JP2012174151A - File tracking device, file tracking method and file tracking program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problem that whether or not a processing object file is generated by copy and transfer operations from a different file by tracking only a file operation log.SOLUTION: In trace-back, a narrowed period acquisition part 1116 acquires a narrowed period until a final trace object file is opened and preserved from a log entry, a tracking candidate generation part 1126 turns a different file separately opened in the narrowed period to a candidate file of a copy origin, and an additional trace determination part 1107 calculates similarity between the information of the final trace object file and the information of the candidate file, compares the similarity with a threshold, and estimates the candidate file whose similarity is larger than the threshold as the copy origin.

Description

  The present invention relates to a file tracking device that estimates an original file that created a processing target file, which is a predetermined file, by tracking a plurality of log entries. The present invention also relates to a file tracking device that estimates other files generated from a processing target file by tracking a plurality of log entries. In particular, the present invention relates to estimating whether a processing target file is generated from a part of information stored in the original file or estimating another file generated from a part of information stored in the processing target file.

For example, a case where the original file that created the processing target file is estimated will be described below. There are cases where an employee of an organization attaches a file managed and stored as a confidential file in a file server device in the organization to an email and sends the file as an attached file outside the organization. After sending an email, it may be investigated whether the file attached to the email comes from a confidential file. For example, if a file acquired from a file server device that stores a confidential file is renamed, and the renamed file is attached to an email and sent as an attached file, the attached file is derived from the confidential file stored in the file server It is. When the confidential file manager of the organization knows that the confidential file has been sent out by such an investigation, the organization performs a response such as requesting the destination of the mail to delete the attached file.
As a method of examining the original file (origin of the attached file) that generated the file attached to the email and sent, the operation history (log entry) of the file when the attached file was operated There is a method of tracking the original file that is the source of the attached file by tracing.

  In addition, there is a method of determining whether a processing target file is generated by using a part of information stored in an original file by tracking information stored in a clipboard.

JP 2009-026294 A

  In the invention described in Japanese Patent Laid-Open No. 2009-26294, the copy operation / paste operation is grasped by monitoring the clipboard. However, such a method requires a function for monitoring the clipboard, and depending on the method, it is necessary to analyze the clipboard operation log, so that there is a problem that the number of logs to be analyzed increases and the amount of logs also increases.

  The file operation log stores file generation, file saving, file deletion, file renaming, file movement, file open / close by an application such as spreadsheet software, and the like. A file can be traced from a file operation log in which such an operation is stored as a history. However, a copy and paste operation that generates a file to be processed from a part of information stored in the original file (a part of the original file is copied and copied) A file to be processed is generated from a part of the original file by performing a paste operation on the file (copy and paste of the file), or generated from a part of information stored in the file to be processed Copy and paste operations that generate other files (perform processing by copying part of the file to be processed and pasting part of the copied file into other files) Copying and pasting files from one part of a file to another, copying and pasting data between files Record of the paste does not remain in the operation log. For this reason, in an operating environment where only file operation logs can be collected, whether it is a file generated by copying and pasting a file, or an original file that generates another file by copying and pasting a file, Cannot be estimated.

The present invention makes it possible to determine copy and paste of a file only from an operation log in an operating environment in which only a file operation log can be collected.
In addition, using the method of tracing the original file that generated the processing target file (trace back) or the method of tracking the other file generated from the processing target file (trace forward), multiple operation logs can be The data copy and paste operation is estimated, and the file on which the operation is performed is traced.

The file tracking apparatus according to the present invention, the file tracking apparatus for estimating the original file that generated the processing target file by tracking a plurality of log entries,
An operation log storage unit that stores a plurality of log entries each including an operation command, an operation content including the file name of the operated file, and a time stamp indicating the date and time when the operation was performed;
An operation for inputting the processing target file name of the processing target file and saving the processing target file using an operation command and operation contents of the log entry from a plurality of log entries stored in the operation log storage unit. A log entry indicating that the processing has been performed is extracted, and the time stamp of the extracted log entry is acquired as the storage date and time, and the log entry indicating that the operation to open the processing target file is performed by the acquired storage date and time. Extracting, acquiring a time stamp included in the extracted log entry as an open date, and outputting a squeeze period acquisition unit having the acquired open date and the storage date and time;
The squeezing period output by the squeezing period acquisition unit is input, and the squeezing that is input using the time stamp, operation command, and operation content of the log entry from the plurality of log entries stored by the operation log storage unit. One or more log entries indicating that any one of an operation of opening and closing a file having a similar file name similar to the file name to be processed in the period is extracted, and each of the extracted one or more A tracking candidate generator for storing the log entry in the storage device as a tracking candidate log;
The tracking candidate generation unit sequentially inputs the tracking candidate log stored in the storage device, and inputs the information stored in the file represented by the similar file name included in the operation content of the input tracking candidate log as the tracking candidate information. Whether or not to estimate the original file that generated the similar file with the similar file name by tracking a plurality of log entries is determined using the input tracking candidate information, and the tracking candidate log determined to be estimated An additional tracking log determination unit that outputs
An additional tracking log storage unit that stores the tracking candidate log output by the additional tracking log determination unit as an additional tracking log;
The similar file name included in the operation content of the additional tracking log stored in the additional tracking log storage unit is input, the original file that generated the similar file with the input similar file name is changed to the processing target file. The generated original file includes a tracking unit that tracks and estimates a plurality of log entries.

  According to the file tracking apparatus of the present invention, there is an effect that it is possible to estimate an original file of a file generated by copying and pasting operations that could not be tracked (traced) by a plurality of log entries. Furthermore, in specifying the original file candidate, the original file can be estimated based on the similarity between the information stored in the file as the original file candidate and the information stored in the trace target file.

The figure which shows an example which tracks (traces) the operation with respect to a file. The block diagram explaining the structure of the file tracking system which a file tracking apparatus operate | moves. The figure which shows an example of the external appearance of a file tracking system and a file tracking apparatus. The figure which shows an example of the hardware resource of the file tracking system 1 and a file tracking apparatus. The figure explaining the various periods used with the file tracking system of Embodiment 1. FIG. FIG. 3 is a block diagram of a trace unit and a copy and paste file specifying unit according to the first embodiment. 6 is a flowchart for explaining the operation of the trace unit according to the first embodiment. 5 is a flowchart showing operations of a copy and paste file specifying unit 1106 and an additional trace determining unit 1107 according to the first embodiment. 10 is a flowchart showing the operation of a squeezing period acquisition unit 1116 of the copy and paste file specifying unit 1106 according to the first embodiment. 6 is a flowchart showing an operation of a tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106 according to the first embodiment. The figure explaining the various periods which the file tracking system 1 of Embodiment 1 uses. 9 is a flowchart showing the operation of the trace unit according to the second embodiment. 10 is a flowchart showing operations of a copy and paste file specifying unit 1106 and an additional trace determining unit 1107 according to the second embodiment. 10 is a flowchart showing an operation of a squeezing period acquisition unit of the copy and paste file specifying unit 1106 according to the second embodiment. 10 is a flowchart showing the operation of the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106 according to the second embodiment. The figure which shows the table | surface which showed the combination and score of the paste destination and copy origin extension of Embodiment 4. FIG. The flowchart showing the outline | summary of a process of a trace part, a copy and paste file specific | specification part, and an additional trace judgment part. The figure which shows an example of a log entry.

In the embodiment described below, an operation log is a log entry. Performing copy and paste operations on a file is called copy and paste. Tracking multiple log entries is called tracing. The process of estimating a file created based on a certain file by tracing a plurality of log entries is called traceback. In traceback, the above-mentioned file is called a process target file, a trace target file, or a final trace target file. In particular, in the trace section described below, it is called a process target file or a trace target file, and is copied and pasted. In the file specifying part and the additional trace determining part, it is called a final trace target file. A process of estimating a file generated based on a certain file by tracing a plurality of log entries is called trace forward. In trace forward, a file based on a process is called a process target file, a trace target file, or a final trace target file. In particular, in the trace section described below, a process target file or a trace target file is called and copied. In the and paste file specifying part and the additional trace determining part, it is called a final trace target file. E-mail is simply called mail.
In the first embodiment, in the trace back, information that is separately opened during the period until the trace target file is opened and saved is estimated, the estimated file is set as a copy source candidate, and the information stored in the trace target file An example of a file tracking device that identifies the file as a copy source by examining the similarity between the file and information stored in the candidate file will be described.
In another embodiment, in the trace forward, a file that is separately stored in a period until the trace target file is opened and closed is estimated, the estimated file is set as a copy destination candidate, and the information stored in the trace target file is An example of a file tracking device that identifies the file as a copy destination by examining the similarity with the information stored in the file as a candidate will be described.
First, an operational environment for performing trace back or trace forward will be described.

FIG. 1 is a diagram illustrating an example of tracing (tracing) an operation on a file.
In FIG. 1, a confidential file 91 is stored in the file server 90. The file name of the confidential file 91 is aaa. csv. Employee A sends file name bbb. The csv file is attached to the e-mail and transmitted to another organization other than the organization to which the employee A belongs via the Internet 940 via the mail server 94 (1).
When the operation (1) is performed, the mail log (history information on mail editing operations such as generating and sending mail) is recorded as “attaching / sending file bbb.csv from the mail address of employee A”. .
The administrator of the file server confirms the mail log recorded by the operation (1), and checks the file name bbb. It is grasped that the file as csv is attached to the e-mail and transmitted to another organization (2).
The file server administrator confirms the file downloaded from the file server to the terminal A within a certain period including the date and time when the e-mail grasped in (2) is confirmed by checking the operation log of the file server. (3).
When a file is downloaded from the file server to the terminal A, an operation log of “download aaa.csv from the file server to the terminal A” is recorded in the file server log. In (3), the administrator of the file server confirms the recorded operation log.
Since the file name of the downloaded file is different from the file name of the attached file, the file server administrator checks the file operation log of terminal A, which is the terminal used by employee A, and downloads the downloaded file. It is confirmed whether or not a rename operation for changing the file name is performed (4).
When the rename operation for changing the file name is performed on the downloaded file in the terminal A which is the terminal used by the employee A, the “rename file aaa.csv to the file bbb.csv” is recorded in the operation log of the terminal A. The operation log is recorded.
When these records are traced back from the mail transmission record of (1), the attached file bbb. csv is aaa. It can be seen that csv is derived. A method of investigating the handling of the transmitted file going back in time is called traceback. In FIG. 1, bbb. Let csv be the trace target file. Each operation log 97 is collected in the log analysis server 96 and traced back.

  In addition, there is a trace forward in which a plurality of operation logs are analyzed and investigated as to how a file downloaded from a file server is handled after downloading and finally sent out of the organization. Trace forward analyzes and investigates multiple logs in the reverse procedure of traceback. Specifically, in the trace forward, a file downloaded from a file server is set as a trace target file, and a file generated from the trace target file is estimated by tracing an operation log.

Embodiment 1 FIG.
In the first embodiment, an example of a file tracking apparatus that performs traceback and estimates a file that has been subjected to copy and paste operations from a plurality of log entries will be described.

In this embodiment, a computer used by employees of an organization is called a “terminal”. “Terminal” has a history of file operation information representing file operations for inputting files from the outside of the terminal using the terminal, and file operation information representing file operations performed on files stored in the storage device of the terminal. A storage device storing the operation log file recorded by
The file tracking device operates by a file tracking system that is a file tracking server that is a computer different from the terminal. The file tracking system periodically fetches operation log files from the terminal. As an example of the method, there is a method in which an automatic file transfer program installed in a terminal in advance is realized by periodically transferring an operation log file to a file tracking system. The method of transferring the operation log file to the file tracking system is not limited to this example, and other methods may be used.

The configuration of the file tracking device will be described.
FIG. 2 is a block diagram illustrating the configuration of a file tracking system in which the file tracking device operates.
The file tracking system 1 processes both trace back and trace forward, which is the reverse of the trace. In the present embodiment, the trace back processing will be described.
The configuration of the file tracking system of the present invention will be described with reference to FIG.
The file tracking system 1 includes a trace unit 1104, a trace result determining unit 1105, a copy and paste file specifying unit 1106, an additional trace determining unit 1107, a period input unit 1108, an operation log file capturing unit 1103, an external input log file capturing unit 1101a, An external input file specifying unit 1102a, an external output log file capturing unit 1101b, and an external output file specifying unit 1102b are provided.

The outline of each element provided in the file tracking system will be described below.
External input log file import unit 1101a
The external input log file capturing unit 1101a inputs the external input log file 2101a from the outside of the file tracking system 1. The external input log file capturing unit 1101a extracts and outputs an external input log 2201a representing an operation log stored in the input file according to the format of the log. For example, the file tracking system 1 stores in the storage device the format definition information that defines the file name of the external input log file 2101a and the format of the operation log stored in the file in advance. The external input log file import unit 1101a searches the storage device for a file name that matches the file name of the input external input log file 2101a, and from the external input log file 2101a based on the format definition information corresponding to the searched file name. The external input log 2201a is acquired.
The external input log file 2101a is a log file that stores an operation log in which a file input operation is performed from the outside of the terminal to the terminal. In the present embodiment, the external input log file 2101a is a file server log file that stores an operation log recording that a file has been downloaded from the file server to the terminal. The external input log 2201a is a file server log stored in a file server log file. In the file server log, a plurality of log entries having a download date and time when a file is downloaded from the file server to the terminal, an identifier of the downloaded terminal, an operation command indicating a download operation, a download file name, and the like are recorded.

External output log file import unit 1101b
The external output log file 2101b is input, and the external output log 2201b which is the contents of the log is extracted from the file according to the log format and output.
The external output log file 2101b is a log file that stores an operation log in which a file output from the terminal to the outside of the terminal is recorded. In the present embodiment, the external output log file 2101b is a mail log file. In this case, the external output log 2201b is a log entry (mail log) stored in the mail log file. In the mail log, a plurality of log entries having a transmission date and time, a transmission source mail address, a destination mail address, an operation command indicating an operation transmitted by being attached to the mail, an attached file name, and the like are recorded.

External input file specifying unit 1102a
The external input log 2201a is input, an external input file that is a file input from the outside of the terminal to the terminal is specified according to the external input file specifying condition 2102a, and an external input file name 2202a and a file input date 2203a are output.
When the external input log 2201a is a file server log, the external input file name 2202a is the name of the file downloaded from the file server (download file name), and the file input date 2203a is the date of download (download date).
The external input file specifying condition 2102a specifies a condition for specifying an external input file. As the condition, a condition for specifying the confidential file is designated. In the present embodiment, the condition is “file downloaded from file server”.

External output file specifying unit 1102b
An external output log 2201b is input, an external output file that is a file output from the terminal to the outside of the terminal is specified according to the external output file specifying condition 2102b, and an external output file name 2202b and a file output date 2203b are output.
For example, when the external output log 2201b is a mail log, the external output file name 2202b is an attached file name (attached file name) attached to the mail, and the file output date 2203b is transmitted with the attached file attached to the mail. Date and time (send date).
The external output file specifying condition 2102b specifies a condition for specifying an external output file. As this condition, a condition suspected of information leakage is designated. In this embodiment, the condition is “when the attached file size of the transmitted mail exceeds the threshold”. The reason for specifying this condition is that when information leakage is performed, a group of data may be leaked, so that a condition that an attached file of a certain size or larger is transmitted. The threshold value specified for the condition specifies a numerical value or a file name of a file storing the numerical value.

-Period input unit 1108 (an example of a period input unit)
The period input unit 1108 inputs various periods used in the file tracking system 1 and stores them in the storage device. For example, the processing target period 2108 having the start date and time and the end date and time is input from the input device and stored in the storage device. Alternatively, the file input date / time 2203a output by the external input file specifying unit 1102a is input as the start date / time, and the file output date / time 2203b output by the external output file specifying unit 1102b is input as the end date / time and stored in the storage device.

Operation log file import unit 1103 (an example of an operation log extraction unit)
An operation log file 2103 is input, an operation log 2204 (an example of a log entry) representing a log entry that is operated during the processing target period stored in the storage device by the period input unit 1108 is extracted according to the log format, and the processing target log It memorize | stores in the memory | storage part 1109 (an example of an operation log memory | storage part). For example, the file tracking system 1 stores, in a storage device, format definition information that defines the file name of the operation log file 2103 and the format of the log stored in the file in advance. The operation log file capturing unit 1103 searches the storage device for a file name that matches the file name of the input operation log file 2103, and based on the format definition information corresponding to the searched file name, the operation log file 2103 to the operation log 2204. To get. In this embodiment, data is output in a format of “time stamp, user identifier, terminal identifier, file name, file operation content, application name”.

Processing target log storage unit 1109
The processing target log storage unit 1109 is a file for storing the operation log 2204 acquired by the operation log file capturing unit 1103, and the file is stored in the storage device.

Trace unit 1104 (an example of a tracking unit)
External input file name 2202a, file input date / time 2203a, external output file name 2202b, file output date / time 2203b, operation log 2204, trace start condition 2104, trace condition 2105, trace end condition 2106 are input, last transition date / time 2205a, trace start The date and time 2205b, the trace end date and time 2205c, the final trace target file name 2206, and the traced result are output as the determination result 2207.

The trace start condition 2104 is a designation of the trace mode, and designates whether to perform trace back or trace forward. In the present embodiment, traceback is designated.
The trace condition 2105 is a condition for tracing, and in this embodiment, as the condition for searching the log entry by the copy and paste file specifying unit 1106, the same as the file extension specified by the external output file name 2202b. This is information in which a condition that a log entry in which a file with an extension is recorded is searched is defined. The trace end condition 2106 is a condition for ending the trace. Since the present embodiment is a trace back, information defining a condition that “the result is traced from the file server as a result of tracing the external output file” is defined. It is.

The last transition date and time 2205a is the date and time when the oldest file that was found in the trace process was changed because the present embodiment is trace back. A file transition is a file rename, copy, or move operation. That is, the file transition represents a file operation for generating a new file using the information stored in the original file as it is as new file information. The final trace target file name 2206 is the file name of the file that has changed the oldest during the trace process because the present embodiment is trace back.
The trace start date and time 2205b (an example of the start date and time) is the date and time when the trace is started. The trace end date and time 2205c (an example of the end date and time) is the date and time when the trace ends. The trace start date and time 2205b and the trace end date and time 2205c are the processing target period 2108 stored in the storage device by the period input unit 1108.

Trace result determination unit 1105
The determination result 2207 output from the trace unit 1104 is input, and based on the determination result 2207, a trace result 2107, which is a trace result, is output. Specifically, the trace result 2107 is displayed on a display device included in the file tracking system 1, or the trace result 2107 is printed on a printer device included in the file tracking system 1, or a warning device such as a buzzer or an indicator lamp is used. The trace result 2107 is output.
Since this embodiment is a traceback, if it cannot be determined that the file is derived from the file server as a result of tracing the external output file, is the data of the file derived from the file server copied and pasted into the file to be traced? In order to make a determination, a copy and paste investigation instruction 2208 is output.

Copy and paste file specifying unit 1106 (an example of a squeezing period acquisition unit and a tracking candidate generation unit)
A copy and paste investigation instruction 2208 is input, and an operation log 2204, a last transition date 2205a, a trace start date 2205b, a last trace target file name 2206, a trace start condition 2104, a trace condition 2105, and a trace end condition 2106 are input. Since this embodiment is a traceback, it is investigated whether copy and paste has occurred for a trace target file from a file derived from a file server. The result is output as a specific result 2209 and a trace target candidate file list 2211 (an example of a tracking candidate log) which is a list of candidate files to be additionally traced.

Additional trace determination unit 1107 (an example of an additional tracking log determination unit)
From the identification result 2209 output from the copy and paste file identification unit 1106 and the trace target candidate file list 2211, it is determined whether or not to perform additional trace. The included trace target candidate file name is stored in the additional trace target file list 2210a as the additional trace target file name 2210b. The trace unit 1104 inputs the additional trace target file name 2210b stored in the additional trace target file list 2210a as a new process target file, and traces the new process target file name.

FIG. 3 is a diagram illustrating an example of the appearance of the file tracking system and the file tracking apparatus.
In FIG. 3, a file tracking system 1 and a file tracking device are a system unit 910, a display device 901 having a CRT (Cathode / Ray / Tube) or LCD (liquid crystal) display screen, a keyboard 902 (Key / Board: K / B). ), A mouse 903, an FDD 904 (Flexible / Disk / Drive), a compact disk device 905 (CDD), a printer device 906, a scanner device 907, and the like, which are connected by cables and signal lines.
The system unit 910 is a computer, and is connected to the facsimile machine 932 and the telephone 931 via a cable, and is connected to the Internet 940 via a local area network 942 (LAN) and a gateway 941.

FIG. 4 is a diagram illustrating an example of hardware resources of the file tracking system 1 and the file tracking apparatus.
In FIG. 4, the file tracking system 1 and the file tracking device include a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, a processing unit, a microprocessor, a microcomputer, and a processor) that executes a program. . The CPU 911 is connected to the ROM 913, the RAM 914, the communication board 915, the display device 901, the keyboard 902, the mouse 903, the FDD 904, the CDD 905, the printer device 906, the scanner device 907, and the magnetic disk device 920 via the bus 912, and the hardware. Control the device. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of a storage device or a storage unit.
The communication board 915, the keyboard 902, the scanner device 907, the FDD 904, and the like are examples of an input unit and an input device.
Further, the communication board 915, the display device 901, the printer device 906, and the like are examples of an output unit and an output device.

The communication board 915 is connected to the facsimile machine 932, the telephone 931, the LAN 942, and the like. The communication board 915 is not limited to the LAN 942 and may be connected to the Internet 940, a WAN (wide area network) such as ISDN, or the like. When connected to a WAN such as the Internet 940 or ISDN, the gateway 941 is unnecessary.
The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 stores programs for executing operations described as “˜units” that operate in the file tracking system 1 and the file tracking device. The program is read and executed by the CPU 911.
In the file group 924, in the description of the embodiment described below, “to determination result”, “to calculation result”, “to processing result”, “to tracking result”, “to specific result”, “ Information, data, signal values, variable values, and parameters described as “instructions” are stored as items of “˜file” and “˜database”. The “˜file” and “˜database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, It is used for CPU operations such as calculation, calculation, processing, input, output, printing, display, determination, capture, and retrieval. Information, data, signal values, variable values, and parameters are stored in the main memory and cache memory during the CPU operation of extraction, search, reference, comparison, operation, calculation, processing, output, input, printing, display, extraction, and judgment. Or temporarily stored in the buffer memory.
In addition, the arrows in the flowcharts described in the following description of the embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. The data is recorded on a recording medium such as a magnetic disk of the disk device 920, another optical disk, a mini disk, and a DVD (Digital Versatile Disk). Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “to part” in the description of the embodiment described below may be “to circuit”, “to device”, “to device”, and “means”. It may be “step”, “˜procedure”, “˜processing”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” described below. Alternatively, the procedure or method of “to part” described below is executed by a computer.

The trace back operation of the file tracking system 1 in FIG. 2 will be described.
In this embodiment, an example of tracing back whether a file derived from a file server is transmitted as an attached file by e-mail (external output) in a certain terminal “A” (hereinafter, terminal A) is shown.

The external input log file capturing unit 1101a reads the file server log stored in the file server log file as the external input log file 2101a. The file server log file may be acquired from the file server by an FTP command in a file tracking server equipped with the file tracking system 1, for example.
FIG. 18 shows log entries used by the file tracking system 1 and the file tracking apparatus. FIG. 18 is a diagram illustrating an example of a log entry used by the file tracking system 1 and the file tracking apparatus. In FIG. 18, the log entry 210 includes a time stamp 211, a terminal name 212, a process name 213, an operation command 214, an operation content 215, and an application name 216. The time stamp 211 stores the date and time when the log entry was generated, that is, the date and time when the operation was performed on the file, and has date and time information such as 2010/12/01 09:00:00. The terminal name 212 stores a terminal name that identifies the terminal that has operated the file. For example, the terminal name with the terminal A is stored. The process name 213 stores a process name that identifies a process being executed in the terminal A when an operation is performed on a file. For example, the process name with process A is stored. The operation command 214 stores a command representing an operation performed on the file. For example, when an operation for opening a file is performed, an operation command for opening is stored. The operation content 215 stores information indicating the content of the operation performed on the file. For example, when the file A is downloaded, the operation content that the file A is downloaded is stored. The application name 216 stores an application name that identifies the application that was being executed in the terminal A when an operation was performed on the file. For example, when the operation performed on the file is an operation performed by executing a spreadsheet program, the application name with the spreadsheet program is stored.
The external input log file capturing unit 1101a acquires a file server log file using an FTP command, further reads the file server log from the acquired file server log file, stores an operation command indicating that the operation command represents download, and Then, the file server log in which the terminal name stores the terminal A (condition 1) is extracted.
The file tracking system 1 uses the format definition information indicating what format and what item information is stored in the file server log stored in the external input log file 2101a as the file name of the file server log file. The file tracking system 1 stores the information in the storage device. The external input log file capturing unit 1101a inputs the format definition information stored in the storage device, and acquires information corresponding to each item of the operation command and the terminal name based on the input format definition information. The external input log file capturing unit 1101a extracts a file server log that satisfies the above condition 1, and outputs the file server log as the external input log 2201a to the external input file specifying unit 1102a. In the present embodiment, the external input log file capturing unit 1101a outputs an external input log 2201a having items “download date and time, identifier of downloaded terminal, download file name” from the file server log. The external input log 2201a is an example of the log entry 210 in FIG. 18. The external input log 2201a may have the same items as the log entry 210, or some of the items included in the log entry 210. You may have the item of. Specifically, “download date / time” is an example of the time stamp 211, “identifier of the downloaded terminal” is an example of the terminal name 212, and “download file name” is an example of the operation content 215.

The external input file specifying unit 1102a specifies the external input file name 2202a and the file input date / time 2203a based on the external input file specifying condition 2102a with respect to the external input log 2201a. In the present embodiment, “when terminal A downloads a file from the file server during the external input log search period” is designated as the external input file specifying condition 2102a. When the external input file specifying unit 1102a inputs the external input file specifying condition 2102a, the external input file specifying unit 1102a extracts a log entry corresponding to the record in which the terminal A downloaded the file from the file server, and sets the download date and the download file name to the external input log. Take out from 2201a. The extracted download file name is set in the external input file name 2202a. The extracted download date and time is set in the file input date and time 2203a. A terminal name 212 (“identifier of downloaded terminal”) included in the external input log 2201a indicates the terminal A. The “external input log search period” specified in the external input file specifying condition 2102a refers to a period in which the external input log 2201a is searched retroactively from the “end of doubt period” in the “external output file specifying condition 2102b” described later. It is what you specify. In the present embodiment, the number of days going back to the past is “31 days”. The external input file specifying unit 1102 a inputs “the number of days going back in the past” stored in the storage device of the file tracking system 1. For example, when the last date and time of the doubt period in the external output file specifying condition 2102b is 2010/12/01 17:00: The date and time 31 days after 2010/12/01 17:00: / 31 17:00:00. Thus, the “external input log search period” is a period having 2010/10/31 17:00: 00 as the start date and 2010/12/01 17:00: 00 as the end date.
The external input file specifying unit 1102a has an external input log 2201a having an external input log search period time stamp 211 and an external input 215 indicating an operation content indicating that the terminal A has downloaded a file from the file server. The log 2201a is extracted. It should be noted that the external input log search period is set to a trace target period (“trace target period” is an example of a process target period) described later, that is, a period including the trace target period.

The external output log file capturing unit 1101b captures a mail log stored in the mail log file as the external output log file 2101b.
The file tracking system 1 corresponds to the format definition information indicating what format and what item information is stored in the mail log stored in the external output log file 2101b with the file name of the mail log file. And stored in a storage device included in the file tracking system 1. The external output log file capturing unit 1101b inputs the format definition information stored in the storage device, and corresponds to each item of the operation command and the terminal name from the external output log file 2101b based on the input format definition information. Get information. The acquired mail log is output to the external output file specifying unit 1102b as the external output log 2201b. In this embodiment, the mail log and the external output log 2201b have items of “transmission date and time, transmission source mail address, destination mail address, attached file name, attached file size”. The external output log 2201b is an example of the log entry 210 in FIG. 18, and the external input log 2201a may have the same items as the items included in the log entry 210, or some of the items included in the log entry 210. You may have the item of. Specifically, “transmission date and time” is an example of the time stamp 211, and “source email address, destination email address, attached file name, attached file size” are part of information included in the operation content 215. is there.

The external output file specifying unit 1102b specifies the external output file name 2202b and the file output date 2203b based on the external output file specifying condition 2102b from the external output log 2201b. In the present embodiment, “when the attached file size of the mail transmitted by the user of the terminal A exceeds the threshold during the doubt period” is specified in the external output file specifying condition 2102b. The “threshold” may be a numerical value or a file name of a file storing the numerical value may be designated. When the external output file specifying condition 2102b specified as described above is input, the external output file specifying unit 1102b reads that “the transmission date and time is a suspicion period, and the transmission source email address = the email address of the user of the terminal A, and The mail log satisfying the condition that the attached file size exceeds the threshold is extracted, and the attached file name and the transmission date and time (time stamp) are extracted from the extracted mail log. The external output file specifying unit 1102b sets the extracted attached file name in the external output file name 2202b. The external output file specifying unit 1102b sets a transmission date / time (time stamp) of the extracted attached file by mail in the file output date / time 2203b.
The “question period” is a period in which external transmission of the confidential file from the terminal A is suspected. In the present embodiment, 2010/12/1 09:00:00 to 2010/12/1 17:00 8 hours is assumed as the period of doubt. The doubt period is stored in advance in a storage device included in the file tracking system 1. For example, the doubt period is stored in a storage device included in the file tracking system 1 by the administrator of the mail server or the operator of the file tracking system 1 when the leakage of the file is suspected from the terminal A and the leakage period is estimated. Is done. In addition, for example, an administrator of a mail server may have a confidential file managed as a confidential file by the file server, but the confidential file may be sent as an attachment to an external organization that cannot originally access the confidential file. In order to check whether or not the file tracking system 1 has a period during which the transmitted mail is to be checked periodically as a doubt period, the file tracking system 1 stores the period. The “question period” designated in the external output file specifying condition 2102b designates the file name of the file storing the doubt period stored in the storage device of the file tracking system 1.
The external output file specifying unit 1102b reads from the mail log having the time stamp of the doubt period from 2010/12/1 09:00:00 to 2010/12/1 17:00: The log entry that satisfies the condition of the user's email address and the attached file size exceeds the threshold is extracted, the attached file name is set in the external output file name 2202b, and the transmission date and time is set in the file output date 2203b. ,Output. In this embodiment, it is assumed that a mail log having a time stamp storing 2010/12/1 09:30:30 is found. The file output date 2203b is set to 2010/12/1 09:30:30.

  The operation log file capturing unit 1103 extracts a log entry from the operation log file 2103 of the terminal A according to the file format of the log entry that is defined in advance by the operator and stored in the storage device of the file tracking system 1, and serves as an operation log 2204. Output. In this embodiment, data is output in a format of “time stamp, user identifier, terminal identifier, file name, file operation content, application name”. It is assumed that the log entry stored in the operation log file 2103 has the items shown in FIG. “Time stamp” is the time stamp 211, “Terminal identifier” is the terminal name 212, “File name” is a part of the information stored in the operation content 215, “File operation content” is the operation content 215, and “Application name” is It is assumed that the application name 216 and the “user identification name” are not included in FIG. When retrieving the log entry from the operation log file 2103, the operation log file capturing unit 1103 extracts a log entry indicating that the operation is performed during the processing target period 2108 as the operation log 2204, and processes the extracted operation log 2204. Store in the target log storage unit 1109. The processing target period is input by the period input unit 1108 and stored in the storage device included in the file tracking system 1. Details of the processing target period and period input unit 1108 will be described in the description of the trace unit 1104.

The trace unit 1104 inputs a trace start condition 2104, a trace condition 2105, a trace end condition 2106, and a processing target period 2108 (in FIG. 2, the description of the line connecting the processing target period 2108 and the trace unit 1104 is omitted). ).
In this embodiment, the trace start condition 2104 designates information instructing to move in the trace back mode.
The trace condition 2105 designates information for instructing the copy and paste file specifying unit 1106 to perform an operation of “making a file having the same extension as the external output file name 2202b a tracking candidate”. For example, the external output file name 2202b is abc. In the case of csv, when the above-described information is designated as the trace condition 2105, the copy and paste file specifying unit 1106 has an extension of .csv. It operates so that a file which is csv is a tracking candidate.
In the present embodiment, the trace end condition 2106 is more specifically defined as “the result of tracing the external output file, and the process ends when the file is derived from the file server”. Specify as a condition of “Finish when the file downloaded from is reached”.

  The processing target period 2108 is a period having a start period and an end period input by the period input unit 1108 using the input device. The period input unit 1108 stores a period input by an operator of the file tracking system 1 from an input device such as a mouse or a keyboard as a processing target period in a storage device included in the file tracking system 1. The trace unit 1104 inputs the processing coping period stored in the storage device included in the file tracking system 1 as one of the trace end conditions.

Here, the relationship between the processing target period, the doubt period, and the external input log search period for tracing will be described. FIG. 5 is a diagram for explaining various periods used in the file tracking system.
In FIG. 5, as described above, the doubt period is determined by the mail server administrator or the file tracking system 1 operator when, for example, a file leakage due to mail is suspected from the terminal A and the leakage period is estimated. The file is input by an input device included in the file tracking system 1 and stored in a storage device. The doubt period is a period for the external output file specifying unit 1102b to narrow down the mail log to be extracted. In the above-described example, the doubt period is from 2010/12/01 9:00: 00 to 2010/12/01 17:00: 00.
The external input log search period is a period for the external input file specifying unit 1102a to narrow down the file server log to be extracted. The external input log search period starts from the “date and time of the suspicion period” as the start date and time, and the “date and time of the suspicion period” Is a period with end date and time. For example, when tracking which file is the source file of the attached file sent as an email attachment, the range of log entries to be tracked is the processing target period, and download is the processing target period. We think that it is performed before start date and time. Therefore, the date and time before the start date and time of the processing target period is set as the start date and time of the external input log search period. It is also considered that it is downloaded immediately before sending the attached file. For this reason, the end date / time of the suspicion period in which the e-mail transmission is suspected is set as the end date / time of the external input log search period.
The external input file specifying unit 1102a calculates a date and time that goes back from the last date and time of the doubt period previously stored in the storage device included in the file tracking system 1 to the number of days going back to the past stored in the storage device included in the file tracking system 1 And the start date and time of the external input log search period. The external input file specifying unit 1102a inputs the final date and time of the doubt period stored in advance in the storage device included in the file tracking system 1, and sets it as the end date and time of the external input log search period.
The processing target period is a period for the log unit 1104 to narrow down log entries to be traced (processing target). When inputting the processing target period 2108, the operator of the file tracking system 1 inputs a period included in the external input log search period. In this embodiment, since the attached file attached to the mail, that is, the original file that generated the file with the external output file name 2202b is traced, the end date / time of the processing target period is the date / time when the attached file was transmitted. The file output date 2203b may be used. The period input unit 1108 inputs the file output date / time 2203b from the external output file specifying unit 1102b, and sets the input file output date / time 2203b as the end date / time of the processing target period 2108. When the file output date / time 2203b is set as the end date / time of the processing target period 2108 in preference to the end date / time input from the operator, the operator may have a date / time such as “0000/00/00” as the end date / time. Enter no string. If the file with the external output file name 2202b is a file generated based on the file downloaded from the file server, it can be estimated that the file with the external output file name 2202b was generated after the file input date 2203a. The period input unit 1108 inputs the file input date / time 2203a from the external input file specifying unit 1102a, and sets the input file input date / time 2203a as the start date / time of the processing target period 2108. When the file input date / time 2203a is set as the start date / time of the processing target period 2108 in preference to the start date / time input from the operator, the operator may have a date / time such as “0000/00/00” as the start date / time. Enter no string. The period input unit 1108 inputs a file input date / time 2203a and a file output date / time 2203b when a date / time that is not possible as a date / time is input from the input device. If a plurality of file input dates 2203a are input, the file input date 2203a with the oldest date is set as the start date.
Note that if there are a plurality of mails that have sent attachment files from the terminal A within the pseudo period, the external output file specifying unit 1102b outputs a plurality of external output file names 2202b and file output date / time 2203b. When a plurality of files are output in this way, for example, the file output date / time 2203b in the set of the file external output file name 2202b and the file output date / time 2203b is output to the trace unit 1104 in order from the oldest file output date / time 2203b. . When tracing is completed for one set, the next set with the oldest file output date 2203b is output to the trace unit 1104 for tracing.

  The trace unit 1104 inputs and traces the log entries 210 from the processing target log storage unit 1109 that stores the log entries 210 having the time stamp of the trace target period in the order of the newest time stamps.

  In the trace unit 1104, first, an external output file name 2202b that is an output of the external output file specifying unit 1102b is input, and this is set as a trace target file name (the trace target file name is an example of a process target file name). That is, the attached file attached to the mail is an example of the processing target file). The trace target file name is a target for investigating whether the data of the file identified by the trace target file name originates from a confidential file (whether it is a file generated based on the confidential file). In this embodiment, the file server It is an object to investigate whether it is derived from a file downloaded from the file (a file stored and managed in the file server is a confidential file), that is, whether it is generated based on the downloaded file. Next, the process target period 2108 is input as a trace target period, the start date / time of the process target period 2108 is set as the trace start date / time, and the end date / time of the process target period 2108 is set as the trace end date / time. In this embodiment, file input date / time 2203a = 2010/11/1 09: 30: 30 = trace start date / time, and file output date / time 2203b = 2010/12/1 09: 30: 0 = trace end date / time.

Details of the operation of the trace unit 1104 will be described. In the following description, the determination result is written as lowercase letters yes and no, but in the flowchart, it is written as uppercase letters YES and NO. The same applies to other embodiments. In the following description, in the description of the flowchart diagram, the number of each step is described as a lowercase s, and in the flowchart diagram, the capital letter S is described.
FIG. 6 is a block diagram of the trace unit and the copy and paste file specifying unit.
FIG. 7 is a flowchart for explaining the operation of the trace unit.
As shown in FIG. 6, the trace unit 1104 includes a transfer determination unit 1114 and a transition determination unit 1124. The transfer determination unit 1114 determines whether or not the file with the external output file name 2202b is the file with the external input file name 2202a. That is, it is determined whether or not the file name of the attached file matches the file name of the download file. The transition determination unit 1124 takes over the information stored in the file of the external input file name 2202a to the file of the external output file name 2202b without changing the information stored in the file of the external input file name 2202a. It is determined whether or not it has been generated by a transition operation that generates. Details of the operations of the transfer determination unit 1114 and the transition determination unit 1124 will be described in the description of the flowchart of FIG.

First, the trace target period will be described. The trace target period is a period between the trace start date and time and the trace end date and time. Trace end date and time = 2010/12/1 09:30, and trace start date and time = 2010/11/1 09:30. In other words, the trace target period is the period from the trace start date / time = 2010/11/1 09:30 to the trace end date / time = 2010/12/1 09:30.
Hereinafter, the log in this flowchart indicates a log entry in the trace target period.

Before performing s101, the tracing unit 1104 sets an initial value for the final trace target file name 2206 set in s106 described later. The trace unit 1104 sets the external output file name 2202b as an initial value in the final trace target file name 2206. That is, the trace unit 1104 sets the trace target file name as an initial value in the final trace target file name 2206. In addition, the trace unit 1104 sets an initial value in the last transition date 2205a set in s107 described later. The trace unit 1104 sets the file output date 2203b as an initial value in the last transition date 2205a. That is, the trace unit 1104 sets the date and time when the file with the trace target file name is attached to the mail as the initial value in the last transition date and time 2205a.
In step s101, the trace unit 1104 indicates that the file identified by the trace target file name is “terminated when it reaches the file downloaded from the file server as a result of tracing the external output file” specified in the trace end condition 2106. Find out if it meets your requirements. This condition is a condition that the trace target file name is the file name of the file downloaded from the file server.
The download file name of the download file that the terminal A downloaded from the file server during the external input log search period has already been identified as the external input file name 2202a by the external input file specifying unit 1102a. Compare the download file name that is known and the file name to be traced.
If they match, the trace unit 1104 ends the process at this point. When the trace unit 1104 terminates, the result indicating that the external output file is derived from the file server is output as the determination result 2207. For example, a numerical code or message indicating that the external output file is derived from a file server is output.
The process of s101 is a transfer determination process performed by the trace unit 1104, particularly the transfer determination unit 1114 of the trace unit 1104.

In s101, when the trace target file name does not match the external input file name 2202a, the trace unit 1104 proceeds to s103.
In s103, the trace unit 1104 determines whether there are any log entries to be read from the processing target log storage unit 1109. If not, the trace unit 1104 outputs, as the determination result 2207, a result indicating that the external output file cannot be determined from the file server, and proceeds to s109. If it remains, the trace unit 1104 proceeds to s104.
In s104, the log entries stored in the processing target log storage unit 1109 are read in the reverse direction, that is, in order from the newest time stamp to the oldest. Normally, the entry log is recorded in chronological order from the oldest log entry to the newest log entry. Since this embodiment is a traceback, the log is traced in the reverse direction.
The log entry includes a record relating to a file operation, and includes items such as “time stamp, user identifier, terminal identifier, file name, file operation content, application name”. The log entry 210 shown in FIG. 18 is the format of the log entry stored in the processing target log storage unit 1109. In FIG. 18, there is no user name item corresponding to the user identifier, but it is assumed to be behind the terminal name 212. 18 does not have an item corresponding to the file name, but the file name is included in the operation content 215.

In s105, the trace unit 1104 determines whether or not the log entry represents a transition operation. A transition operation is a file operation that can be renamed, copied, moved, or transferred to a new file without changing the information stored in the original file. To create a simple file. The trace unit 1104 confirms whether the transition operation is recorded in the read log entry.
The transition operation is determined by determining whether the file name after the transition recorded in the operation content of the log entry is a trace target file name. In the rename, copy, and move transition operations, the file name before the transition operation (including the path) and the file name after the transition operation (including the path) are recorded in the operation content 215. When the trace target file name includes only the file name and does not include the path, the trace unit 1104 determines whether the trace target file name is included in the transitioned file name (including the path). Specifically, the trace target file name is aaa. doc, and the file name after the transition is c: \ work \ aaa. If it is doc, the traced file name is included in the file name after the transition. That is, the file name in the portion excluding the path name of the file name after the transition matches the trace target file name. In this case, the trace unit 1104 determines that the file name after the transition matches the trace target file name. As another example, the file name to be traced is aab. doc, and the file name after the transition is c: \ work \ aaa. If it is doc, the file name after the transition does not include the trace target file name. That is, the file name in the part other than the path name of the file name after the transition does not match the trace target file name. In this case, the trace unit 1104 determines that the file name after the transition does not match the trace target file name.
When the trace target file name includes the path of the file, the trace unit 11104 determines a match with the file name (including the path) after the transition on the log entry including the path. Specifically, the trace target file name is c: \ work \ aaa. doc, and the file name after the transition is c: \ work \ aaa. If it is doc, the file name after the transition matches the file name to be raced. In this case, the trace unit 1104 determines that the file name after the transition matches the trace target file name. As another example, the trace target file name is c: \ test \ aaa. doc, and the file name after the transition is c: \ work \ aaa. If it is doc, the post-transition file name including the path name does not match the race target file name including the path name. In this case, the trace unit 1104 determines that the file name after the transition does not match the trace target file name.
If the tracing unit 1104 determines that they match, the processing proceeds to s106. If it is determined that they do not match, the process returns to s103.

An example of the operation command of the log entry representing the transition operation and the operation content 215 is as follows.
Rename operation command: Rename File operation content: Rename Before rename = “c: ¥ work ¥ test1.doc” After rename = “c: ¥ work ¥ test2.doc”
Before renaming is before the transition and after renaming is after the transition.
Copy operation command: Copy File operation content: Copy Copy source = “c: \ work \ test1.doc” Copy destination = “c: \ work \ test2.doc”
The copy source is before the transition, and after the copy is after the transition.
・ Move operation command: Move File operation content: Move Before move = “c: ¥ work ¥ test1.doc” After move = “c: ¥ work2 ¥ test1.doc”
Before the movement is before the transition, and after the movement is after the transition.
The operation command representing the above transition operation is stored in the operation command 214, and the file name after the transition is stored in the operation contents of the log entry as the trace target file name, and the above file name determination matches. If the determination is made, the trace unit 1104 determines yes in the determination of s105.
In the case of yes, the trace unit 1104 proceeds to s106. If no, return to s103.

In s106, the trace target file is reset according to the transition operation, and the final trace target file name 2206 is set.
-When the operation command is renamed The current trace target file name is the file name after renaming, so the file name including the path before renaming is reset to the trace target file name, and the file including the path before renaming. The name is set to the final trace target file name 2206.
-When the operation command is copy The current trace target file name is the copy destination file name, so reset the file name including the copy source path to the trace target file name, and include the copy source path. The name is set to the final trace target file name 2206.
-When the operation command is move Since the current trace target file name is the file name after the move, reset the file name including the path before the move to the trace target file name, and include the path before the move The name is set to the final trace target file name 2206.

  When processing s106 for the first time, the trace target file name may be only the file name and there may be no file path. This is because, in the case of a mail log, the path of the file on the terminal A is not recorded even if the attached file name is known. Since the log entry related to the transition operation includes the file path, the file path can be acquired for the file before the transition. Therefore, in the second and subsequent processing of s106, the trace target file name is a file name including a path.

  Next, in s107, the trace unit 1104 sets the date and time when the transition operation occurred (log entry time stamp) as the final transition date and time 2205a. Specifically, the trace unit 1104 sets the time stamp 211 of the log entry determined as yes in s105 as the last transition date 2205a.

In s108, the trace unit 1104 terminates when the file identified by the current trace target file name reaches the file downloaded from the file server as a result of tracing the external output file specified in the trace end condition 2106. To see if it meets the conditions. The method is the same as s101.
If the trace unit 1104 determines in s108 that the file identified by the current trace target file name is a file downloaded from the file server (yes), the process ends. In this case, the trace unit 1104 outputs, as the determination result 2207, a result indicating that the external output file is derived from the file server. In s108, when the trace unit 1104 cannot determine that the file identified by the trace target file name is a file downloaded from the file server (no), the process returns to s103.
The processing of the trace unit 1104 is up to here. Steps s103 to s108 are transition determination processing performed by the trace unit 1104, in particular, the transition determination unit 1124 of the trace unit 1104.

When the trace unit 1104 outputs, as the determination result 2207, a result indicating that the external output file cannot be determined from the file server, the trace result determination unit 1105 inputs the determination result 2207, and performs copy and paste. A copy and paste investigation instruction 2208 is output to the file specifying unit 1106. The result indicating that it was not possible to determine whether the external output file originated from the file server, that is, it was not possible to determine whether the attached file sent by e-mail was a file downloaded from the file server. This indicates that there is a candidate file that can be estimated that the file is generated as a copy source file.
When the trace unit 1104 outputs a result indicating that the external output file is derived from the file server as the determination result 2207, the trace result determination unit 1105 inputs the determination result 2207, and the trace result 2107 is “external A message indicating that the output file was derived from the file server is output. This result is expressed by information that can be seen by humans, such as displaying it as a message on the display of the display device.

s109 is a process for further tracking the log entry when the external output file cannot be found from the file server only by the transition determination process of FIG. The process of s109 is processed by the copy and paste file specifying unit 1106. In s109, a copy and paste operation that does not appear in the file operation log is determined, and it cannot be determined that the attached file transmitted by mail is a file downloaded from the file server. This is a process of tracking whether or not a file estimated as an original file has been generated by a copy and paste (copy and paste) operation, and a log entry.
Upon receiving the copy and paste investigation instruction 2208, the copy and paste file specifying unit 1106 performs the processes shown in the flowcharts of FIGS. The copy and paste file specifying unit 1106 includes a squeezing period acquisition unit 1116 and a tracking candidate generation unit 1126 as shown in FIG. The squeezing period acquisition unit 1116 obtains a period for squeezing the log entry in order to track the estimated original file. The tracking candidate generation unit 1126 determines the original file that generated the file of the final trace target file name 2206b during the subtraction period obtained by the subtraction period acquisition unit 1116.
FIG. 8 is a flowchart showing the operations of the copy and paste file specifying unit 1106 and the additional trace determining unit 1107. FIG. 9 is a flowchart showing the operation of the squeezing period acquisition unit 1116 of the copy and paste file specifying unit 1106.

When the copy and paste file specifying unit 1106 inputs the copy and paste investigation instruction 2208 from the trace result determining unit 1105, the copy and paste file specifying unit 1106 inputs the operation log 2204 from the processing target log storage unit 1109, the last transition date 2205a, the trace start date 2205b, the trace The end date and time 2205 c and the final trace target file name 2206 are input from the trace unit 1104. Since the trace start date and time 2205b and the trace end date and time 2205c are processing target periods, the processing target period 2108 stored in the storage device may be input.
The final trace target file name 2206 is an example of a process target file name input by the squeezing period acquisition unit 1116. The last transition date and time 2205a is an example of the processing date and time input by the squeezing-in period acquisition unit 1116.

In FIG. 8, first, the copy and paste file specifying unit 1106 specifies the open / save date and time for the file (final trace target file) identified by the final trace target file name 2206 (s201). Specifically, it follows the flowchart of FIG.
In FIG. 9, the copy and paste file specifying unit 1106 sets a variable called the trace target file open date to NULL. Also, a variable called the trace target file save date is set to NULL. (S301).

Next, in s304, the copy and paste file specifying unit 1106 determines whether or not there is a log entry to be read from the processing target log storage unit 1109. If the log entry remains (no), the process returns to s303. If it does not remain (yes), the process is terminated.
In s303, the copy and paste file specifying unit 1106 inputs one log entry from the processing target log storage unit 1109 in the reverse direction (from the newest time stamp to the oldest one). At this time, the log entry 210 whose time stamp of the log entry 210 is from the trace start date 2205b to the last transition date 2205a is input.

  Next, in s305, the copy and paste file specifying unit 1106 records the operation for storing the file in the operation command 214 of the input log entry, and the file identified by the final trace target file name 2206 in the operation content 215. Determine if there is a saved record. When it is determined that there is (yes), the process proceeds to s306. If no, return to s304.

In s306, the copy and paste file specifying unit 1106 sets the time stamp 211 of the log entry 210 determined to be yes in s305 as the trace target file save date (an example of the save date).
In s308, the copy and paste file specifying unit 1106 determines whether or not there are any log entries to be read from the processing target log storage unit 1109. If the log entries remain (no), the process proceeds to s307. If it does not remain (yes), the process is terminated.
Next, in s307, the copy and paste file specifying unit 1106 inputs one log in the reverse direction.

  Next, in s309, the copy and paste file specifying unit 1106 records the operation command for opening the file in the operation command of the input log entry, and the file identified by the final trace target file name 2206 is stored in the operation content 215. Judge whether it is recorded that it was opened. If it is recorded (yes), the process proceeds to s310. If not recorded (no), the process returns to s308.

In s310, the copy and paste file specifying unit 1106 sets the time stamp 211 of the log entry 210 determined as yes in s309 as the trace target file open date (an example of the open date).
The process of s201 (s301 to s310) described above is performed by the copy and paste file specifying unit 1106. In particular, this is a squeezing period acquisition process performed by the squeezing period acquisition unit 1116 of the copy and paste file specifying unit 1106.

  Thus, by following the flowchart of FIG. 9, the date of opening or saving of the file identified by the final trace target file name can be known in the period from the trace start date to the last transition date. If neither has occurred, neither the trace target file open date nor the trace target file save date is set, but the initial value, that is, NULL.

Returning to FIG. Next, in s202, the copy and paste file specifying unit 1106 specifies a trace target candidate file name (an example of a tracking candidate log). The trace target candidate file name is the file name of the file that is estimated to be the copy source after copying the information stored in the file and pasting the copied information to the file identified by the final trace target file name 2206 It is.
The process of s202 will be described with reference to FIG. FIG. 10 is a flowchart showing the operation of the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106.

  First, in s401, the copy and paste file specifying unit 1106 determines whether the trace target file open date = NULL or the trace target file save date = NULL. This is a confirmation whether the file identified by the final trace target file name has been opened and saved during the period from the trace start date to the last transition date. In the case of yes, the copy and paste file specifying unit 1106 ends the process. In the case of no, the copy and paste file specifying unit 1106 proceeds to s402.

  In s402, the copy and paste file specifying unit 1106 sequentially inputs from the processing target log storage unit 1109 the log entries 210 of the squeezing period from the trace target file open date to the trace target file save date. Specifically, the copy and paste file specifying unit 1106 sequentially inputs log entries in which the time stamp 211 of the log entry 210 is a narrowing period.

Next, in s403, the copy and paste file specifying unit 1106 determines that the log entry 210 input in s402 satisfies the following conditions, and traces the log entry 210 determined to match as a tracking candidate log. The target candidate file list 2211 (an example of a file stored in a storage device included in the file tracking system 1) is stored.
A file name having the same extension as the last trace target file name 2206 is recorded in the operation content 215 (by referring to the trace condition 2105).
-The operation command 214 records the operation that opens (opens) or closes the file (closes). Copy / paste file identification by determining whether the above conditions are met While the file identified by the final trace target file name 2206 is opened and saved, the unit 1106 determines whether there is another file of the same type that has been opened separately, and can determine if there is a file. The log entry is added to the trace target candidate file list 2211 as a tracking candidate log. A file name included in the operation content 215 included in the tracking candidate log and the file name of the file determined to match is set as a trace target candidate file name (an example of a similar file name).
If the same type of file was opened while the file identified by the final trace target file name 2206 was opened and saved, copy and paste occurred from that other file to the final trace target file name 2206 Because there is a possibility, they are treated as candidate files to be traced. In addition, since there is a possibility that a plurality of files exist, a list is created (filed).
8 is performed by the copy and paste file specifying unit 1106. In particular, this is a tracking candidate generation process performed by the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106.

Returning to FIG.
In s203, the copy and paste file specifying unit 1106 checks whether the trace target candidate file list 2211 is empty. If it is empty (yes), the copy and paste file specifying unit 1106 ends the process. In this case, the copy and paste file specifying unit 1106 outputs “a result indicating that the copy source file is not specified” as the specifying result 2209.
The additional trace determination unit 1107 (an example of an additional tracking log determination unit) inputs the identification result 2209, and if the identification result 2209 indicates “result indicating that the copy source file is not specified”, the process ends and does not represent. In the case, the process proceeds to s204.

  In s204, the additional trace determination unit 1107 (an example of the additional tracking log determination unit) inputs the tracking candidate log in order from the top of the trace target candidate file list 2211.

In step s205, the additional trace determination unit 1107 determines whether the file identified by the trace target candidate file name is valid as a trace target.
There are the following determination methods.
The similarity between the “file identified by the trace target candidate file name” and the “file identified by the final trace target file name 2206” is examined. If they are similar, it is judged appropriate. As a method for determining similarity, a known file similarity comparison technique may be used.
For example,
Search whether the file identified by the trace target candidate file name contains a term indicating a preset confidential file. If it is included, it is judged appropriate. The term indicating the confidential file is a term included in the file of the file server.
-Input the tracking candidate information, which is the content of the "file identified by the trace target candidate file name", from the file identified by the trace target candidate file name, and the content of the "file identified by the final trace target file name 2206" Is input from the file identified by the final trace target file name 2206. A similarity indicating how much the generation source information matches the tracking candidate information is calculated, and the calculated similarity is compared with a threshold (similarity threshold) stored in the storage device of the file tracking system 1 in advance. Is determined to be appropriate when it is determined that is greater than the threshold. Specifically, if the source information is seven character strings “ABCDEFG” and the tracking candidate information is 15 character strings “XYZABCDEFFG12345”, the tracking candidate information includes all the source information. Since 7 characters out of the 15 character strings of the tracking candidate information match the generation source information, the similarity is calculated to be about 47% from 7/15 × 100. If the threshold value is 40%, the additional trace determination unit 1107 determines that it is appropriate. If the threshold value is 60%, the additional trace determination unit 1107 determines that it is not valid.

  If the additional trace determining unit 1107 determines in s206 that the file identified by the trace target candidate file name is appropriate as the trace target, the process proceeds to s207. If it is determined to be invalid, the process proceeds to s208.

  In s207, the additional trace determination unit 1107 adds the log entry 210 including the trace target candidate file name determined to be valid to the additional trace target file list 2210a (an example of the additional tracking log storage unit) as an additional tracking log. The file name included in the operation content of the additional tracking log and the trace target candidate file name determined to be valid is set as the additional trace target file name 2210b.

In s208, the additional trace determination unit 1107 determines whether processing has been performed for all the tracking candidate logs stored in the trace target candidate file list 2211. If it is determined that all the tracking candidate logs have been processed, the additional trace determination unit 1107 ends the process.
When the process ends, if the additional trace target file list is empty, a result indicating that the copy source file is not specified is output as the trace result 2107. If not empty, a result indicating that the copy source file is specified is output as the trace result 2107.
If the additional trace determination unit 1107 determines that all the tracking candidate logs have not been processed, the process returns to s204.

In this way, a file that may be a copy-and-paste copy source for the file identified by the final trace target file name 2206 is identified from the trace target candidate file list 2211, and the additional trace target file is identified. Add to list 2210a. The additional trace target file list 2210a is a list of file names to be additionally traced, and is a target for examining whether the file of the file server is derived.
8 is a process of the copy and paste file specifying unit 1106, and a part of s 203, s 204 to s 208 is an additional tracking log determination process of the additional trace determination unit 1107.
The additional trace determination unit 1107 outputs a trace result 2107 (whether or not the copy source file is specified) and an additional trace target file list 2210a.

When the copy source file is specified, that is, when one or more additional trace logs are stored in the additional trace target file list 2210a, the trace unit 1104 sequentially inputs the additional trace logs from the additional trace target file list 2210a. Then, the additional trace target file name 2210b included in the operation content of the additional trace log is acquired, and the trace processing of the tracking process of FIG. 8 is performed using the additional trace target file name 2210b as the new trace target file name.
When the copy source file is not specified, that is, when the additional trace log is not stored in the additional trace target file list 2210a, the trace unit 1104 does not perform processing.

The order of each process of the file tracking system 1 described with reference to FIGS. 7 to 10 will be described.
FIG. 17 is a flowchart showing an outline of processing of the trace unit, the copy and paste file specifying unit, and the additional trace determination unit.
In FIG. 17, the file tracking system 1 performs a transfer determination process by the transfer determination unit 1114 in S1. The transfer determination process is s101 in FIG.
In S <b> 2, the transition determination unit 1124 performs transition determination processing. The transition determination process is from s103 to s108 in FIG.
In S3, the trace result determination unit 1105 performs a trace result determination process.
In S4, the trace result determination unit 1105 performs a result output process. In the result output process, when it is confirmed that the file is derived from the file of the file server, or when it is confirmed that the file is not derived from the file of the file server, the confirmed result is output.
In S <b> 5, the narrowing period acquisition unit 1116 performs a narrowing period acquisition process. The squeezing period acquisition process is s201 in FIG.
In S6, the tracking candidate generation unit 1126 performs tracking candidate generation processing. The tracking candidate generation process is s202 in FIG.
In step S7, the additional trace determination unit 1107 performs an additional tracking log determination process. The additional tracking log determination process is a part of s203 in FIG. 8 and processes from s204 to s208. In the additional tracking log determination process, if there is an additional tracking log, the process is repeated from S1. If there is no additional tracking log, the process ends.

  When the file tracking system 1 confirms that the file finally identified by one or more trace target file names originates from the file server file, the external output file originates from the file server file. Judge that there is.

When the traceback of the additional trace target file name 2210b is returned to the trace unit 1104 as it is, the trace target period is investigated from the beginning. Since the investigation between the trace start date and time and the trace target file save date and time is sufficient, the following processing may be performed.
When adding the trace target candidate file name to the additional trace target file list in s207, the trace target file save date and time is also added to the list as reference information of the trace target candidate file name.
When the file identified by the additional trace target file name 2210b is traced back, the trace unit 1104 treats the trace target file storage date / time as the trace end date / time, and sets the period from the trace start date / time to the trace target file storage date / time as the trace target period. It may be traced back.

  In this embodiment, the file server log file is taken as an example of the external input log file, but another log file may be used. Further, although the mail log file is taken as an example of the external output log file, other log files may be used.

  According to the present embodiment, in the analysis of only the operation log (log entry), the traceback based on the file transition operation is performed, and even if the file originated from the file server cannot be confirmed, the last trace target file ( During the period when the last trace target file) is opened and saved, another file of the same type that has been opened separately is specified as the copy source, set as a new trace target file, and further trace backed. As a result, there is an effect that trace back corresponding to copy and paste of the contents of a file that could not be traced with the operation log alone can be realized. Furthermore, in specifying the copy source candidate file, the copy source candidate can be determined by searching for similarities between the copy source candidate file and the trace target file and keywords representing confidentiality.

In the present embodiment, a file tracking device that tracks an operation on a file including copy and paste of data between files from a plurality of logs such as a file operation log with respect to a file that is to be investigated whether it has been leaked as confidential information An example was described. In the traceback performed by the file tracking device, the file that was opened separately until the trace target file is opened and saved is used as the copy source candidate, and the file is copied by examining the similarity between the trace target file and the file. Identify original.
Further, in the present embodiment, a file tracking device that performs trace back of a file using a plurality of logs such as a file operation log and traces whether a certain file is derived from confidential information,
・ From the file operation log, select the file that was opened separately as the copy source candidate file during the period from when the trace target file is opened and saved ・ Included in the confidential file in the selected copy source candidate file If it is included, the copy source candidate file is used as a new trace target file. • The similarity between the selected copy source candidate file and the trace target file is checked and they are similar. Thus, an example of a file tracking device that performs processing for setting a copy source candidate file as a new trace target file has been described.

Embodiment 2. FIG.
In the present embodiment, execution of trace forward of a file operation log corresponding to copy and paste by the file tracking system 1 as an example of the file tracking apparatus of the present invention will be described.
As in the first embodiment, the external input log file is a file server log file, and the external output log file is a mail log file.

The configuration of the file tracking system 1 will be described.
Although the system configuration is the same as in FIGS. 2 and 6, the input / output contents for some components are different, so the difference will be described.
Trace part 1104
The determination result 2207 outputs the result of determining whether the external input file has been output to the outside of the terminal.
The trace start condition 2104 is designated to move in the trace forward mode in this embodiment.
The trace end condition 2106 is a condition for ending the trace, and designates a condition “end when mail is transmitted as an attached file as a result of tracing the external input file”.

Trace result determination unit 1105
If the external input file is traced and it is determined that the e-mail is not sent as an attached file, the data of the external input file or the file in which the external input file has changed is copied, and the copied data is pasted to another file. In order to determine whether there is any, a copy and paste investigation instruction 2208 is output.

The operation will be described.
The trace forward operation of the file tracking system 1 of FIGS. 2 and 6 will be described. In this embodiment, after downloading a file from the file server, an operation will be described in which tracing is performed to check whether this file has been mailed as an attached file.

  The external input log file capturing unit 1101a captures a file server log file as the external input log file 2101a. A log is extracted from the external input log file 2101a according to the specified format of the log file, and is output to the external input file specifying unit 1102a as the external input log 2201a. In the present embodiment, a log is output in a format having items of “download date / time (an example of a time stamp), identifier of a downloaded terminal (an example of a terminal name), and download file name (an example of operation content)”.

The external input file specifying unit 1102a specifies the external input file name 2202a and the file input date / time 2203a based on the external input file specifying condition 2102a with respect to the external input log 2201a. In the present embodiment, “when terminal A downloads a file from the file server during a specified period” is set in external input file specifying condition 2102a. In the present embodiment, the designated period is 8 hours from “2010/11/01 09:00:00 to 2010/11/01 17:00:00”. The external input file specifying unit 1102a extracts a log entry corresponding to the record in which the terminal A downloaded the file from the file server during the specified period, and extracts the download date and the download file name. Specifically, the external input log 2201a in which the download date and time included in the external input log 2201a is included in the specified period and the identifier of the downloaded terminal indicates the terminal A is extracted. Download date / time and download file name are acquired from the extracted external input log 2201a. In the present embodiment, it is assumed that terminal A downloads a file from the file server at 2010/11/01 09:30. The external input file specifying unit 1102a sets the downloaded file name in the external input file name 2202a, and the download date and time 2010/11/01 09:30 at the file input date and time 2203a.
The specified period is stored in advance in the storage device by the operator of the file tracking system 1 as the time to start the trace forward, and the external input file specifying unit 1102a inputs the specified period from the storage device. When the terminal A downloads the file from the file server a plurality of times within the designated period, the external input file specifying unit 1102a outputs a plurality of external input file names 2202a and file input date / time 2203a. When a plurality of outputs are output in this way, for example, the oldest file input date / time 2203a in the set of the external input file name 2202a and the file input date / time 2203a is output to the trace unit 1104 in order from the oldest, and the tracing is performed. When tracing is completed for one group, the group having the oldest file input date and time 2203a is output to the trace unit 1104 for tracing.

  The external output log file capturing unit 1101b captures a mail log file as the external output log file 2101b. The log is extracted from the external output log file 2101b according to the specified format of the log file, and is output to the external output file specifying unit 1102b as the external output log 2201b. In the present embodiment, “transmission date and time (an example of a time stamp), transmission source email address (an example of operation content), destination email address (an example of operation content), attached file name (an example of operation content), and attached file size (Example of operation content) A log is output in a format having an item “.

The external output file specifying unit 1102b specifies the external output file name 2202b and the file output date 2203b based on the external output file specifying condition 2102b for the external output log 2201b. A log corresponding to the transmission of an attached file from the user A's mail address is specified in the external output file specifying condition 2102b by specifying "when the user of the terminal A sends an attached file by mail during the external output log search period" The entry is extracted, and the attached file name and transmission date / time (time stamp) are extracted. Specifically, an external output log 2201b in which the transmission date and time of the external output log 2201b is included in the external output log search period and the transmission source mail address indicates the terminal A is extracted. The external output file specifying unit 1102b acquires the attached file name included in the extracted external output log 2201b, and sets the acquired attached file name in the external output file name 2202b. The external output file specifying unit 1102b acquires the transmission date and time of the extracted external output log 2201b, and sets the acquired transmission date and time (time stamp) in the file output date and time 2203b. If there are a plurality of external output logs 2201b, the most recent transmission date / time is set as the file output date / time 2203b. The external output log search period specifies a period for searching the external output log 2201b from the “first date and time of the specified period in the external input file specifying condition 2102a” to the future. In the present embodiment, it is assumed that the period toward the future is “31 days” and is stored in the storage device by the operator of the file tracking system 1 in advance. The first date and time of the specified period in the external input file specifying condition 2102a is set to be earlier than the download date and time 2010/11/01 09:30 at which the terminal A downloaded the confidential file from the file server. Here, assuming 2010/01/01 09:00:00, it will be calculated as 2010/12/02 09:00:00 after 31 days from 2010/11/01 09:00:00. The external output log search period is a period from 2010/11/01 09:00:00 to 2010/12/02 09:00:00. The external output file specifying unit 1102b reads the attached file from the mail address of the user of the terminal A from the recording of the external output log 2201b from 2010/11/01 09:00:00 to 2010/12/02 09:00:00. Extract sent log entries. Specifically, the transmission date and time of the external output log 2201b from the external output log 2201b is included in the period from 2010/01/01 09:00:00 to 2010/12/02 09:00:00, and The external output log 2201b whose sender mail address represents the user of the terminal A is taken out. Here, it is assumed that the external output log 2201b whose transmission date and time is 2010/12/01 09:30 is extracted.
As the external output log search period, a trace trace target period described later (“trace target period” is an example of a process target period) or more, that is, a period including the trace target period is set.

  The operation log file capturing unit 1103 (an example of the operation log input unit) extracts the operation log stored in the operation log file 2103 of the terminal A as the log entry 210 according to the format of the information stored in the operation log file 2103, and logs the log entry. When it is determined that the time stamp 210 includes in the processing target period 2108 stored in the storage device by the period input unit 1108, the determined log entry 210 is stored in the processing target log storage unit 1109 (an example of the processing target storage unit). Remember. In this embodiment, “time stamp (an example of time stamp 211), user identifier, terminal identifier (an example of terminal name 212), file name, file operation content (an example of operation content 215), and application name (application name 216). Example)) is output in the format "". A log entry 210 in FIG. 18 is an example of a log entry stored in the processing target log storage unit 1109. The log entry 210 in FIG. 18 does not have a file name or user identifier, but the file name and user identification name are included in the operation content 215.

The trace unit 1104 inputs a trace start condition 2104, a trace condition 2105, and a trace end condition 2106.
In this embodiment, the trace start condition 2104 designates information instructing to move in the trace forward mode.
The trace condition 2105 specifies information instructing to perform an operation of “trace a file having the same extension as the external input file name 2202a” used when the copy and paste file specifying unit 1106 operates. For example, the copy and paste file specifying unit 1106 determines that the external input file name 2202a is abc. If it is csv, the extension is. A csv file is set as a tracking candidate.
In the present embodiment, the trace end condition 2106 designates “end when the trace target file is sent as an attached mail by mail”.
The trace unit 1104 inputs the processing target period 2108 stored in the storage device by the period input unit 1108. The period input unit 1108 performs the same operation as in the first embodiment. The file input date 2203a is set to 2010/11/01 09:30. 2010/12/01 09:30:30 is set in the file output date 2203b. Therefore, the period input unit 1108 stores in the storage device the processing target period whose start date and time is 2010/11/01 09:30, and whose end date and time is 2010/12/01 09:30.
FIG. 11 illustrates various periods used by the file tracking system 1. During the designated period, the administrator of the file server or the operator of the file tracking system 1 stores in advance in the storage device of the file tracking system 1 using an input device. The designated period is a period during which it is estimated that the confidential file has been downloaded from the file server. Alternatively, in an environment where the downloaded confidential file is attached to an e-mail and periodically checked to see if it has been sent to a terminal that is not permitted to use the confidential file, the administrator or operator can specify an arbitrary period. Specify as.
The external output log search period is the number of days obtained by adding the number of days toward the future stored in advance in the storage device from the date and time before the start date and time of the specified period. The external output log search period is a period for tracking a file attached to an email and transmitted. The reason for starting the period is the date and time before the start date and time of the specified period because the confidential file becomes the original file of the attached file after the date and time when the confidential file was downloaded, and the period including the download date and time. is there.
In the processing target period (trace target period), the start date and time is the date and time when the confidential file is downloaded from the file server, and the end date and time is the date and time when the mail with the attached file is transmitted. As described in the first embodiment, the operator can specify any date and time for the start date and time and the end date and time. When specifying an arbitrary date and time, a period in which the processing target period is included in the external output log search period is specified.

The trace unit 1104 first inputs the external input file name 2202a output from the external input file specifying unit 1102a, and sets this as a trace target file name (an example of a process target file name). The trace target file name is a file name for identifying a file downloaded from the file server, and is a target for tracking whether the file is attached to a mail after being downloaded. In the present embodiment, it is an object to be tracked as to whether an email has been sent as an attached file.
Next, the process target period 2108 stored in the storage device by the period input unit 1108 is input as the trace target period. In this embodiment. The trace target period is start date / time = 2010/11/01 09:30, end date / time = 2010/12/01 09:30.

Details of the operation of the trace unit 1104 will be described.
FIG. 12 is a flowchart showing the operation of the trace unit.
The operation of the trace unit 1104 will be described with reference to the flowchart of FIG.

Before performing s101 ′, the tracing unit 1104 sets an initial value for the final trace target file name 2206 set in s106 ′ described later. The trace unit 1104 sets the external input file name 2202a as an initial value in the final trace target file name 2206. That is, the trace unit 1104 sets the trace target file name as an initial value in the final trace target file name 2206. In addition, the trace unit 1104 sets an initial value in the last transition date 2205a set in s107 ′ described later. The trace unit 1104 sets the file input date 2203a as an initial value in the last transition date 2205a. That is, the trace unit 1104 sets the date and time when the file with the trace target file name was downloaded as the initial value in the last transition date and time 2205a.
First, in s101 ′, it is checked whether or not the file identified by the trace target file name meets the condition “end when the trace target file is sent as an attached mail by mail” specified in the trace end condition 2106. Whether or not the trace target file has been sent as an attached mail is checked as follows.
The external output file specifying unit 1102b has already extracted the log entry corresponding to the transmission of the attached file from the mail address of the user of the terminal A, and the attached file name is the external output file name 2202b. (Time stamp) is set in the file output date 2203 b and is output to the trace unit 1104.

Therefore, it is only necessary to confirm whether the trace target file name matches the external output file name 2202b. If they match, it is determined that the trace target file has been mailed. At this time, the condition is that the file output date 2203b, which is the transmission date / time corresponding to the external output file name 2202b, is later than the trace start date / time.
If the external output file name 2202b includes only the file name without including the file path, the file name portion in the trace target file name (including the path) is checked for coincidence. The file name match determination is the same as in the first embodiment.

  If they match (yes in s101 '), the trace unit 1104 ends the process at this point. At this time, the trace unit 1104 outputs, as the determination result 2207, a result that the external input file has been mailed.

Next, processing when the trace target file name does not match the external output file name 2202b (no in s101 ′) will be described.
In s103 ′, the trace unit 1104 determines whether there are any log entries to be read from the processing target log storage unit 1109 remaining. When it is determined that there is no remaining (yes), the process proceeds to s109 ′. If it is determined that it remains (no), the process proceeds to s104 ′.
In s104 ′, the trace unit 1104 inputs a log entry 210 having a time stamp included in the trace target period stored in the process target log storage unit 1109.
The log entries are input in the forward direction, that is, sequentially from the oldest time stamp to the newest time stamp.
The log entry has a record relating to file operation and has the following format.
“Time stamp (an example of time stamp 211), user identifier, terminal identifier (an example of terminal name 212), file name (an example of operation content 215), file operation content (an example of operation content 215), application name (application name) 216 example) ”

In s105 ′, the trace unit 1104 determines whether there is a transition operation. The transition operation has the same definition as in the first embodiment.
The trace unit 1104 checks whether the file name before transition of the input log entry 210 is the name of the trace target file. In renaming, copying, and moving, the operation name 215 records the file name before the transition operation (including the path) and the file name after the transition operation (including the path). When the trace target file name is only the file name and does not include the path, the trace unit 1104 determines whether the name of the portion excluding the path in the file name before the transition (including the path) matches the trace target file name. To do. When the trace target file name includes the file path, the trace unit 1104 determines whether the file name (including the path) before the transition matches the trace target file name (including the path).
If there is a transition operation and the file name before transition on the log entry is the name of the file to be traced, the trace unit 1104 determines yes.
In the case of yes, the trace unit 1104 proceeds to s106 ′. If no, the trace unit 1104 returns to s103 ′.

In s106 ′, the trace unit 1104 resets the trace target file in accordance with the transition operation, and further sets the final trace target file name 2206.
When the operation command is renamed The current trace target file name is the file name before renaming, so the file name including the path after renaming is reset to the trace target file name, and the file including the path after renaming The name is set to the final trace target file name 2206.
-If the operation command is copy: Since the current trace target file name is the copy source file name, reset the file name including the copy destination path to the trace target file name, and include the copy destination path. The name is set to the final trace target file name 2206.
-When the operation command is move The current trace target file name is the file name before the move, so reset the file name including the path after the move to the trace target file name, and include the path after the move The name is set to the final trace target file name 2206.
When processing s106 ′ for the first time, the file name to be traced may be only the file name and there may be no file path. This is because, in the case of a file server log, although the download file name is known, the path of the file on the terminal A is not recorded. Since the log entry related to the transition operation includes the file path, the file path can be acquired for the files before and after the transition. Therefore, in the second and subsequent processing of s106 ′, the file name to be traced is a file name including a path.

  Next, in s107 ', the trace unit 1104 sets the date and time when the transition operation occurred (time stamp 211 of the log entry 210) as the final transition date and time 2205a.

Next, in s108 ′, the trace unit 1104 determines whether or not the file identified by the current trace target file name satisfies the condition “end when the trace target file is mailed as an attached file”. The method is the same as that shown in s101 ′.
If the file identified by the current trace target file name has been mailed (yes), the trace unit 1104 ends the process. At this time, in the determination result 2207, the external input file outputs a result indicating that the mail has been transmitted. When it is not possible to determine that it has been transmitted (no), the trace unit 1104 returns to s103 ′.
The processing of the trace unit 1104 is up to here.
s101 ′ is a process of the trace unit 1104, and in particular, a transfer determination process of the transfer determination unit 1114 included in the trace unit 1104.
s103 ′ to s108 ′ are processes of the trace unit 1104, and in particular, a transition determination process of the transition determination unit 1124 included in the trace unit 1104.

When proceeding to yes in s103 ′, the trace unit 1104 outputs, as the determination result 2207, a result indicating that the external input file has not been transmitted by mail.
When the trace unit 1104 outputs a result indicating that the external input file has not been sent by mail as the determination result 2207, the trace result determination unit 1105 inputs the determination result 2207, and the copy and paste file specifying unit 1106 In response to this, a copy and paste investigation instruction 2208 is output.
In addition, when the trace unit 1104 outputs a result indicating that the external input file has been sent by mail as the determination result 2207, the trace result determination unit 1105 inputs this determination result 2207, and the “external input” The result is that the file has been mailed. This result is expressed by information that can be seen by humans, for example, as a message on a display such as a display device.

s109 ′ is a process in the case where it is not possible to find out that the external input file has been mailed within the trace target period only by checking the file transition operation in FIG. The process of s109 ′ is processed by the copy and paste file specifying unit 1106. In s109 ′, copy and paste that does not appear in the operation log is investigated, and a copy destination file is specified.
Upon receiving the copy and paste investigation instruction 2208, the copy and paste file specifying unit 1106 performs the processing in the flowchart of FIG.
FIG. 13 is a flowchart showing the operations of the copy and paste file specifying unit 1106 and the additional trace determining unit 1107.
In FIG. 13, the copy and paste file specifying unit 1106 receives the final transition date 2205a, the trace start date 2205b, the trace end date 2205c, and the final trace target file name 2206 from the trace unit 1104. Since the trace start date 2205b and the trace end date 2205c are the processing target period 2108, the copy and paste file specifying unit 1106 may input the processing target period 2108 stored in the storage device.
The final trace target file name 2206 is an example of a process target file name input by the squeezing period acquisition unit 1116. The last transition date and time 2205a is an example of a processing target period input by the squeezing period acquisition unit 1116.

First, in s201 ′, the copy and paste file specifying unit 1106 specifies the open / close date and time for the file (final trace target file) identified by the final trace target file name. Specifically, for example, the flowchart of FIG. 14 is followed. FIG. 14 is a flowchart showing the operation of the squeezing period acquisition unit 1116 of the copy and paste file specifying unit 1106.
In s301 ′ of FIG. 14, the copy and paste file specifying unit 1106 sets a variable called the trace target file open date to NULL. Also, a variable called trace target file close date / time is set to NULL.

  Next, in s303 ', the copy and paste file specifying unit 1106 determines whether there is a log entry to be read from the processing target log storage unit 1109, and if it remains (no), the process proceeds to s304'. If it does not remain (yes), the process is terminated.

  Next, in s304 ′, the copy and paste file specifying unit 1106 starts from the log entry 210 stored in the processing target log storage unit 1109 in the period from the last transition date and time 2205a to the trace end date and time 2205c. The included log entry 210 is read in the forward direction (reading from the old log entry to the new log entry).

  Next, in s305 ′, the copy and paste file specifying unit 1106 records the operation for opening the file by the operation command 214 of the log entry 210, and the file identified by the final trace target file name 2206 in the operation content 215. Determine if there is a record opened. If the copy and paste file specifying unit 1106 determines that it exists (yes), the process proceeds to s306 '. If no, return to s303 '.

In s306 ′, the copy and paste file specifying unit 1106 sets the time stamp of the log entry indicating that the file identified by the final trace target file name is opened as the trace target file open date (an example of the open date). To do.
In s307 ′, the copy and paste file specifying unit 1106 determines whether there is any log entry to be read from the processing target log storage unit 1109, and if it remains (no), the process proceeds to s308 ′. If it does not remain (yes), the process is terminated.
Next, in s307 ′, the copy and paste file specifying unit 1106 reads one log. Here, read in the forward direction (read from the old entry to the new entry).

  Next, in s309 ′, the copy and paste file specifying unit 1106 records the operation command for closing the file in the operation command of the log entry 210, and the file identified by the final trace target file name 2206 in the operation content 215 It is determined whether or not it is recorded that has been closed. If recorded (yes), the process proceeds to s310 '. If no, return to s307 '.

In s310 ′, the copy and paste file specifying unit 1106 sets the time stamp of the log entry to the trace target file close date (an example of the close date).
FIG. 14 shows the processing of the copy and paste file specifying unit 1106, and in particular, the narrowing period acquisition processing of the narrowing period acquisition unit 1116 of the copy and paste file specifying unit 1106.

  By following the flowchart of FIG. 14 in this way, the date of opening or closing of the file identified by the final trace target file name 2206 can be known in the period from the last transition date 2205a to the trace end date 2205c. When neither of them occurs, neither the trace target file open date nor the trace target file close date is set and NULL is set.

Returning to FIG. Next, the copy and paste file specifying unit 1106 specifies the trace target candidate file name (s202 ′). The trace target candidate file name is the file name of the file that is considered to be the paste destination after copying the content of the file identified by the final trace target file name 2206 and pasting the copied content.
The process of s202 ′ will be described with reference to FIG. FIG. 15 is a flowchart showing the operation of the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106.

  First, in s401 ', the copy and paste file specifying unit 1106 determines whether the trace target file open date = NULL and the trace target file close date = NULL. This is confirmation of whether the file identified by the final trace target file name 2206 has been opened or closed during the period from the last transition date 2205a to the trace end date 2205c. In the case of yes, the copy and paste file specifying unit 1106 processing ends the processing. In the case of no, the copy and paste file specifying unit 1106 proceeds to s402 '.

  In s <b> 402 ′, the copy and paste file specifying unit 1106 sequentially inputs the log entries 210 of the squeezing period from the trace target file open date to the trace target file close date from the processing target log storage unit 1109. Specifically, the copy and paste file specifying unit 1106 sequentially inputs log entries in which the time stamp 211 of the log entry 210 is a narrowing period.

Next, in s403 ′, the copy and paste file specifying unit 1106 determines whether the input log entry 210 matches the following conditions, and uses the log entry 210 determined to match as a tracking candidate log as a trace target candidate file. The data is stored in a list 2211 (an example of a file stored in a storage device included in the file tracking system 1).
The extension is the same as the final trace target file name 2206 (by referring to the trace condition 2105).
The operation to save the file in the operation command is stored. By determining that the above condition is met, the copy and paste file specifying unit 1106 opens the file identified by the final trace target file name 2206. Check whether there is another file of the same type that has been saved separately, and if there is a file, trace target candidates that list the corresponding file names as trace target candidate file names (similar file names) It is added to the file list 2211. If the same type of file is saved while the file identified by the final trace target file name 2206 is opened and closed, copy and paste from the file identified by the final trace target file name 2206 to the other file Since these may have occurred, treat them as candidate files to be traced. In addition, since there is a possibility that a plurality of files exist, a list is created (filed).
The copy and paste file specifying unit 1106 performs s202 ′ in FIG. In particular, this is a tracking candidate generation process performed by the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106.

Returning to FIG.
In s203 ′, the copy and paste file specifying unit 1106 checks whether the trace target candidate file list 2211 is empty. If it is empty (yes), the copy and paste file specifying unit 1106 ends the process. In this case, the copy and paste file specifying unit 1106 outputs “a result indicating that the copy destination file is not specified” as the specifying result 2209.
The additional trace determination unit 1107 inputs the identification result 2209, and when the identification result 2209 represents "result indicating that the copy destination file is not specified" (yes), the process is terminated. If no, the additional trace determination unit 1107 proceeds to s204 ′.

  In s204 ′, the additional trace determination unit 1107 (an example of an additional tracking log determination unit) inputs the tracking candidate log in order from the top of the trace target candidate file list 2211 and is included in the operation content 215 of the input tracking candidate log. Get the trace target candidate file name.

Next, in s205 ′, the additional trace determination unit 1107 determines whether the file identified by the trace target candidate file name is appropriate as the trace target.
There are the following determination methods.
The generation source information that is the content of the “file identified by the final trace target file name 2206” is input from the file identified by the final trace target file name 2206, and the “file identified by the trace target candidate file name” Input the tracking information, which is the contents, from the file identified by the trace target candidate file name, calculate the similarity indicating how much the tracking candidate information and the source information match, and calculate the similarity and the file tracking system in advance When the threshold value (similarity threshold value) stored in one storage device is compared and it is determined that the similarity is greater than the threshold value, it is determined to be appropriate. A specific example is the same as in the first embodiment. The similarity determination method may use a known file similarity comparison technique.
Search whether the file identified by the trace target candidate file name contains a term indicating a preset confidential file. If it is included, it is judged appropriate. The term indicating the confidential file is a term included in the file of the file server.
The tracking candidate information that is the content of the “file identified by the trace target candidate file name” is input from the file that is identified by the trace target candidate file name, and the content of the “file that is identified by the external input file name 2202a” A certain generation source information is input from a file identified by the external input file name 2202a, a similarity indicating how much the tracking candidate information matches the generation source information is calculated, and the calculated similarity and the file tracking system 1 in advance are calculated. Are compared with the threshold values stored in the storage device, and if it is determined that the similarity is greater than the threshold value, it is determined to be valid. A specific example is the same as in the first embodiment. The similarity determination method may use a known file similarity comparison technique.

  If it is determined in s206 'that the file identified by the trace target candidate file name is valid as a trace target, the additional trace determination unit 1107 proceeds to s207'. If it is determined to be invalid, the process proceeds to s204 '.

  In s207 ', the additional trace determination unit 1107 adds the log entry 210 including the trace target candidate file name determined to be valid to the additional trace target file list 2210a (an example of an additional tracking log storage unit) as an additional tracking log. The file name included in the operation content of the additional tracking log and the trace target candidate file name determined to be valid is set as the additional trace target file name 2210b.

In s208 ′, the additional trace determining unit 1107 determines whether or not processing has been performed for all the tracking candidate logs stored in the trace target candidate file list 2211. If it is determined that all the tracking candidate logs have been processed, the additional trace determination unit 1107 ends the process.
When the process ends, if the additional trace target file list is empty, a result indicating that the copy destination file is not specified is output as the trace result 2107. If not empty, a result indicating that the copy destination file is specified is output as the trace result 2107.
If the additional trace determination unit 1107 determines that all the tracking candidate logs have not been processed, the process returns to s204 ′.

In this way, from the trace target candidate file list 2211, the file that may be the copy and paste destination for the file identified by the final trace target file name 2206 is identified, and the additional trace target file is identified. Add to list 2210a. The additional trace target file list 2210a is a list of trace target file names to be additionally traced, and is a target for checking whether an e-mail has been transmitted.
In FIG. 13, s203 ′ is a process of the copy and paste file specifying unit 1106 and the additional trace determination unit 1107, and s204 ′ to s208 ′ are an additional tracking log determination process of the additional trace determination unit 1107.
The additional trace determination unit 1107 outputs a trace result 2107 (whether or not the copy source file is specified) and an additional trace target file list 2210a.

When the copy source file is specified, that is, when one or more additional trace logs are stored in the additional trace target file list 2210a, the trace unit 1104 in FIG. 2 adds the additional trace log from the additional trace target file list 2210a. Are sequentially input, the additional trace target file name 2210b included in the operation content of the additional tracking log is acquired, and the trace processing of the tracking process in FIG. Do.
When the copy destination file is not specified, that is, when the additional trace log is not stored in the additional trace target file list 2210a, the trace unit 1104 does not perform processing.

  The file tracking system 1 determines that the file downloaded from the file server has been mailed when it can be confirmed that the file finally identified by one or more trace target file names has been mailed. .

When the trace forward of the additional trace target file name 2210b is returned to the trace unit 1104 as it is, the trace target period is investigated from the beginning. Since the investigation between the trace target file open date and time or the trace target file close date and time and the trace end date and time is sufficient, the following processing may be performed.
When adding the trace target candidate file name to the additional trace target file list 2210a in s207 ′, the trace target file open date / time or the trace target file close date / time is also added to the list as reference information of the trace target candidate file name.
When tracing the file identified by the additional trace target file name 2210b, the trace unit 1104 treats the trace target file open date / time or the trace target file close date / time as the trace start date / time, and trace target file open date / time or trace target file close date / time. The trace end date and time may be trace forwarded as the trace target period.

  In this embodiment, the file server log file is taken as an example of the external input log file, but another log file may be used. Further, although the mail log file is taken as an example of the external output log file, other log files may be used.

In the present embodiment, for a file to be investigated as to whether it has been leaked as confidential information, an operation for the file including copy and paste of data between files is traced from a plurality of logs such as a file operation log. In trace forward, specify a file that was saved separately during the period between opening and closing the trace target file as the copy destination candidate, and identifying the file as the copy destination by examining the similarity between the trace target file and the file To do.
Further, in the present embodiment, a file tracking device that traces how a file derived from confidential information is traced using a plurality of logs such as a terminal operation log, and includes the following: A file tracking device that operates is described.
-From the file operation log, select the file that was saved separately as the paste destination candidate file until the trace target file is opened and closed.
-Check whether the selected paste destination candidate file is similar to the file derived from confidential information, and if it is similar, the paste destination candidate file is set as a new trace target file.
The similarity between the selected paste destination candidate file and the trace target file is checked, and if they are similar, the paste destination candidate file is set as a new trace target file.
The selected paste destination candidate file is checked to see if the keyword included in the confidential file is included. If it is included, the paste destination candidate file is set as a new trace target file.

  According to the present embodiment, in the analysis of only the file operation log, the trace forward based on the file transition operation is performed, and the last trace target file is opened / closed even when the external transmission of the file cannot be confirmed. During the period, another file of the same type that has been opened separately is specified as the copy destination, set as a new trace target file, and further trace forward is performed. As a result, there is an effect that trace forward corresponding to copy and paste of the contents of a file that could not be traced using only the file operation log can be realized. Furthermore, in specifying the copy destination candidate file, the copy destination candidate can be determined by searching for similarities between the copy destination candidate file and the trace target file and keywords representing confidentiality.

Embodiment 3 FIG.
In this embodiment, as a method for determining that the paste to the file identified by the final trace target file name in Embodiment 1 has occurred, the file when the file identified by the trace target file name is opened It is determined that the paste has occurred when the file size at the time of saving greatly increases with respect to the size from the opening to the saving.

  As the operation of the copy and paste file specifying unit 1106, in trace back, the date and time when the file identified by the last trace target file name was opened and saved in the period from the trace start date to the last transition date and time in s201 of FIG. The date and time are extracted. In the present embodiment, the squeezing period acquisition unit 1116 acquires the file size when the file size is recorded in the log entry 210 when acquiring the date and time when the file was opened. This is the file size at opening (an example of an open size). Further, the squeezing period acquisition unit 1116 acquires the file size when the file date is stored and the file size is recorded in the log entry. This is the file size at the time of saving (an example of the saving size).

Let Δt be the time difference between the trace target file save date and time and the trace target file open date and time. Let Δs be the size difference between the saved file size and the opened file size.
Using the Δt and Δs, the copy and paste file specifying unit 1106 determines that the paste has occurred when the ratio of Δs to Δt is greater than or equal to a certain value. For example, if the file identified by the final trace target file name is a csv file, Δt is 30 seconds, and Δs is 1 MB, the data is typed with the keyboard to increase the csv file by 1 MB in 30 seconds. It can be determined that data has been copied from another file and pasted into the file. A reference value (ratio threshold) of the ratio between Δs and Δt for determining that the paste has occurred is determined in advance and stored in the storage device. The tracking candidate generation unit 1126 inputs the reference value from the storage device, and the reference It is determined whether Δs / Δt exceeds the value. The tracking candidate generation unit 1126 may determine that paste has occurred when it is determined that Δs / Δt exceeds the reference value. For example, when the reference value is stored in advance as 10 Kbytes / second, the tracking candidate generation unit 1126 determines that paste has occurred when Δs / Δt exceeds 10 Kbytes / second. This process is added to the condition of s403 in the first embodiment. As a result, when it is determined that Δs / Δt does not exceed the reference value and no paste is generated, the trace target candidate file list 2211 is always empty. Alternatively, as another example, before s402 in FIG. 10, processing is performed to determine whether Δs / Δt exceeds the reference value, and when it is determined that Δs / Δt has exceeded the reference value, the process proceeds to s402. If it is not determined that Δs / Δt exceeds the reference value, the process may be terminated.

  In the second embodiment as well, the increase in files per hour is similarly used for paste determination. The tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106 in the trace forward adds the following processing to s403 'that is processing. In s403 ', the tracking candidate generation unit 1126 specifies another file that has been saved during the period from when the file identified by the final trace target file name is opened to when it is closed. The determination of another file is performed by determining whether or not an operation command representing a save operation is recorded in the operation command 214. In the log entry, the file size at the save date and time of the specified file (file size at save time) (an example of the save size) is acquired, and the file is opened most recently by going back to the save date and time. The date and time are checked, and the file size of the file at that time (open file size ') (an example of the open size) is acquired. The tracking candidate generation unit 1126 sets the difference between the file size when saved and the file size when opened as Δs, and the time difference between the saved and opened as Δt ', in the same way as when tracing back. , Δs ′ / Δt ′ reference value (ratio threshold) is stored in the storage device, the reference value is input from the storage device, and a process of determining whether Δs / Δt exceeds the reference value is performed. Check for an increase in file size in a short period of time. If it is determined that Δs / Δt has exceeded the reference value, it is determined that it has increased in a short period of time, it is determined that pasting has occurred, and the file name of the file is added to the trace target candidate file list 2211. Otherwise, the file name is not added to the trace target candidate file list 2211.

  The reference value of Δs / Δt at the time of trace back and the reference value of Δs ′ / Δt ′ at the time of trace forward may be designated by the trace condition 2105.

According to the present embodiment, during the traceback file open-save period at the time of traceback, the increase rate of the file size with respect to that period is examined, and if it is found that the file has increased in a short time, the file by paste Since it is determined that the size has increased, and it is determined that no paste has occurred when there is no increase in a short period of time, it is possible to exclude the trace target file that is considered to have no paste from the trace target. This has the effect of not requiring tracing.
Furthermore, in the same way, when tracing forward, the increase in the file size in the short term of another file that has been saved during the period from the opening to the closing of the trace target file is confirmed, and the occurrence of the paste is judged. Since it is possible to exclude a trace target file that is considered not to have occurred from the trace target, there is an effect that it is not necessary to perform extra tracing.

  In this embodiment, an example of a file tracking apparatus has been described in which a paste destination file is determined as a paste destination file when the paste destination candidate files have increased in a short time.

Embodiment 4 FIG.
In the first and second embodiments, as the trace condition 2105, the copy and paste file specifying unit 1106 traces a file having the same extension as the final trace target file. However, copy and paste does not always occur only between files of the same type. In the present embodiment, an example of a file tracking system 1 in which combinations of extensions that can cause copy and paste are defined in advance and unnecessary tracing is not performed by giving a score will be described.

  In the first and second embodiments, the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106 uses the file name condition to be added to the trace target candidate file list 2211 in s403 at the time of trace back or s403 ′ at the time of trace forward. The condition is that the final trace target file name and the extension are the same, but in the present embodiment, this condition is changed as follows.

FIG. 16 is a table showing combinations of paste destinations and copy source extensions and scores. For example, if the paste destination is. In the case of doc, the copy source is. In txt, a score (an example of extension score) is defined as 2. The paste destination is. In the case of doc, the copy source is. In doc, the score is defined as 3. The paste destination is. In the case of doc, the copy source is. In csv, the score is defined as 1. This score is processed as follows. The table may be embedded in the copy and paste file specifying unit 1106 or may be given by the trace condition 2105.
In the case of trace back, a condition is specified in which the score of the combination of extensions is 2 or more (point threshold) in the trace condition 2105. In s403, which is the process of the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106, the tracking candidate generation unit 1126 has the extension of the file name of the final trace target file as. In the case of doc, as a condition to be added to the trace target candidate file list 2211, a trace condition 2105 called a file having an extension with a score of 2 or more is referred to. Since the file identified by the final trace target file name is the paste destination, the extension of the paste destination in FIG. Referring to the line of doc, the extension of the copy source having a score of 2 or more is. doc and. txt. The tracking candidate generation unit 1126 has an extension of a file that has been opened, closed, or both, between the time the file identified by the final trace target file name is opened and saved. doc and. The file name of the txt file is added to the trace target candidate file list 2211. In the trace condition 2105, the threshold value of the combination of extensions may be other than 2.

  In the case of trace forward, for example, a condition is specified in which a combination of extensions of 3 or more (point threshold) is processed in the trace condition 2105. In s 403 ′, which is the process of the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106, the tracking candidate generation unit 1126 has an extension of the file name of the final trace target. In the case of doc, as a condition to be added to the trace target candidate file list 2211, a trace condition 2105 having a score of 3 or more is referred to. Since the file identified by the final trace target file name is the copy source, the extension of the copy source in FIG. Referring to the column of doc, the extension of the paste destination having a score of 3 or more is. doc. The tracking candidate generation unit 1126 has the extension of the file being saved between the time when the file identified by the final trace target file name is opened and the time when the file is saved being. The file name of the doc file is added to the trace target candidate file list 2211. In the trace condition 2105, the extension threshold score may be other than 3.

  According to the present embodiment, it is possible to trace a combination of extensions that are equal to or greater than a specified score threshold by setting in advance a score between extensions of files that may cause copy and paste. Therefore, it is not necessary to trace all combinations of extensions, and there is an effect that the tracing process is made efficient.

  In this embodiment, an example of a file tracking device that gives a score in advance to a combination of extensions of files to be traced and traces only a file having an extension exceeding a certain score has been described.

Embodiment 5 FIG.
In the traceback according to the first embodiment, in s402 and s403, the tracking candidate generation unit 1126 performs separate opening or closing or both during the period in which the file identified by the final trace target file name is opened to saved. Although the file name of the file has been added to the trace target candidate file list 2211, in this embodiment, the file that has been separately opened or closed during the period and the file that has been saved is traced. It is not added to the target candidate file list 2211. If the file is opened as a copy source, it is based on the expectation that editing and saving are rare. Whether or not the file is saved is searched for a log entry in the squeezing period in which the file identified by the final trace target file name is opened to saved, and whether or not the file is saved is confirmed.

  In the trace forward of the second embodiment, in s402 ′, the tracking candidate generation unit 1126 cuts out a log between the trace target file open date and time and the trace target file close date and time. However, in the present embodiment, If the file identified by the final trace target file name is saved during the opening to closing, the cut log is discarded, and in s403 ′, the trace target candidate file list 2211 is emptied and the process ends. This is based on the expectation that if a file identified by the final trace target file name is opened as a copy source, it is rarely edited and saved. The presence / absence of the storage is searched using the operation command 214 of the log entry 210 during the squeezing period in which the opening to closing is performed. It is determined whether an operation command indicating a save operation is stored in the operation command 214 and that the file identified by the final trace target file name is stored in the operation content 215.

  According to the present embodiment, when a file is referred to as a copy source of copy and paste, the file considered to be the copy source in both traceback and trace forward based on the expectation that editing and saving are rare. In the case of saving, by excluding it from the copy source candidates, there is an effect of eliminating waste of tracing a file that may not be the copy source.

  In this embodiment, if a copy source candidate file is stored, it is excluded from the copy source candidates. An example of a file tracking device that performs an operation of excluding a paste-destination candidate file from the candidate file when the file to be traced is stored in the specification of the paste-destination candidate file has been described.

Embodiment 6 FIG.
In the traceback according to the first embodiment, in s403, a file that is separately opened or closed or both during the squeezing period in which the file identified by the final trace target file name is opened to saved is the trace target candidate file list. In addition to 2211, in this embodiment, in s403, the tracking candidate generation unit 1126 is a file that is separately opened, closed, or both during the narrowing period, and is deleted immediately after the period. The entry is added to the trace target candidate file list 2211. This is because, when the contents of a file are copied and pasted maliciously, it is conceivable to hide the evidence by deleting the copy source file.
Among the log entries in the squeezing period, for log entries that are separately opened, closed, or both, the log entry immediately after the squeezing period is searched to check whether the deletion of the file is recorded. Immediately after is, for example, within 10 minutes. What is necessary is just to give with the trace condition 2105 about the period immediately after. The tracking candidate generation unit 1126 refers to the trace condition 2105.

  If the file name of the deleted file is included in the trace target candidate file list 2211 generated by the tracking candidate generation unit 1126, the additional trace determination unit 1107 cannot access the deleted file. I can't enter it. Therefore, when the file identified by the trace target candidate file name is deleted and cannot be accessed in s205, the additional trace determination unit 1107 does not perform the process of comparing the similarity described in the first embodiment. , S207, and the log entry 210 having the operation content 215 including the trace target candidate file name is added to the additional trace target file list 2210a.

In the trace forward of the second embodiment, in s403 ′, the file name of the separately stored file is stored in the trace target candidate file list 2211 during the squeezing period in which the file identified by the final trace target file name is opened to closed. Add. In this embodiment, in s403 ′, the tracking candidate generation unit 1126 saves the file identified by the final trace target file name immediately after the narrowing period as an additional condition. The added file is added to the trace target candidate file list 2211. The delete operation is determined to have been performed when an operation command representing the delete operation is stored in the operation command 214. This is because, when the contents of a file are copied and pasted maliciously, it is conceivable to hide the evidence by deleting the copy source file.
In the log entry of the squeezing period, the log immediately after the squeezing period is searched to confirm whether deletion of the file identified by the final trace target file name is recorded. Immediately after is, for example, within 10 minutes. What is necessary is just to give with the trace condition 2105 about the period immediately after. The tracking candidate generation unit 1126 refers to the trace condition 2105.

  If the file name of the deleted file is included in the trace target candidate file list 2211 generated by the tracking candidate generation unit 1126, the additional trace determination unit 1107 cannot access the deleted file. I can't enter it. Therefore, when the file identified by the trace target candidate file name is deleted and cannot be accessed in s205 ′, the additional trace determination unit 1107 does not perform the process of comparing the similarity described in the first embodiment. Then, the process proceeds to s207 ′, and the log entry 210 having the operation content 215 including the trace target candidate file name is added to the additional trace target file list 2210a.

According to the present embodiment, when a file is copied and pasted maliciously, in consideration of the possibility of deleting the copy source file and concealing evidence after copy and paste, as a condition to be added to the trace target candidate file list 2211, In the case of traceback, the file identified by the last trace target file name is a file that has been opened or closed separately during the period when it was opened and saved, or both that have been deleted immediately after that period. It was decided to add to the candidate file list 2211. In the case of trace forward, when the file identified by the last trace target file name has been deleted immediately after the period from opening to closing, the file name of another file saved during that period is traced. The target candidate file list 2211 is added.
As a result, the file names to be added to the trace target candidate file list 2211 can be narrowed down, and there is an effect that unnecessary tracing is not required.

  In this embodiment, when a copy source candidate file is deleted immediately after closing, it is determined as a copy source file. An example of a file tracking device that performs an operation of confirming a file as a paste-destination file when the trace target file for the paste-destination candidate file has been deleted immediately after closing has been described.

Embodiment 7 FIG.
When information leakage is taken into consideration, it is considered that the damage at the time of leakage increases as more data is included in the file sent (leaked) outside the organization. When copying and pasting data between files, if the copy source file is large, a large amount of data may be copied. Also, if the paste destination file is large, a large amount of data may have been pasted. In this embodiment, attention is focused on the file size of a file that is a copy source and paste destination candidate, and the trace target candidates are narrowed down.

  In the traceback according to the first embodiment, in s403 indicating the operation of the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106, the tracking candidate generation unit 1126 opens and saves the file identified by the final trace target file name. During the squeezing-in period, a file that is separately opened, closed, or both is added to the trace target candidate file list 2211. In the present embodiment, open, close, or both are separately performed during the squeeze-in period, and files having a certain file size or more are added to the trace target candidate file list 2211. This is based on the possibility that data can be copied if the file to be copied is a certain size (size threshold) or more. For example, 500 Kbytes or more is designated as the file size above a certain level. This file size condition may be specified by the trace condition 2105. The tracking candidate generation unit 1126 acquires the file size from the operation content 215. Further, the tracking candidate generation unit 1126 determines whether an operation command representing an operation for opening a file is stored in the operation command 214. The tracking candidate generation unit 1126 refers to the trace condition 2105.

  In the trace forward of the second embodiment, in s403 ′ indicating the operation of the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106, the tracking candidate generation unit 1126 opens or closes the file identified by the final trace target file name. A separately stored file is added to the trace target candidate file list 2211 during the squeezing period. In the present embodiment, a file that is separately stored and has a file size (size threshold) of a certain size or more is added to the trace target candidate file list 2211 during the narrowing period. This is based on the fact that data may be pasted if the file to be pasted is a certain size or larger. For example, 500 Kbytes or more is designated as the file size above a certain level. This file size condition may be specified by the trace condition 2105. The tracking candidate generation unit 1126 acquires the file size from the operation content 215. Further, the tracking candidate generation unit 1126 determines whether an operation command representing an operation for opening a file is stored in the operation command 214. The tracking candidate generation unit 1126 refers to the trace condition 2105.

  According to this embodiment, when copying and pasting data between files, it is assumed that a certain amount of data is copied and pasted, and in traceback, the file size of the copy source candidate is set to a certain size or more. In addition, in trace forward, by limiting the paste destination candidate file size to a certain size or more, the target file names to be traced can be narrowed down, so there is no need to perform extra tracing. .

  In this embodiment, when the copy source candidate file has a predetermined size or larger, it is determined as the copy source file. An example of a file tracking device that performs an operation of determining a paste-destination candidate file as a paste-destination file when the paste-destination candidate file has a certain size or more has been described.

Embodiment 8 FIG.
When performing copy and paste, even if the copy source file is opened, the contents are copied, and immediately closed, the copied contents are stored in a copy data storage area called a clipboard. After closing, it can be pasted into the destination file.

When the file name of the file that is opened or closed separately during the squeezing period in which the file identified by the final trace target file name is opened to saved as in the first embodiment is used as the trace target candidate file name The candidate file name to be traced is not found when the operation of “copy data in copy source file → close immediately → open paste destination file afterwards → paste → save” is performed. In the present embodiment, in the traceback of the first embodiment, s402 indicating the operation of the tracking candidate generation unit 1126 of the copy and paste file specifying unit 1106 is changed as follows.
s402: A log is cut back by n minutes from the trace target file save date and time.

  In this way, the start of the log to be extracted is not set as the trace target file open date and time, but is set as the date and time that is traced back by n minutes from the trace target file save date and time, so that the tracking candidate generation unit 1126 Cut out including the time log. Therefore, a file opened / copied / closed before the trace target file open date / time is also added to the trace target candidate file list 2211 in s403. However, n minutes is set so that the date and time traced back by n minutes from the trace target file save date and time is before the trace target file open date and time.

Depending on the designation of n minutes that is the time that goes back from the trace target file save date and time, a file that was opened, copied, or closed before the trace target file open date and time may not be extracted in s403. For example, consider a case where “open file A → copy data → close” and “open the file identified by the final trace target file name → paste → save after 10 minutes” two minutes later. When n = 10 minutes, the period from the opening to the closing of file A is not included in the log extracted in s402 even if it goes back 10 minutes from the trace target file save date and time.
However, since it is expected that it will rarely be left for a long time without copying and pasting, for example,
n minutes = "Trace target file save date-Trace target file open date" + △
In this case, Δ = 30 minutes may be set. In this way, a log 30 minutes before the trace target file open date is also cut out.

  According to the present embodiment, the file name of the file that has been separately opened and / or closed in the log that goes back a certain time from the trace target file save date and time is set as the trace target candidate file name. After “Open → Data Copy → Close”, it is possible to specify the file name as the trace target candidate file name even in the case of “Open → Paste → Save” as the file identified by the final trace target file name. There is an effect.

  1 file tracking system, 90 file server, 91 confidential file, 94 mail server, 96 log analysis server, 97 operation log, 210 log entry, 211 time stamp, 212 terminal name, 213 process name, 214 operation command, 215 operation content, 216 Application name, 901 display device, 902 keyboard, 903 mouse, 904 FDD, 905 CDD, 906 printer device, 907 scanner device, 910 system unit, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 920 magnetic Disk device, 921 OS, 922 window system, 923 program group, 924 file group, 931 telephone, 932 facsimile machine, 940 Internet, 41 Gateway, 942 LAN, 1101a External input log file capturing unit, 1101b External output log file capturing unit, 1102a External input file specifying unit, 1102b External output file specifying unit, 1103 Operation log file capturing unit, 1104 Trace unit, 1105 Trace result Determination unit, 1106 copy and paste file specifying unit, 1107 additional trace determination unit, 1108 period input unit, 1109 processing target log storage unit, 1114 transfer determination unit, 1116 constriction period acquisition unit, 1124 transition determination unit, 1126 tracking candidate generation 2101a external input log file, 2101b external output log file, 2103 operation log file, 2201a external input log, 2201b external output log, 2102a external Input file specification condition, 2102b external output file specification condition, 2104 trace start condition, 2105 trace condition, 2106 trace end condition, 2107 trace result, 2108 processing target period, 2202a external input file name, 2202b external output file name, 2203a file input Date / time, 2203b File output date / time, 2204 Operation log, 2205a Last transition date / time, 2205b Trace start date / time, 2205c Trace end date / time, 2206 Final trace target file name, 2207 Judgment result, 2208 Copy and paste investigation instruction, 2209 Specific result, 2210a Trace Target file list, 2210b Additional trace target file name, 2211 Trace target candidate file list.

Claims (19)

In a file tracking device that estimates the original file that generated the file to be processed by tracking multiple log entries,
An operation log storage unit that stores a plurality of log entries each including an operation command, an operation content including the file name of the operated file, and a time stamp indicating the date and time when the operation was performed;
An operation for inputting the processing target file name of the processing target file and saving the processing target file using an operation command and operation contents of the log entry from a plurality of log entries stored in the operation log storage unit. A log entry indicating that the processing has been performed is extracted, and the time stamp of the extracted log entry is acquired as the storage date and time, and the log entry indicating that the operation to open the processing target file is performed by the acquired storage date and time. Extracting, acquiring a time stamp included in the extracted log entry as an open date, and outputting a squeeze period acquisition unit having the acquired open date and the storage date and time;
The squeezing period output by the squeezing period acquisition unit is input, and the squeezing that is input using the time stamp, operation command, and operation content of the log entry from the plurality of log entries stored by the operation log storage unit. One or more log entries indicating that any one of an operation of opening and closing a file having a similar file name similar to the file name to be processed in the period is extracted, and each of the extracted one or more A tracking candidate generator for storing the log entry in the storage device as a tracking candidate log;
The tracking candidate generation unit sequentially inputs the tracking candidate log stored in the storage device, and inputs the information stored in the file represented by the similar file name included in the operation content of the input tracking candidate log as the tracking candidate information. Whether or not to estimate the original file that generated the similar file with the similar file name by tracking a plurality of log entries is determined using the input tracking candidate information, and the tracking candidate log determined to be estimated An additional tracking log determination unit that outputs
An additional tracking log storage unit that stores the tracking candidate log output by the additional tracking log determination unit as an additional tracking log;
The similar file name included in the operation content of the additional tracking log stored in the additional tracking log storage unit is input, the original file that generated the similar file with the input similar file name is changed to the processing target file. A file tracking apparatus comprising: a tracking unit that tracks and estimates a plurality of log entries as a generated original file. In a file tracking device that estimates another new file generated as an original file to be processed by tracking a plurality of log entries,
An operation log storage unit that stores a plurality of log entries each including an operation command, an operation content including the file name of the operated file, and a time stamp indicating the date and time when the operation was performed;
The processing target file name of the processing target file is input, and the operation target file is opened from the plurality of log entries stored in the operation log storage unit using the operation command and operation content of the log entry. The log entry indicating that the file to be processed is extracted and the time stamp of the extracted log entry is acquired as the open date and time. Acquiring a time stamp included in the extracted log entry as a closing date and time, and a squeezing period acquisition unit that outputs a squeezing period including the acquired opening date and time and the closing date and time,
The squeezing period output by the squeezing period acquisition unit is input, and the squeezing that is input using the time stamp, operation command, and operation content of the log entry from the plurality of log entries stored by the operation log storage unit. One or more log entries indicating that an operation for storing a file with a similar file name similar to the processing target file name during the period is extracted, and each of the extracted one or more log entries is used as a tracking candidate log A tracking candidate generator for storing in a storage device;
The tracking candidate generation unit sequentially inputs the tracking candidate log stored in the storage device, and inputs the information stored in the file represented by the similar file name included in the operation content of the input tracking candidate log as the tracking candidate information. Whether or not another new file generated from a similar file with the similar file name is estimated by tracking a plurality of log entries, is determined using the input tracking candidate information, and tracking is determined to be estimated An additional tracking log determination unit that outputs candidate logs;
An additional tracking log storage unit that stores the tracking candidate log output by the additional tracking log determination unit as an additional tracking log;
The similar file name included in the operation content of the additional candidate log stored in the tracking log storage unit is input, and another new file generated from the similar file with the input similar file name is input to the processing target file. A file tracking apparatus comprising a tracking unit that tracks and estimates a plurality of log entries as another new file generated as an original file. The file tracking device further includes:
A period input unit for inputting a processing target period having a start date and time and an end date and time for specifying a period to be processed;
The operation log storage unit stores, as the plurality of log entries, a plurality of log entries whose time stamps are included in the processing target period,
The squeezing period acquisition unit inputs a processing target date and time representing the date and time when the processing target file is generated, and from a plurality of log entries stored in the operation log storage unit, from the start date and time input by the period input unit One or more log entries having a time stamp included in the period up to the processing target date and time, having an operation command indicating an operation for saving a file, and having an operation content including the processing target file name Extracting and selecting a log entry having a time stamp closest to the end date and time from the extracted one or more log entries, obtaining the time stamp of the selected log entry as the save date and time, and the operation log storage unit Has a time stamp included in a period from the start date and time to the save date and time from a plurality of log entries stored, One or more log entries having an operation command representing an operation for opening a file and having an operation content including the file name to be processed are extracted, and the end date and time are extracted from the extracted one or more log entries. Select the log entry with the closest time stamp, get the time stamp that the selected log entry has as the open date and time,
The tracking candidate generation unit has a time stamp included in the squeezing period from a plurality of log entries stored in the operation log storage unit, and one of an operation for opening a file and an operation for closing a file One or more log entries having an operation command representing the operation and having an operation content including a similar file name similar to the processing target file name are extracted, and each of the extracted one or more log entries is tracked The file tracking apparatus according to claim 1, wherein the file tracking apparatus is stored in a storage device as a candidate log. The file tracking device further includes:
A period input unit for inputting a processing target period having a start date and time and an end date and time for specifying a period to be processed;
The operation log storage unit stores, as the plurality of log entries, a plurality of log entries whose time stamps are included in the processing target period,
The squeezing period acquisition unit inputs a processing target date and time representing the date and time when the processing target file was generated, and the period input unit starts from the processing target date and time from a plurality of log entries stored in the operation log storage unit. Extract one or more log entries that have a time stamp included in the period up to the input end date and time, have an operation command indicating an operation to open a file, and have an operation content including the file name to be processed The log entry having the time stamp closest to the start date and time is selected from the extracted one or more log entries, the time stamp of the selected log entry is acquired as the open date and time, and the operation log storage unit There is a time stamp included in the period from the open date and time to the end date and time from the stored log entries. One or more log entries having an operation command representing an operation for closing a file and having an operation content including the file name to be processed are extracted, and the start date and time are extracted from the extracted one or more log entries. Select the log entry having the time stamp closest to, and obtain the time stamp that the selected log entry has as the closing date and time,
The tracking candidate generation unit has an operation command representing an operation of storing a file, having a time stamp included in the squeezing period, from a plurality of log entries stored in the operation log storage unit, And extracting at least one log entry having an operation content including a similar file name similar to the processing target file name, and storing the extracted one or more log entries in the storage device as the tracking candidate log. 3. The file tracking apparatus according to claim 2, wherein The additional tracking log determination unit inputs, as generation source information, information stored in the processing target file indicated by the processing target file name input by the squeezing period acquisition unit, and compares the tracking candidate information with the generation source information. Then, the similarity to the generation source information of the tracking candidate information is obtained, it is determined whether or not the obtained similarity is larger than a preset similarity threshold, and a tracking candidate log determined to be larger is output. The file tracking device according to claim 1. The said additional tracking log determination part determines whether the preset term is contained in the said tracking candidate information, and outputs the tracking candidate log which determined that it was contained. 5. The file tracking device according to any one of 1 to 4. The operation log storage unit stores a file name including a log extension representing a file type as a file name included in the operation content of each log entry,
The tracking candidate generation unit inputs a file name including a processing target extension representing a file type as the processing target file name, and determines whether or not the log extension matches the processing target extension. 5. The file tracking apparatus according to claim 1, wherein a file name including a log extension determined to match is used as the similar file name. The file tracking device further stores in advance an extension score in which each combination extension of a plurality of combination extensions obtained by combining each extension of a plurality of extensions representing file types is associated with a score. With a score storage unit,
The operation log storage unit stores a file name including a log extension representing a file type as a file name included in the operation content of each log entry,
The tracking candidate generation unit inputs a file name including a processing target extension representing a file type as the processing target file name, and expands the log from a plurality of extension scores stored in the extension score storage unit. When the score corresponding to the combination of the child and the extension to be processed is acquired, the acquired score is compared with a preset score threshold, and it is determined that the acquired score is larger than the score threshold, the log extension 5. The file tracking apparatus according to claim 1, wherein a file name including the file name is the similar file name. The operation log storage unit stores a log entry having a file size representing the size of the operated file as each log entry of the plurality of log entries,
The squeezing period acquisition unit acquires a file size as a storage size from a log entry having a time stamp as the storage date and time, acquires a file size as an open size from a log entry having the time stamp as the open date and time,
The tracking candidate generation unit obtains a size difference between the storage size and the open size acquired by the squeezing period acquisition unit before extracting the tracking candidate log, and calculates a date difference between the storage date and time and the open date and time. It is determined whether the ratio of the size difference to the calculated date difference is equal to or greater than a preset ratio threshold, and if it is determined that the ratio is equal to or greater than the ratio threshold, the tracking candidate log is extracted. The file tracking device according to claim 1 or 3. The operation log storage unit stores a log entry having a file size representing the size of the operated file as each log entry of the plurality of log entries,
The tracking candidate generation unit sets a log entry having the similar file name as a similar log entry, acquires a file size of the similar log entry as a storage size, acquires a time stamp as a storage date and time, and acquires the acquired storage date and time. A log entry having a log entry indicating that an operation for opening a file with a similar file name having an older time stamp is performed from a plurality of log entries stored in the operation log storage unit. Extract using the stamp, operation command, and operation content, acquire the file size of the extracted log entry as a similar open size, acquire the time stamp as a similar open date, and store the saved size and the similar open size The size difference between Determine the date / time difference from the open date / time, determine whether the ratio of the size difference to the calculated date / time difference is greater than or equal to a preset ratio threshold, and if it is determined that the ratio is greater than or equal to the ratio threshold, track the similar log entry 5. The file tracking apparatus according to claim 2, wherein the file tracking apparatus stores the candidate log in a storage device. The tracking candidate generation unit sets a log entry having the similar file name as a similar log entry, and the file having the similar file name is stored in the log-in period in the plurality of log entries stored in the operation log storage unit. Whether or not there is a log entry indicating that an operation to store is performed is determined by using a time stamp, an operation command, and an operation content of the log entry. 4. The file tracking device according to claim 1, wherein the file tracking device is stored in a storage device as a tracking candidate log. The tracking candidate generation unit stores the file with the processing target file name in the squeezing period in the plurality of log entries stored in the operation log storage unit before extracting the tracking candidate log. Whether or not there is a log entry indicating that the above operation has been performed is determined using the time stamp, the operation command, and the operation content of the log entry. If it is determined that there is no log entry, the tracking candidate log is extracted. 5. The file tracking device according to claim 2, wherein the file tracking device is a file tracking device. The tracking candidate generation unit sets a log entry having the similar file name as a similar log entry, and stores the file with the similar file name after the storage date and time in the plurality of log entries stored by the operation log storage unit. It is determined whether or not there is a log entry indicating that an operation to be deleted is performed using a time stamp, an operation command, and an operation content of the log entry. Store it in the storage device as a tracking candidate log,
The said additional tracking log determination part stores the said tracking candidate log in the said additional tracking log memory | storage part as said additional tracking log when the said similar file is deleted and cannot be accessed. File tracking device. The tracking candidate generation unit sets a log entry having the similar file name as a similar log entry, and adds a file having the similar file name after the closing date and time among the plurality of log entries stored by the operation log storage unit. It is determined whether or not there is a log entry indicating that an operation to be deleted is performed using a time stamp, an operation command, and an operation content of the log entry. Store it in the storage device as a tracking candidate log,
5. The additional tracking log determination unit, when the similar file is deleted and cannot be accessed, stores the tracking candidate log as the additional tracking log in the additional tracking log storage unit. File tracking device. The operation log storage unit stores a log entry having a file size representing the size of the operated file as each log entry of the plurality of log entries,
The tracking candidate generation unit acquires a log entry having the similar file name as a similar log entry, acquires the file size of the similar log entry as a storage size, and whether the acquired storage size is equal to or larger than a preset size threshold value. The file tracking apparatus according to claim 1, wherein if it is determined whether or not the size is equal to or larger than a size threshold value, the similar log entry is stored in the storage apparatus as the tracking candidate log. A processing target file comprising a processing device, an operation command, an operation log storage unit that stores a plurality of log entries each including an operation content including a file name of the operated file, and a time stamp indicating the date and time when the operation was performed A file tracking method in a file tracking device that estimates an original file generated by tracking a plurality of log entries,
The processing device inputs the processing target file name of the processing target file by the squeezing period acquisition unit, and uses the operation command and the operation content of the log entry from the plurality of log entries stored in the operation log storage unit. The log entry indicating that the operation for saving the processing target file is performed is extracted, the time stamp of the extracted log entry is acquired as the storage date and time, and the processing target file is opened by the acquired storage date and time. A squeezing period acquisition step of extracting a log entry indicating that an operation has been performed, acquiring a time stamp of the extracted log entry as an open date and time, and outputting a squeezing period having the acquired open date and time and the storage date and time When,
The processing device inputs the squeezing period output by the tracking squeeze period acquisition step by the tracking candidate generation unit, and the time stamp, operation command, and operation content of the log entry from the plurality of log entries stored in the operation log storage unit Are used to extract one or more log entries indicating that either an operation of opening or closing a file with a similar file name similar to the processing target file name was performed during the input squeezing period. A tracking candidate generation step of storing the extracted one or more log entries in the storage device as a tracking candidate log;
The processing device sequentially inputs the tracking candidate log stored in the storage device by the additional tracking log determination unit by the additional tracking log determination unit, and stores it in the file represented by the similar file name included in the operation content of the input tracking candidate log. The input information is input as tracking candidate information, and it is determined by using the input tracking candidate information whether the original file that generated the similar file with the similar file name is estimated by tracking a plurality of log entries. An additional tracking log determination step for outputting the tracking candidate log determined to be estimated as an additional tracking log;
The original file in which the processing device inputs the similar file name included in the operation content of the additional tracking log output by the additional tracking log determination step by the tracking unit, and generates a similar file with the input similar file name And a tracking step of tracking and estimating a plurality of log entries as the original file that generated the processing target file. A processing target file comprising a processing device, an operation command, an operation log storage unit that stores a plurality of log entries each including an operation content including a file name of the operated file, and a time stamp indicating the date and time when the operation was performed A file tracking method in a file tracking device that estimates another new file generated as an original file by tracking a plurality of log entries,
The processing device inputs the processing target file name of the processing target file by the squeezing period acquisition unit, and uses the operation command and the operation content of the log entry from the plurality of log entries stored in the operation log storage unit. , Extracting a log entry indicating that an operation for opening the processing target file has been performed, obtaining a time stamp of the extracted log entry as an open date, and closing the processing target file after the acquired open date A log entry indicating that the log entry is performed, obtaining a time stamp of the extracted log entry as a closed date and time, and outputting a squeezed period having the obtained open date and time and the closed date and time; ,
The processing device inputs the squeezing period output in the squeezing period acquisition step by the tracking candidate generation unit, and the time stamp, operation command, and operation content of the log entry from the plurality of log entries stored in the operation log storage unit Are used to extract one or more log entries indicating that an operation for storing a file with a similar file name similar to the processing target file name is performed during the input squeezing period, and one or more extracted log entries A tracking candidate generation step of storing each log entry in the storage device as a tracking candidate log;
The processing device sequentially inputs the tracking candidate log stored in the storage device by the use tracking log determination unit by the use tracking log determination unit, and stores it in the file represented by the similar file name included in the operation content of the input tracking candidate log. Whether or not to estimate another new file generated from the similar file with the similar file name by tracking a plurality of log entries using the input tracking candidate information. An additional tracking log determination step of outputting the tracking candidate log determined to be determined and estimated as an additional candidate log;
The processing unit inputs the similar file name included in the operation content of the additional candidate log output by the additional tracking log determination step by the tracking unit, and generates another new file generated from the similar file with the input similar file name. A file tracking method comprising: a tracking step of tracking and estimating a plurality of log entries as another new file generated from the processing target file as an original file. A processing target file comprising a processing device, an operation command, an operation log storage unit that stores a plurality of log entries each including an operation content including a file name of the operated file, and a time stamp indicating the date and time when the operation was performed Is a file tracking program that causes a computer to execute a process of tracking and estimating a plurality of log entries.
The processing device inputs the processing target file name of the processing target file, and uses the operation command and the operation content of the log entry from the plurality of log entries stored in the operation log storage unit to store the processing target file. A log entry indicating that a save operation has been performed is extracted, the time stamp of the extracted log entry is acquired as the save date and time, and the operation to open the processing target file is performed by the acquired save date and time. A log entry representing, extracting a time stamp of the extracted log entry as an open date and time, and outputting a squeeze period having the acquired open date and the save date and time;
The processing device inputs the squeezing period output by the squeezing period acquisition process, and uses the time stamp, operation command, and operation content of the log entry from the plurality of log entries stored in the operation log storage unit, One or more log entries indicating that either an operation of opening or closing a file having a similar file name similar to the processing target file name is performed during the input squeezing period are extracted, and the extracted 1 A tracking candidate generation process for storing two or more log entries in the storage device as a tracking candidate log;
The processing device sequentially inputs the tracking candidate log stored in the storage device by the tracking candidate generation process, and the information stored in the file represented by the similar file name included in the operation content of the input tracking candidate log is the tracking candidate. Whether to estimate the original file that generated the similar file with the similar file name by tracking multiple log entries using the input tracking candidate information, and determining to estimate Additional tracking log judgment processing for outputting the tracking candidate log as an additional tracking log,
The processing device inputs the similar file name included in the operation content of the additional tracking log output by the additional tracking log determination process as the processing target file name, and creates a similar file with the input similar file name A file tracking program that causes a computer to perform tracking processing for tracking and estimating a plurality of log entries, using the original file as the original file that generated the processing target file. A processing target file comprising a processing device, an operation command, an operation log storage unit that stores a plurality of log entries each including an operation content including a file name of the operated file, and a time stamp indicating the date and time when the operation was performed Is a file tracking program that causes a computer to execute processing to estimate another new file generated as an original file by tracking a plurality of log entries,
The processing device inputs the processing target file name of the processing target file, and uses the operation command and the operation content of the log entry from the plurality of log entries stored in the operation log storage unit to store the processing target file. Indicates that a log entry indicating that an open operation has been performed is extracted, the time stamp of the extracted log entry is acquired as an open date, and that the operation target file is closed after the acquired open date A log period acquisition process that extracts a log entry, acquires a time stamp of the extracted log entry as a close date, and outputs a squeeze period having the acquired open date and the above close date;
The processing device inputs the squeezing period output by the squeezing period acquisition process, and uses the time stamp, operation command, and operation content of the log entry from the plurality of log entries stored in the operation log storage unit, One or more log entries representing that an operation for storing a file having a similar file name similar to the processing target file name is extracted during the input squeezing period, and the one or more extracted log entries are A tracking candidate generation process to be stored in a storage device as a tracking candidate log;
The processing device sequentially inputs the tracking candidate log stored in the storage device by the tracking candidate generation process, and the information stored in the file represented by the similar file name included in the operation content of the input tracking candidate log is the tracking candidate. Whether or not to estimate another new file generated from a similar file with the same file name as information by tracking a plurality of log entries and using the input tracking candidate information An additional tracking log determination process that outputs the tracking candidate log that has been determined as an additional candidate log;
The processing device inputs the similar file name included in the operation content of the additional candidate log output by the additional tracking log determination process, and creates another new file generated from the similar file with the input similar file name. A file tracking program for causing a computer to execute tracking processing for tracking and estimating a plurality of log entries as another new file generated from the processing target file.

Images