagnosis time (YES in step S117), the CPU 10 executes a security diagnosis (step S118). CPU10 determines whether completion | finish operation was received (step S119). If the CPU 10 determines that an end operation has not been accepted (NO in step S119), the process returns to step S111.

  If the CPU 10 determines that an end operation has been accepted (YES in step S119), the security diagnosis execution process ends. If the CPU 10 determines that the predetermined threshold is not exceeded in step S116 (NO in step S116), the CPU 10 determines that it is not the diagnosis time in step S117 (NO in step S117), or the frequency update time in step S112. If it is determined that there is not (NO in step S112), the process proceeds to step S119. Here, the case where the security diagnosis is executed when the predetermined threshold is exceeded and the diagnosis time is reached is shown, but the security diagnosis may be executed immediately when the predetermined threshold is exceeded.

  In the first embodiment, a score indicating the degree of risk to security is calculated based on an operation received by the CPU 10 of the PC 1, and the frequency of executing the security diagnosis is determined. Thereby, when the degree of risk is low, the security diagnosis is executed at a low frequency, so that the frequency at which the processing speed of the CPU 10 decreases with respect to the program being operated by the user is suppressed. And it becomes possible for a user to operate the program run by PC1 comfortably. In the first embodiment, the score is updated at a predetermined frequency update time to change the frequency. As a result, the frequency of executing a security diagnosis increases with an increase in the risk level for security, and it becomes possible to detect security vulnerabilities at an early stage.

  In the first embodiment, when the score table 231 and the frequency table 232 stored in the server device 2 are changed, the score table 231 and the frequency table 232 that are transmitted to the PC 1 and stored in the HDD 13 of the PC 1 are stored. Rewritten. As a result, when the system administrator changes the security policy, which is a standard for evaluating the risk level of each operation content and the standard for setting the frequency according to the risk level, the network network is changed according to the changed security policy. The score table 231 and the frequency table 232 stored in each PC 1 connected to N can be changed.

Embodiment 2
FIG. 13 is a block diagram illustrating an example of internal hardware of a PC according to the second embodiment. In the second embodiment, all the diagnosis items are diagnosed when the security diagnosis is executed, whereas the diagnosis items selected according to the received operation content are diagnosed. In the first embodiment, the diagnosis time is determined in advance. In the second embodiment, the diagnosis time of each diagnosis item is determined based on the accepted operation history. The PC 3 is connected to the network N in the same manner as the PC 1 in the first embodiment, and executes security diagnosis. The PC 3 includes an HDD 33 that stores a diagnostic item table 331, operation data 332, and the like.

  The HDD 33 stores a schedule table 333 indicating a security diagnosis execution schedule and a correspondence table 334 in which diagnosis items to be executed in accordance with each operation input to the PC 3 are set. Since the operation data 332 is the same as the operation data 132 of the first embodiment, detailed description thereof is omitted. The diagnosis item table 331 includes a plurality of diagnosis items diagnosed by the security diagnosis and a required time required for diagnosis of each diagnosis item. Since the other internal hardware units included in the PC 3 are the same as those of the PC 1 of the first embodiment, only the difference in reference numerals is described. The PC 3 includes a CPU 30, a bus 30 a, a ROM 31, a RAM 32, an operation unit 34, a clock unit 35, a display unit 36, a storage medium connection unit 37, and a communication unit 38.

  FIG. 14 is a chart showing a record layout example of the diagnosis item table 331 according to the second embodiment. In the example shown in FIG. 14, the required time of 2 minutes is recorded in association with the diagnostic item “Web browser setting”. In this case, the CPU 30 starts diagnosis of the diagnosis item “web browser setting” and instructs the clock unit 35 to start counting elapsed time. The CPU 30 acquires the elapsed time counted by the clock unit 35 when the diagnosis of the diagnosis item “web browser setting” is completed, and records it in the diagnosis item table 331 in association with the diagnosis item “web browser setting”. . The CPU 30 rewrites the required time recorded in the diagnostic item table 331 using the acquired required time each time diagnosis of each diagnosis item is executed.

  FIG. 15 is a chart showing a record layout example of the correspondence table 334. Among the diagnostic items included in the diagnostic item table 331, a diagnostic item to be executed according to the operation content recorded in the operation data 332 is selected in advance, and the diagnostic item is recorded in the correspondence table 334 corresponding to each operation content. Has been. In the example shown in FIG. 14, the diagnostic item “web browser setting” is selected in correspondence with the operation content “browse website (external)”. The correspondence table 334 may be stored in the HDD 23 of the server device 2. In this case, the correspondence table 334 is transmitted from the server device 2 to the PC 3. When the system administrator changes the correspondence table 334 stored in the server device 2, the server device 2 transmits the changed correspondence table 334 to the PC 3. The PC 3 stores the correspondence table 334 sent from the server device 2 in the HDD 33.

  FIG. 16 is a flowchart showing the procedure of the schedule table storing process. The schedule table storage process is executed by the CPU 30 in order to determine the diagnosis item and diagnosis time from the operation contents and operation time history input to the PC 3 and to store the schedule table 333 in the HDD 33. CPU30 acquires the date which the clock part 35 outputs (step S71). The CPU 30 determines whether or not the time included in the acquired date and time is a schedule update time set in advance and stored in the HDD 33 (step S72). When determining that it is not the schedule update time (NO in step S72), the CPU 30 returns the process to step S71 and waits until the schedule update time is reached.

  When it is determined that it is the schedule update time (YES in step S72), the CPU 30 reads the operation time for the latest predetermined number of days from the operation data 332 (step S73). The CPU 30 extracts an operation whose operation time fluctuates within a predetermined range from the read operations (step S74). For example, when a predetermined number of days and a predetermined range of 1 hour are set, operations whose operation time is within 1 hour are extracted from the operations input in the most recent 7 days. As described above, an operation to be operated at a time within a predetermined range is predicted and extracted based on the operation history.

  The CPU 30 extracts one operation with the earliest operation time for each extracted operation regardless of the operation date (step S75). For example, the operation with the earliest operation time is extracted every day from the operation dates and times included in the most recent seven days of the selected operation. The CPU 30 reads out and selects a diagnostic item corresponding to each extracted operation from the diagnostic item table 331 (step S76). The CPU 30 reads the required time of the selected diagnostic item from the diagnostic item table 331 (step S77). CPU30 determines the diagnostic time of each diagnostic item corresponding to each operation based on the time extracted and read corresponding to each operation and the required time (step S78).

  For example, the time obtained by subtracting the required time from the extracted operation time may be set as the diagnosis time. Alternatively, the time obtained by subtracting the required time and a predetermined time set in advance from the extracted operation time may be used as the diagnosis time. The CPU 30 stores the diagnosis item and the diagnosis time determined for each diagnosis item in the schedule table 333 (step S79). The CPU 30 determines whether an end operation has been received (step S80). When it is determined that the end operation has not been accepted (NO in step S80), the CPU 30 returns the process to step S71. CPU30 complete | finishes a schedule table storage process, when it determines with having received completion | finish operation (it is YES at step S80).

  FIG. 17 is a chart showing a record layout example of the schedule table 333. The schedule table 333 is stored in the HDD 33 by the schedule table storage process. In the example illustrated in FIG. 17, diagnostic items “web browser setting”, “file exchange software”, “shared folder”, and the like are stored as scheduled diagnostic items. For example, when the operation content “browse website (external)” is extracted as an operation whose operation time is within a predetermined range, the diagnostic item “web browser setting” corresponding to the operation content is extracted from the correspondence table 334. Read and select.

  In this case, the required time of 2 minutes for the diagnostic item “Web browser setting” is read from the diagnostic item table 331. For example, when 9 o'clock is extracted as the earliest operation time of the operation content “Browse web browser (external)”, the diagnosis time is 8:58, which is obtained by subtracting 2 minutes from 9 o'clock. It is determined. As shown in FIG. 16, the diagnosis time “8:58” is stored in the schedule table 333 as the time for diagnosing the diagnosis item “web browser setting”.

  Since the security diagnosis execution process according to the second embodiment is the same as that shown in the flowchart of FIG. 11, differences will be described and detailed description will be omitted. In step S <b> 60 of FIG. 11, the CPU 30 determines whether or not it matches the diagnosis time included in the schedule table 333. In step S61 in FIG. 11, the CPU 30 executes only the diagnostic item corresponding to the matched diagnostic time as the security diagnosis. Further, a predetermined time for executing diagnostic items not included in the schedule table 333 may be set and stored in the HDD 33.

  In this case, in step S60 of FIG. 11, the CPU 30 may determine whether or not the diagnosis time or the predetermined time included in the schedule table 333 coincides. If the CPU 30 determines that the time matches the predetermined time (YES in step S60), the remaining diagnostic items not included in the schedule table 333 among the diagnostic items included in the diagnostic item table 331 are executed as security diagnosis in step S61. Good.

  Although the correspondence table 334 shows an example in which one diagnosis item is associated with each operation content, the present invention is not limited to this, and a plurality of diagnosis items are associated with each operation content. May be. In addition, each diagnosis item included in the correspondence table 334 may overlap among a plurality of operation contents. For example, the operation item “connection of storage medium (USB memory)” may be associated with the diagnosis item “anti-virus” in addition to the diagnosis item “file exchange software”. Further, for example, in addition to the diagnostic item “shared folder”, the diagnostic items “anti-virus”, “screen saver”, “encryption”, etc. may be associated with the operation content “network connection (external)”. .

  In the second embodiment, a diagnostic item is selected based on the history of operations accepted by the CPU 30, and a diagnostic time for diagnosing each diagnostic item is determined. By diagnosing each selected diagnosis item at a different diagnosis time, the resources of the CPU 30 used for security diagnosis are reduced. And the fall of the processing speed of CPU30 is suppressed with respect to the program which the user is operating. As a result, the user of the PC 3 can comfortably operate the program executed on the PC 3.

  The second embodiment is as described above, and the other parts are the same as in the first embodiment or the first embodiment. Therefore, the corresponding parts are denoted by the same reference numerals and detailed description thereof is omitted.

Embodiment 3
FIG. 18 is a block diagram illustrating an example of internal hardware of the server device according to the third embodiment. In the third embodiment, the frequency is determined by the PC 1 while the frequency is determined by the PC 1 in the first embodiment. The server device 4 is connected to the network N similarly to the server device 2 of the first embodiment, and transmits various data and tables to the PC 1. The server device 4 includes an HDD 43 that stores a score table 231, a frequency table 232, work data 233, and operation data 432. Other hardware units included in the server device 4 are the same as those of the server device 2 of the first embodiment, and therefore only the difference in reference numerals is described. The server device 4 includes a CPU 40, a bus 40 a, a ROM 41, a RAM 42, an operation unit 44, a display unit 46, and a communication unit 48.

  FIG. 19 is a flowchart showing a procedure of operation data recording processing according to the third embodiment. The CPU 10 of the PC 1 starts recording an operation log (step S91). The CPU 10 starts measuring elapsed time with the clock unit 15 (step S92). CPU10 determines whether predetermined time passed (step S93). If the CPU 10 determines that the predetermined time has not elapsed (NO in step S93), the CPU 10 waits until the predetermined time elapses.

  When it is determined that the predetermined time has elapsed (YES in step S93), the CPU 10 reads a part of the predetermined time from the operation log (step S94). The CPU 10 transmits the user account assigned to the PC 1 and a part of the operation log read from the HDD 13 to the server device 4 through the communication unit 18 (step S95). CPU10 determines whether completion | finish operation was received (step S96). If the CPU 10 determines that the end operation has not been accepted (NO in step S96), the process returns to step S93. Thereby, the CPU 10 transmits a part of the operation log indicating the operation received within the predetermined time to the server device 4 every predetermined time.

  When it is determined that the end operation has been accepted (YES in step S96), the CPU 10 ends the operation data recording process. The CPU 40 of the server device 4 receives the data sent from the PC 1 (step S97). The CPU 40 determines whether or not the received data is a part of the operation log (step S98). If the CPU 40 determines that it is not part of the operation log (NO in step S98), it returns the process to step S97. If the CPU 40 determines that it is a part of the operation log (YES in step S98), it extracts the operation included in the score table 231 from a part of the operation log (step S99).

  The CPU 40 records operation data 432 including the extracted operation in the HDD 43 in association with the user account (step S100). The CPU 40 determines whether an end operation has been accepted (step S101). If the CPU 40 determines that an end operation has not been accepted (NO in step S101), the process returns to step S97. When it is determined that the end operation has been accepted (YES in step S101), the CPU 40 ends the operation data recording process.

  The CPU 40 of the server device 4 executes a score calculation process and stores the score in the operation data 432 recorded in the HDD 43. The score calculation process executed by the CPU 40 is the same as the procedure shown in FIG. The CPU 40 performs a security diagnosis by executing a security diagnosis execution process. Since the security diagnosis execution process executed by the CPU 40 is the same as the procedure shown in FIG. In step S61, the CPU 40 transmits a security diagnosis execution instruction to the PC 1. The PC 1 executes a security diagnosis according to the execution instruction sent from the server device 4.

  In the third embodiment, the PC 1 periodically transmits an operation log to the server device 4, records the operation data 432 based on the operation log sent by the server device 4, and scores based on the operation data 432. Calculate and determine the frequency. Then, the server device 4 transmits a security diagnosis execution instruction to the PC 1 based on the determined frequency. Since the PC 1 does not perform processing such as score calculation and frequency determination, a decrease in the processing speed of the CPU 10 is suppressed with respect to a program operated by the user. As a result, the user of the PC 1 can comfortably operate the program executed on the PC 1.

  The third embodiment is as described above, and the others are the same as those of the first embodiment. Therefore, the corresponding parts are denoted by the same reference numerals, and detailed description thereof is omitted.

Embodiment 4
FIG. 20 is a block diagram illustrating an example of internal hardware of a PC according to the fourth embodiment. The PC 5 includes a storage medium connection unit 57 to which various storage media including the storage medium 6 are connected. Since the other hardware parts of the PC 5 are the same as those of the PC 1 of the first embodiment, differences in reference numerals will be described, and detailed description thereof will be omitted. The PC 5 includes a CPU 50, a bus 50 a, a ROM 51, a RAM 52, an HDD 53, an operation unit 54, a clock unit 55, a display unit 56, and a communication unit 58. The HDD 53 stores a diagnostic item table 531 and operation data 532.

  When the storage medium 6 is connected, the storage medium connection unit 57 reads the program 60 recorded in the storage medium 6 and stores it in the HDD 53, thereby installing the program 60 in the PC 5. The CPU 50 of the PC 5 reads the program 60 stored in the HDD 53 into the RAM 52 and executes it. The CPU 50 records the operation received by the operation unit 54 in accordance with the program 60 (recording step), and determines the frequency of executing the security diagnosis based on the recorded operation (frequency determining step). The CPU 50 executes security diagnosis based on the determined frequency (execution step).

  The program 60 is not limited to being read from the storage medium 6 and stored in the HDD 53, but communication between the communication unit 58 and an external computer may be established and the program 60 may be downloaded to the HDD 53. For example, the program 60 may be stored in the HDD 23 of the server device 2, and the program 60 transmitted from the server device 2 may be received by the PC 5 and stored in the HDD 53.

  The fourth embodiment is as described above, and the other parts are the same as those of the first embodiment or the first embodiment. Therefore, the corresponding parts are denoted by the same reference numerals, and detailed description thereof is omitted.

  The following additional notes are further disclosed with respect to the embodiments including the first to fourth embodiments.

(Appendix 1)
In a program that causes a computer to perform security diagnostics,
The computer,
An operation information acquisition unit for acquiring operation information indicating an operation on the computer;
A risk determination unit that determines a risk indicating the degree of security risk in the computer based on the acquired operation information;
A program that functions as a diagnosis control unit that controls the start of execution of the security diagnosis according to the determined degree of risk.

(Appendix 2)
The computer as a score acquisition unit that acquires a score corresponding to the operation content indicated by the acquired operation information from a score table storage unit that stores a score table that associates the operation content in the computer with the score associated with the operation content To further function,
The program according to supplementary note 1, wherein the risk determination unit determines the risk according to the score acquired by the score acquisition unit based on the acquired operation information.

(Appendix 3)
The computer further functions as a working time zone information acquisition unit for obtaining working time zone information of an operator who operates the computer from a working time zone information storage unit that stores working time zone information indicating an operator's working time zone Let
The operation information acquired by the operation information acquisition unit has an operation time indicating the time when the operation was performed,
When the operation time of the acquired operation information does not belong to the work time zone indicated by the acquired work time zone information, the risk level determination unit determines the degree of risk as compared to the case of belonging to the work time zone The program according to appendix 1 or appendix 2, wherein

(Appendix 4)
The acquired operation information from a diagnostic item correspondence table storage unit that stores a diagnostic item correspondence table in which a diagnostic item indicating the type of security diagnosis executed in the computer and an operation content indicating the operation content in the computer are associated with each other. A diagnostic item acquisition unit for acquiring a diagnostic item corresponding to the operation content indicated by
When the diagnosis control unit is instructed to start execution of security diagnosis, the computer further functions as an execution unit that executes security diagnosis related to the acquired diagnosis item. The listed program.

(Appendix 5)
Further causing the computer to function as a diagnosis time determination unit that determines a diagnosis time that is a time for executing the security diagnosis based on an operation time included in the acquired operation information,
The program according to any one of appendix 1 to appendix 4, wherein the diagnosis control unit controls execution start of the security diagnosis based on the determined diagnosis time.

(Appendix 6)
In a diagnostic method for causing a diagnostic device including a control unit to perform security diagnosis,
Obtaining operation information indicating an operation on the computer by the control unit,
Determining a degree of risk indicating a degree of security risk in the computer based on the acquired operation information;
A diagnostic method for controlling execution start of the security diagnosis according to the determined risk.

(Appendix 7)
In a diagnostic device that performs security diagnosis,
An operation information acquisition unit for acquiring operation information indicating an operation on the computer;
A risk determination unit that determines a risk indicating the degree of security risk in the computer based on the acquired operation information;
A diagnosis device comprising: a diagnosis control unit that controls execution start of the security diagnosis according to the determined degree of risk.

1, 3, 5 PC
2, 4 Server device 6 Storage medium N Network network 10, 20, 30, 40, 50 CPU
10a, 20a, 30a, 40a, 50a Bus 11, 21, 31, 41, 51 ROM
12, 22, 32, 42, 52 RAM
13, 23, 33, 43, 53 HDD
14, 24, 34, 44, 54 Operation unit 15, 35, 55 Clock unit 16, 26, 36, 46, 56 Display unit 17, 37, 57 Storage medium connection unit 18, 28, 38, 48, 58 Communication unit 60 Program 131, 331, 531 Diagnostic item table 132, 332, 432, 532 Operation data 231 Score table 232 Frequency table 233 Work data 333 Schedule table 334 Correspondence table

Claims (5)

In a program that causes a computer to perform security diagnostics,
The computer,
An operation information acquisition unit for acquiring operation information indicating an operation on the computer;
A risk determination unit that determines a risk indicating the degree of security risk in the computer based on the acquired operation information;
A program that functions as a diagnosis control unit that controls the start of execution of the security diagnosis according to the determined degree of risk. The computer as a score acquisition unit that acquires a score corresponding to the operation content indicated by the acquired operation information from a score table storage unit that stores a score table that associates the operation content in the computer with the score associated with the operation content To further function,
The program according to claim 1, wherein the risk determination unit determines the risk according to the score acquired by the score acquisition unit based on the acquired operation information. The computer further functions as a working time zone information acquisition unit for obtaining working time zone information of an operator who operates the computer from a working time zone information storage unit that stores working time zone information indicating an operator's working time zone Let
The operation information acquired by the operation information acquisition unit has an operation time indicating the time when the operation was performed,
When the operation time of the acquired operation information does not belong to the work time zone indicated by the acquired work time zone information, the risk level determination unit determines the degree of risk compared to the case of belonging to the work time zone The program according to claim 1, wherein the program is determined to be high. The acquired operation information from a diagnostic item correspondence table storage unit that stores a diagnostic item correspondence table in which a diagnostic item indicating the type of security diagnosis executed in the computer and an operation content indicating the operation content in the computer are associated with each other. A diagnostic item acquisition unit for acquiring a diagnostic item corresponding to the operation content indicated by
4. The computer according to claim 1, further causing the computer to further function as an execution unit that executes a security diagnosis related to the acquired diagnostic item when the diagnosis control unit is instructed to start execution of a security diagnosis. Program described in 1. In a diagnostic method for causing a diagnostic device including a control unit to perform security diagnosis,
Obtaining operation information indicating an operation on the computer by the control unit,
Determining a degree of risk indicating a degree of security risk in the computer based on the acquired operation information;
A diagnostic method for controlling execution start of the security diagnosis according to the determined risk.

Images