JP2013137740A - Secret information identification method, information processor, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To identify secret information included in a log stored by a server, etc.SOLUTION: An information processor comprises: a cluster section 214 that reads messages from a log and cluster-divides the messages in response to the similarity of the messages; a variable part specification section 216 that specifies a variable part between the messages; an attribute determination section 218 that attempts to determine a security attribute of the variable part using a preset rule; and an attribute estimation section 220 that, when there is a part of which the security attribute cannot be determined by the rule, determines the security attribute using a correspondence relation of appearance positions in the message, or, estimates the security attribute of the part of which the security attribute cannot be determined using a co-occurrence relation between the part of which the security attribute is determined and the part of which the security attribute cannot be determined.

Description

  The present invention relates to a technique for identifying confidential information, and more particularly to a technique for identifying confidential information included in a log accumulated by an information processing apparatus.

  In recent years, various types of information are shared through networks such as the Internet, an intranet, and a LAN, and the usability and accessibility of information is increasing. In order to manage information on the Internet and provide information to information users, a server for managing contents to be provided is used. The server receives access from a client device connected via a network, and performs processing such as provision of requested content, user registration, and registration / change of personal information.

  The server connected to the network is not particularly limited, but is a mail server that enables transmission / reception of electronic mail using SMTP, and CGI for performing web services using HTTP protocol. In addition to a web server, an FTP server, and the like, a database server that manages various data and provides data in response to an access request can be used. Each time these servers execute processing, they accumulate information on users who have accessed them, authentication results, data contents sent for processing, execution results, and the like. Although the contents of the information vary depending on the type of server, the IP address of the access source, the domain name of the access source, the date and time of access, the file name accessed, the URL of the link source page, the visitor's URL It includes the web browser name, OS name, processing time, number of received bytes, number of transmitted bytes, service status code, and the like. Hereinafter, a file that is accumulated by an operation of an information processing apparatus such as a server and that stores messages related to the operation, such as a file or a database, is simply referred to as a log.

  As described above, the log generated by the server contains high-use-value information in high density, and through log analysis, for example, a history of malicious attacks such as distributed DoS attacks and unauthorized access It can be applied to market analysis by statistical analysis of history and access contents.

  In addition, the logs are information on time-series and target transitions of attackers on the network by analyzing logs acquired by multiple organizations in relation to unauthorized access to the server that has occurred frequently in recent years. It can also be used to more accurately grasp However, since the log includes basic network information and personal information as described above, if you request an external analyst for log analysis, or if the log spans multiple domains, it is a reliable domain. Even if there is, there is a risk of leakage due to log disclosure.

  FIG. 10 illustrates an exemplary access log 1000 for a web server and an FTP server transaction log 1100 that are illustratively implemented using Apache 2.0. In FIG. 10, network information, private information, and port information are replaced with an asterisk “*” for the purpose of concealment. As shown in FIG. 10, the log includes server critical information such as a fixed IP address of the server, a used port number, and a directory hierarchical structure, as well as private information such as a user ID and highly confidential information such as a password. It is. However, there is a problem that the location where highly confidential information is included in a log where various types of information may be registered differs depending on the content of the log.

  For example, if the log shown in FIG. 10 is output to the outside as it is, network information, server information, personal information, etc. of the company or organization are taken out to the outside. In addition, if the log is leaked to a malicious attacker, high-value-added information accumulated by the company may be destroyed or stolen by hacking, and it may be targeted as a DoS attack. It is done.

  For this reason, providing a log to external analysis as it is for companies and organizations that use the server as a price to obtain useful information, such as confidential information leakage, privacy information leakage, information leakage due to unauthorized access to the server, etc. , Was supposed to pose a high risk. For this reason, even if the purpose is to analyze the access history to the server and reflect it in the function of the server, there is a high barrier that cannot be covered by the confidentiality agreement in the disclosure of the log to a third party. It was an impediment to flexible log analysis. Even if highly confidential information can be identified from log information, if the highly confidential information is replaced with asterisks all at once, the identity of the accessor and the identity of the accessed data will be lost. In order to conceal the log information, it is preferable that the attribute and identity of the original data can be recognized.

  Until now, a method for determining the confidentiality of logs has been known. For example, Japanese Patent Application Laid-Open No. 2009-116680 (Patent Document 1) provides a simple and easy-to-use data type such as the presence / absence of confidentiality of input / output data in a computer. For the purpose of providing technologies that detect with high accuracy and contribute to the appropriate management of data, I / O data reading means, data content acquisition means for acquiring character strings included in I / O data, character strings, A feature type extraction unit that extracts a predetermined character group included therein as a feature, and a data type of the feature by referring to a data type learning result obtained by machine learning using teacher data whose data type is known in advance in an external storage device There is described a technique for determining a data type with high accuracy by machine learning by providing a data type determination means for determining the above.

  The technique disclosed in Patent Document 1 can also determine the confidentiality of information in the log. However, the confidentiality of information that is not included in the teaching data for using the teaching data cannot be determined, and there is a possibility that confidential information may be leaked. In addition, the technology for detecting confidential words using regular expressions and word lists is limited in terms of registering regular expression types and registering word lists, which requires a lot of labor for data construction and word leakage. Is not enough. It is also possible to predefine a complete schema for logs and anonymize confidential information accordingly. However, due to the diversity of logs created, it is also possible to create various schemas completely. Not right. Moreover, even if the word list and schema are supplemented, there are any number of unusual names, and it is also possible to correspond to a log in which information entered by mistake such as user ID, password typo or input location error is registered. Was needed.

JP 2009-116680 A

  The present invention has been made in view of the above-described problems of the prior art. By identifying confidential information included in a log, the utility of the log can be extended without deteriorating the usefulness of the log. It is an object of the present invention to provide a confidential information identification method, an information processing apparatus, and a program that can be performed.

In order to solve the above problems, the present invention identifies whether or not individual information in a log is confidential information. The confidentiality of individual information in the log is determined by clustering log messages according to the similarity of the messages and comparing the messages contained in each cluster. Identify. For each variable part, the confidentiality is determined with reference to code information defined as a word, a string string, or a regular expression registered in the determination rule. The position where the character string determined to be confidential by the word, string string, or code information registered in the determination rule appears as a portion to be classified in the message in the cluster. This determination is propagated to other messages in the cluster. That is, in other messages in the cluster, a character string corresponding to a portion to be kept confidential is determined to be confidential even if it is not determined to be confidential by the determination rule.
Furthermore, by registering a character string corresponding to a confidential part in another message in the cluster in the determination rule, even if the same character string appears in another message, it is determined that it is confidential. to enable.

  The area determined to be a confidential area is replaced with another display in a format suitable for individual information. If the information is completely masked, the amount of information is reduced as shown in FIG. 10 and the usefulness as a log is remarkably reduced. Therefore, the replacement has the same type or meaning as the original information as much as possible. It can be replaced with an equivalent display. By replacing with the same type or meaning display as the original information, the information type can be determined and replaced in an identifiable form. For example, in the case of a person name, another name, for example, “Alice” → “Cathy”, “Bob” → “David” is mapped to an alias.

  In the case of an IP address, for example, only a specific part of the network structure of the IP address is left and the other part is replaced with code information having a certain rule given by a regular expression constituting a private IP address or the like. be able to.

  Further, in the present invention, for information that is not registered in the determination rule, the secret attribute of the area where the confidential attribute cannot be determined from the determination rule using the co-occurrence relationship with the appearance position in the message and the confidential word is estimated. Thus, it is possible to improve log usability while preventing the confidential area of the log from leaking outside.

The figure which shows embodiment of the information processing system 100 of this embodiment. The functional block diagram of the secure log production | generation part 200 used by this embodiment. The figure which shows the log 300 made into analysis object by this embodiment. The figure which shows the list | wrist of variable parts, such as the word registered in the determination rule 224 of this embodiment, a string string, or a regular expression. The figure which shows the data format of the flowchart and log analysis of the log analysis method of this embodiment. 6 is a flowchart of processing subsequent to FIG. 7 is a flowchart of confidentiality estimation processing described in FIG. 6. The figure which showed the confidentiality judgment aspect 800 used by this embodiment corresponding to the log 810 made into object. The figure which shows embodiment of the replacement process which the display replacement part 222 of this embodiment performs. FIG. 3 is a diagram illustrating an access log 1000 of a web server and a transaction log 1100 of an FTP server implemented using Apache 2.0 as an example.

  Hereinafter, although this invention is demonstrated with embodiment, this invention is not limited to embodiment mentioned later. FIG. 1 shows an embodiment of an information processing system 100 to which the confidential information identification method of this embodiment is applied. The server function unit 120 is connected to the network 110, and provides a web service, a storage service, a search service, etc. to the client device 112 in response to a request from the client device 112 connected to the network 110. To do.

  The server function unit 120 includes a server device 122 and a database 124 in which data is managed by a database application installed in the server device 122 or the like. In addition to managing the content to be provided, the database 124 can include security information such as user registration, user information change, and access control information.

  The server apparatus 122 shown in FIG. 1 can be configured from an information processing apparatus such as a blade server, a rack mount server, or a general-purpose computer. The WINDOWS (registered trademark) 200X, UNIX (registered trademark), and LINUX (registered trademark) are available. ) Or the like. Further, the server device 122 may be implemented as a proxy server, a gateway server, or the like for distributed computing as long as it can process a search request from the client device 112 and return a processing result to the client device 112. It can be implemented as a web server.

  The client 102 can be implemented as a personal computer or workstation including a microprocessor such as any single-core processor or dual-core processor, RAM, a hard disk device, and the like. The client device 112 can also be implemented as a PDA or a smartphone. The client device 112 can be controlled by any operating system such as WINDOWS (registered trademark), UNIX (registered trademark), LINUX (registered trademark), MAC OS (registered trademark), ANDOROID (registered trademark), or the like.

The client device 112 and the server function unit 120 can be connected via a network 110 using a transaction protocol such as TCP / IP. Data transactions between the client device 112 and the server device 122 are RMI (Remote Method Invocation), RPC (Remote Procedure Call), and EJB (Enterprise).
It can be constructed using a distributed computing environment such as Java (registered trademark) Beans) or CORBA (Common Object Broker Architecture).

  In another embodiment, the HTTP protocol is used between the server device 122 and the client device 112, a web browser is used on the client device 112 side, a CGI (Common Gateway Interface), a servlet, a database application, etc. on the server device 122 side. It is also possible to implement and configure a server program. In still another embodiment, an FTP server application may be installed on the server device 122 side, and the client device 112 may be used as an FTP client to perform a data transaction.

  The server device 122 holds the log 126 in an appropriate storage space of the server device 122 or the database 124. In this specification, the log 126 can simply refer to a file that stores messages about the operation of the information processing apparatus accumulated by the operation of the information processing apparatus such as a server as a log. For example, the log 126 is generated by sequentially recording information representing the operation of the server device 122 among transactions performed with the client device 112.

  Although the log 126 is recorded in a text base in many cases, although the information is high value-added, it can be accessed from the outside in various ways. It is not preferable from the viewpoint of security that a person other than the above accesses the raw log. Therefore, in this embodiment, the server function unit 120 is not directly accessed to the log, but a secure log that shields important basic information and personal information included in the log is generated, and the secure log is accessed. The function unit to be implemented is mounted on the server device 122. Further, in this specification, the secure log refers to a data file that is modified so that the confidential information included in the log 126 is identified according to the present invention, and the confidential information is shielded or replaced so that the confidential information is not displayed. .

  FIG. 2 is a functional block diagram of the secure log generation unit 200 used in this embodiment in order to identify a highly confidential area from the log. The secure log generation unit 200 illustrated in FIG. 2 can be created using a program that can be executed by the server device 122, such as C ++, Java (registered trademark), Perl, Ruby, PHP, and the like. The server apparatus 122 can be implemented as a filter module or the like that controls access to the log by a method different from the above method.

  The secure log generation unit 200 illustrated in FIG. 2 reads the log 126 generated by the server device 122 from the storage space where the log is recorded using an appropriate input interface, and identifies highly confidential information. By applying various processes, it is shielded as confidential information. The data file in which the confidential information is shielded is used as a secure log 126a, and can be output via an output interface or the like. When reading the log 126, if encryption is set in the log, a password and a decryption key prepared for calling the secure log generation unit 200 can be input. The format for outputting the secure log 126a is not particularly limited, but is displayed on the desktop screen, structured documents such as HTML and XML, text documents, and external storage such as a hard disk device for the created files. Storage on a medium, transmission over a network, etc. can be included. In FIG. 2, for convenience of explanation, the input / output interface is omitted.

  The secure log generation unit 200 of this embodiment will be further described with reference to FIG. The secure log generation unit 200 can include a confidential information identification unit 210 and a display replacement unit 230. The confidential information identification unit 210 provides a function of identifying confidential information existing in the log 126, and the display replacement unit 230 replaces the display of the log 126 identified by the confidential information identification unit 210 with another character or the like. I will provide a.

  The confidential information identification unit 210 includes a message analysis unit 212, a cluster unit 214, and a variable unit identification unit 216. The message analysis unit 212 includes a parser that parses the log. The message analysis unit 212 quantifies the text similarity of the message included in the log 126 by, for example, comparison with a template, and sorts the messages in the order of similarity. The cluster unit 214 clusters the sorted messages using similarity. The variable part specifying unit 216 specifies a fixed part that is a fixed and non-changing area among message areas included in a specific cluster and a variable part that is a changing area for each message by comparing the messages, Among the messages belonging to the cluster, the position of the variable part to be processed as a variable is identified. Hereinafter, among the areas in the message, an area that changes for each message is referred to as a variable part, and an area that does not change even if the message is changed is referred to as a fixed part.

  Further, the confidential information identification unit 210 includes an attribute determination unit 218 and an attribute estimation unit 220. The attribute determination unit 218 refers to the determination rule 224 for attributes related to confidentiality, such as a word (word) identified as a variable part in a message, a string string, and code information having a certain rule given by a regular expression. to decide. For example, it is searched whether a word, a string string, and a regular expression in an area identified as a variable part are registered in the determination rule 224, and the currently determined variable part is secretly registered in the determination rule. If so, the variable part is marked as a variable to be masked or replaced as confidential information.

  In addition, the attribute estimation unit 220 determines to estimate the confidentiality of variables that are not registered in the determination rule 224. In the first embodiment of the estimation determination, the variable part determined to be confidential according to the determination rule 224 and the variable having the same position in the message are the same as the variable part determined to be confidential by the determination rule 224. Estimated to have a confidential level. Further, in the second embodiment of the estimation determination, the co-occurrence relationship between the variable part determined to be confidential and the variable part whose attribute is unknown is used, and the confidential level of the variable part whose attribute is unknown is determined according to the co-occurrence relation mode. It is embodiment which estimates this.

  The attribute estimation unit 220 according to the present embodiment does not use only the determination rule 224 but uses the result of the syntax analysis in the message for estimation of the confidential level, thereby registering the word, string string, Not only the regular expression but also the determination rule 224 enables processing of an unknown word, a string string, and a regular expression (hereinafter referred to as an unknown part in this embodiment).

  The display replacement unit 230 replaces the original display with another display such as a different word, a string string, or a normalized expression while maintaining the semantics of the variable unit for the variable unit determined or estimated as confidential. The term “preserving semantics” means selecting a replacement word that is the same as or similar to the semantic content or conceptual content of the variable part. For example, in the case of a person name, “Alice” → “Cathy”, “Bob” → “David”, etc. are replaced. Further, in the case of a regular expression such as an IP address, “192.168.1.1” → “192.1.2.1.2”, “10.1.55.6” → “167.5.7.8”, etc. Replace with the code information. Also, the place name, landmark name, port number, and other variable parts are replaced with the same or similar substitute words.

  In the case of a port number or email address, there is a high possibility that a third party using the email address exists even if a fake name or a different number is used. You may be using a port. For this reason, in the present embodiment, in the case of information such as a mail address and a port number, leaving trace information to the extent that it is known that it is a mail address and a port number, otherwise, the original information is replaced with characters other than numerical values, You can replace words with asterisks, # signs, and other appropriate symbols.

  In addition, any anonymization method or concealment method known so far, such as encryption and other replacement methods, can also be used. In addition, when converting the variable part, it is preferable to assign the same replacement word or value if the word or value of the variable part is the same in order to obtain coincidence with the appearance history of the original word or the like.

  After the variable part determined to be confidential by the display replacement unit 230 is replaced, it can be output as a data file indicated by the secure log 126a. The secure log 126a created by the display replacement unit 230 can be transmitted as a transmission medium such as a file via an appropriate output interface, or can be used as a portable recording medium such as a hard disk device, a USB memory, or a flexible disk. By storing, it can be output.

  The secure log generated as described above can minimize the occurrence of corporate risk even when an external contractor accesses it for log analysis or provides a file to an external contractor. To improve the network system. In addition, when accessing the raw log, it is possible to ensure the accessibility to the log and the confidentiality of the log analysis by using another highly secure application. Since the application for doing this is not the gist of the present application, detailed description thereof is omitted.

  FIG. 3 shows a log 300 to be analyzed in this embodiment. The log 300 shown in FIG. 3 includes a person name 310, a city name 320, and an e-mail address 330. In addition to the login message, the message exemplified in the log 300 includes locale information related to a specific person name, such as Tokyo and Osaka, and information related to the update of the mail address. Also included is “Sachiko” 340, which is a string string that seems to be a Japanese name. Including all of these personal information, information that may be personal information, or information that should be kept confidential in relation to personal information in the determination rule 224 is a variety of log types and programming for creating the determination rule 224 It is not realistic considering the effort.

  In addition, for example, in the judgment rule 224 in which only the names “Alice” 310 and “Bob” in the Indo-European language are registered, for example, “Sachiko” that seems to be a Japanese name has an unknown secret level. It is classified as an unknown part, and sufficient confidentiality cannot be guaranteed. For this reason, this embodiment improves the detection of the confidentiality of the log 300 by estimating the confidential level of an unknown part through analysis of the message structure.

  FIG. 4 shows a list of variable parts such as words, string strings, or regular expressions registered in the determination rule 224 of the present embodiment. In the determination rule 224, an attribute and an area display such as a word / string string / regular expression are associated as a field for each record of the confidential part. The attribute is a category corresponding to the semantics of the confidential part, and the replacement word can be selected based on the category of the variable part. Further, the IP address is given by a regular expression, and when replacing the IP address, for example, it can be replaced with an expression in a format in which a part of the original IP address is left out of the private address.

  In addition, in FIG. 4, an e-mail address is also registered as an attribute. In the case of an e-mail address, the actual e-mail address is simply changed by simply replacing the string string to the left of “@”. For example, anonymizing a string within a range that can be recognized as an e-mail address, such as “*” (asterisk) or “!” (Exclamation mark). Can do.

  In addition, a non-confidential message can be registered in the determination rule 224. The non-confidential message is not data that should be inevitably entered in the determination rule 224, but the non-confidential message can be registered in an application that requires efficient parsing by the parser.

  The confidential information identification processing and secure log generation processing of this embodiment will be described using the flowchart of FIG. 5 and the data format of log analysis. 5 starts from step S500. In step S501, the message analysis unit 212 reads log data in units of messages, divides the log into messages, and calculates an edit distance for each message. In step S502, messages are sorted according to similarity using the edit distance. The message structure 510 obtained in step S502 is generated as a sorted structure corresponding to the similarity based on the edit distance of the message. In the embodiment shown in FIG. 5, a user profile update message and a login message are generated. Is recognized as a message type without similarity. In the message structure 510, variable parts 512 and 514 in the message are exemplarily shown. Other character strings such as “User Profile for” and “is updated” are fixed parts.

To explain in detail, the sentence “Use Profile”
The word “Alice” between “for” and “is updated” is an individual name, and “Tokyo” and “alice@foo.com” are a city name and an email address, respectively. It is identified as a variable part together with a variable name indicating a value. As can be seen from the message structure 510, the variable part of a message having a high degree of similarity has a feature that appears in the same order in the sentence structure.

  To explain again using the flowchart, in step S503, the cluster unit 214 clusters the sorted messages according to the similarity determined from the edit distance. Clustering is not always necessary depending on the degree of similarity ranking by sorting. However, by recognizing variable parts and fixed parts in units of clusters, the recognition and recognition accuracy of variable parts can be improved. Can do. FIG. 5 shows a cluster structure 520 for the clustering process of the message structure 510 generated by the process of step S503. In the described embodiment, a cluster containing a user profile update message and a cluster containing a login message are identified.

  Further, in step S503, the structure of the fixed part and variable part of the message forming the cluster is registered as a template structure 530, and the variable part in each cluster = the place where the variable exists, that is, the variable in each message in the same cluster. Then, a template associated with the message is generated and registered in an appropriate working storage space. At this time, the cluster of the message can be indexed as, for example, [cluster identification value, edit distance range, template identification value], and an appropriate storage area for the determination rule 224 is secured and the cluster index is registered. Can be kept.

  Although the template structure can be generated for each log process, the same message is often used for the same server function unit 120. For this reason, once the cluster index is generated, it is registered as a message template in association with the cluster identification value in the decision rule 224, and the cluster to be classified from the editing distance is identified by reading the message to be processed. However, it can also be implemented to immediately evaluate the sensitivity of the variable part in the message to be processed.

  In the template structure 530 shown in FIG. 5, the variable part is shown as “<?>”, But the display of the variable part of the template structure 530 in FIG. 5 is exemplary, and the tag of the structured document is displayed. It does not mean that they are attached and identified. The variable part identification unit 216 is responsible for identifying the variable part in the template. For example, the number of words from the beginning, the number of spaces, and during double quotations to identify variables, may be appropriately determined by programming for a specific purpose. You can choose. In step S504, the identified variable part is set as a search key for collation of the determination rule 224, and the process proceeds from point A to the next process.

  FIG. 6 is a flowchart of processing subsequent to FIG. In the process of FIG. 6, the attribute determining unit 218 searches the determination rule 224 in step S601 to determine the sensitivity of the variable unit. Thereafter, in step S602, the sensitivity obtained as a result of the search is linked to the template as the sensitivity of the variable portion at the position of the variable portion currently determined. Linking can be done by parsing the template, creating a hierarchical structure of words / strings / regular expressions, and as a structured document such as XML, or more simply [template identification value, number of words from top, confidential , Number of words from the top, non-confidential, number of words from the top, confidential].

  FIG. 6 shows a result of the attribute determination unit 218 determining the sensitivity of the variable unit using a template. In the message structure 610, “Alice” and “Bob” after “User Profile for” are registered in the determination rule 224 and are determined to be confidential as they are. On the other hand, “Sachiko” is not registered in the determination rule 224 in the embodiment to be described, and the attribute determination unit 218 returns a value “false” as a search result.

  The situation is similar for login messages. When the attribute determination unit 218 returns value = false in step S <b> 602, the secure log generation unit 200 calls the attribute estimation unit 220. In step S603, the attribute estimation unit 220 determines the position of the variable unit whose confidential attribute is unknown on the template, and uses the sensitivity of the appearance position assigned to the template as the sensitivity to be assigned by the attribute determination unit 218. It is set and used for processing of the display replacement unit 230 described later. This process is described in the template structure 620.

  In the template structure 620, in the user profile update template, the position of the variable part indicated by <Red> has already been registered as a confidential attribute, so even if an unknown part corresponding to the position of <Red> appears, The confidential attribute of the unknown part can be set as confidential. For the login template, the unknown part at the position indicated by <Red> is set to confidential attribute = confidential.

  Also, the attribute estimation unit 220 performs sensitivity analogy processing of the variable part at any position using information other than the appearance position at step S604 for the variable part at an arbitrary position present in the message. Sensitivity analogy processing, which will be described in more detail later, estimates the confidential attribute of an unknown part at any position in the message using the presence or absence of the confidential part in the message or the co-occurrence relationship with the confidential part. Perform the process. After the processing of step S604, the setting of the confidential level of the unknown part with the unknown confidential level in the specific message is updated in step S605, the process is passed to the display replacement unit 230, and the variable part is determined in step S606. Refer to the rules and replace them with different displays to generate a secure log. After that, in step S607, the secure log 126a is output so as to be usable by another device via an appropriate output interface, and the process is terminated.

  FIG. 7 is a flowchart of the confidentiality estimation process described in FIG. The confidentiality estimation process is a process for the secure log generation unit 200 shown in FIG. 2 to estimate the security level of the variable unit at an arbitrary position that can be included in the message. In the confidential information identification method of this embodiment, the confidentiality analogy is performed in two embodiments, and the first analogy method uses the presence of the confidential part in the message (steps S604 → S700 → S605). The second analogy method uses the co-occurrence relationship between the confidential part and the unknown part to dynamically infer the confidential attribute in the message (steps S604 → S710 → S711 → S712 → S605). It is. In the present embodiment, the term “co-occurrence relationship” means that two or more values of the variable part included in the message appear in the same message. The term “co-occurrence frequency” means the frequency at which a specific variable part appears in the message.

  More specifically, for example, consider a case where an individual's name and a specific date appear simultaneously in different variable parts in the same message. The name is a confidential part with high confidentiality, and the date appearing immediately after that is highly likely to be a day having a special meaning for the individual corresponding to the name, such as a birthday. In addition, assuming that such a co-occurrence occurs is that the birthday of the individual is specified, regarding the different individuals, the co-occurrence of these variables is extremely similar to the {same name probability * same birth probability}. Considering that it is only a low probability, it can be said that this is a reasonable analogy method. That is, it is reasonable to estimate the variable part appearing in the same message as the confidential part as “confidential” even if the confidential attribute is unknown.

  For this reason, in the present embodiment, when the co-occurrence relationship is used to estimate the confidentiality, the co-occurrence frequency based on the confidential part is used, and the condition of the co-occurrence frequency is set, thereby setting the unknown part function. Analogize density. As a condition for this, a specific logical condition regarding the co-occurrence frequency can be set.

  Hereinafter, the confidentiality analogy processing of this embodiment will be described with reference to FIG. Sensitivity analogy processing is started by passing the processing from step S603, and in step S700 which is the first embodiment, it is determined whether or not a confidential part is included in the message. The variable parts co-occurring in the message are collectively set as confidential, and the process is passed to step S605.

  The second embodiment will be described below. In the second embodiment, in step S710, the variable part included in the message is listed from the message. In step S711, variable parts appearing together with variable parts classified into the same attribute in the log are listed up, the co-occurrence frequency is calculated, and associated with the variable parts.

  In step S712, the co-occurrence frequency of the confidential part character string (A) of the confidential part and the variable part character string (B) of the unknown part is equal to or higher than the threshold value TH1, and at the same time, the variable part character string (B) When the frequency of occurrence of characters other than the character string of the confidential portion (superscript bar A) at the same time is equal to or lower than the threshold value TH2, the currently determined unknown portion is estimated as confidential. The reason for adopting the processing based on this logical condition is that, for example, when the value of the variable part is a name that is confidential information, a character string that frequently co-occurs with this name (eg, birthday, e-mail address, this person) Passwords, etc.) should be considered confidential.

  FIG. 7 shows exemplary conditions for confidentiality analogy based on the co-occurrence frequency. The condition 730 is used in the first embodiment in which the variable part co-occurring with the confidential part is processed as confidential. Under the condition 730, it is presumed that the character string “Tokyo” co-occurring with the personal name “Alice” and the e-mail address “alice@foo.com” are both highly variable variable parts. Depending on the estimation result, character replacement or the like is applied as described above to protect confidential information. The condition 740 is a condition used in step S712 of the second embodiment.

  On the other hand, although the condition 740 requires a plurality of co-occurrence determinations, it is possible to estimate the secret more precisely based on the relationship with the unknown secret part. Each of these determination conditions can be implemented in the information processing apparatus according to the type and purpose of the log.

  The determination as in condition 740 is necessary in the following cases. In other words, the character string that appears at the same time as the confidential variable part is very general and may appear in other messages. For example, the name of a country where a person lives may appear at the same time as the name of that person, but there are many other people living in the same country, and that country name It can appear at the same time. In such a case, the sensitivity of the country name itself is low and it is not necessary to replace the country name. (In other words, assuming that the country's population is sufficiently large, it is not easy to identify an individual from the country name alone, and it is considered that the privacy of the individual hardly leaks from the country name). In this example, a country name not only appears at the same time as a specific person name A, but also appears at the same time as a person name other than A (superscript bar A). be able to. In the case of other embodiments, desired thresholds can be provided by appropriately setting the above-described threshold value so as to appropriately provide sensitivity in a specific application.

  Hereinafter, another embodiment of the present invention will be described in the context of FIG. In this embodiment, the confidentiality estimation process is started after the process is passed from step S604. In step S700, the attribute estimation unit 220 selects one of the following two modes as follows. The first mode is the simplest approach, where the attribute estimator 220 determines all variable parts in a message that is classified and any one or more variable parts in the message are determined to be confidential. If so, the process advances to step S605. This is a simplified determination method, although some variable parts may be excessively classified as confidential even if the variable part is not confidential. If the second mode is selected, the attribute estimation unit 220 lists variable units included in the message in step S710. In step S711, the attribute estimation unit 220 lists a set of variable parts that appear in each message, and then calculates the co-occurrence frequency of each variable part.

  In step S712, the co-occurrence frequency of the unknown part and the specific confidential part is greater than or equal to a predetermined threshold value TH1, and the co-occurrence frequency of the variable part that is the unknown part with the confidential part excluding the specific confidential part is the threshold. When the value is lower than the value TH2, the attribute estimation unit 220 determines that the variable part is confidential. This process is used for the following reason. For example, since the variable part is a personal name that is confidential information, strings that appear with a high co-occurrence frequency (for example, birthdays, email addresses, personal passwords) can also be considered confidential. It is.

  In this embodiment, the first mode corresponds to setting the appearance frequency threshold for determining the unknown part as “confidential” to 0 in the co-occurrence relationship between the confidential part and the variable part. . In other words, all variable parts that appear once or more together with the confidential part are judged as confidential, and when there are a confidential part and an unknown part in the message as in the first embodiment, the unknown part It can be said that this is an alternative process that keeps the department confidential. As in the first embodiment, the first mode is a simplified determination method in that some of the variable parts may be overclassified as confidential even though they are not. However, this method does not require a co-occurrence frequency check. Therefore, this embodiment can be a process selected by the attribute estimation unit 220 when reducing the overhead of the information processing apparatus. After step S712, the attribute estimation unit 220 proceeds to step S605 and ends the confidentiality estimation process of FIG. Additionally, a different value can be used as a threshold value of the co-occurrence frequency depending on the attribute of the variable part to be determined for co-occurrence.

  Depending on the message, there is a possibility that the confidential attribute of the variable part in the message cannot be determined at all by the determination rule 224. In this case, the confidential information identification unit 210 estimates the confidential attribute using the appearance position of the unknown part, and then further estimates and determines the confidential attribute of the unknown part using the co-occurrence relationship. It is possible to prevent confidential information from being displayed in the secure log as it is. Furthermore, in another embodiment, after the confidential attribute is estimated for a word, a string string, a character string, a numeric string, code information, etc. that once appeared at a position identified as an unknown part, the word estimated by the determination rule 224 By additionally registering data such as strings, character strings, and code information, the determination rule 224 can be learned, and the determination process of confidential information can be made more efficient.

  FIG. 8 is a diagram showing the confidentiality determination mode 800 used in the present embodiment in association with the target log 810. The open rectangular frame is a fixed part, the variable part in the cloud frame is a confidential area, the hatched rectangular frame is an estimated confidential area, and the underlined variable part is in the template. This is a confidential attribute area determined using the appearance position.

  As shown in FIG. 8, the fixed message (non-confidential) and the variable portion set 820 in the cloud frame are those in which the confidential attribute is directly determined using the determination rule 224. On the other hand, the set 830 is a variable part classified as an unknown part in the determination rule 224. In the present embodiment, regarding the variable part classified as the unknown part, the confidential attribute is determined using the co-occurrence relation of the variable part and the appearance position in the message.

  The variable part in which the confidential attribute is inferred or estimated using the co-occurrence relationship is the date for the name and the city name. Also, the variable part = passw0rd is determined using the appearance position of the variable part. This variable part is an unknown part in which a password is erroneously entered in an attempt to enter a user ID, and a typo is superimposed on the password. This variable part constitutes an unknown part because it is erroneously input to the part where the user ID is to be input and there is a typo. Of course, this explanation is given only for explanation, and the variable part corresponding to the password is not registered in the determination rule. In the present embodiment, using the appearance position of the variable part in the message within the same cluster, for example, the confidential attribute area appears immediately after the variable part “UserID” on the first line of the log 810. Is used to determine that unknown part = passw0rd is confidential.

  As described above, in the present embodiment, the security level can be set even for the variable part that is not registered in the determination rule 224, and the log usability is improved by reducing the company / group risk.

  FIG. 9 shows an embodiment of replacement processing executed by the display replacement unit 230 of the present embodiment. The original log 900 includes a plurality of confidential areas such as person names, city names, and e-mail addresses. The display replacement unit 230 of this embodiment replaces the variable part of the message registered as confidential according to the set protocol. Specifically, for the person name / city name, another value of the same attribute in the determination rule 224 is selected and replaced. At this time, if the original variable part is the same, the same different expression value is assigned. Also, the e-mail address is changed to another character or number with another expression to the extent that the e-mail address is identified.

Specifically, regarding the personal name, “Alice”, “Bob”, and “Sachiko” in the log 900 are replaced with “Mary”, “Nic”, and “John” in the secure log 910, respectively. As for city names, “Tokyo”, “Osaka”, “Naha” are “New” respectively.
“York”, “Washington”, “Toront.” Furthermore, the e-mail address is ****@***.*** so that it can be recognized that it has a representation that conforms to the SMTP protocol. The domain name area other than identifying an individual can be left unreplaced from the viewpoint of the amount of information.

  Further, although not shown in FIG. 9, for the IP address or the like, the confidential information is replaced by replacing the global IP address with an appropriate private IP address while using a part of the original number. Note that the rules for replacement are stored as a table or list in an appropriate storage space managed by the secure log generation unit 200, and inversely converted in response to a request from a high-level administrator such as a server administrator. It can also be used to reproduce the original log.

  In the present invention, in order to facilitate understanding of the invention, each functional unit and the processing of each functional unit are described with specific functional units. However, in the present invention, the specific functional unit described above performs specific processing. In addition to execution, a function for executing the above-described processing can be assigned to any functional means in consideration of efficiency such as processing efficiency and implementation programming.

  The above-described functions of the present invention include C ++, Java (registered trademark), Java (registered trademark) Beans, Java (registered trademark) Applet, Java (registered trademark) Script, Perl, Ruby, PYTHON, and other object-oriented programming languages, SQL, etc. Can be realized by a device-executable program described in a search-dedicated language or the like, stored in a device-readable recording medium, and distributed or transmitted for distribution.

  Although the present invention has been described with specific embodiments, the present invention is not limited to the embodiments, and other embodiments, additions, changes, deletions, and the like can be conceived by those skilled in the art. It can be changed within the range, and any embodiment is included in the scope of the present invention as long as the effects and effects of the present invention are exhibited.

DESCRIPTION OF SYMBOLS 100 Information processing system 102 Client 110 Network 112 Client apparatus 120 Server function part 122 Server apparatus 124 Database 126 Log 126a Secure log 200 Secure log generation part 210 Confidential information identification part 212 Message analysis part 214 Cluster part 216 Variable part specification part 218 Attribute determination unit 220 Attribute estimation unit 224 Determination rule 230 Display replacement unit

Claims (18)

A method for identifying confidential information in a log accumulated by an information processing apparatus, the method comprising:
Reading a message about the operation of the information processing device from a log, and clustering the messages in relation to the similarity of the messages;
Identifying a variable portion between messages of messages included in the cluster;
Attempting to determine the variable portion of the confidential attribute using a preset rule;
Determining a confidential attribute of a portion for which the confidential attribute cannot be determined by estimating from the portion for which the confidential attribute is determined when there is a portion for which the confidential attribute cannot be determined by the rule.   The method of claim 1, further comprising replacing a display of a variable portion in the message with another display in response to the determined confidentiality attribute to generate a secure log.   The step of estimating and determining the confidential attribute is a step of estimating using a correspondence relationship between an appearance position of a part in which the confidential attribute cannot be determined in the message and an appearance position of a part for which the confidential attribute is determined. The method of claim 1 comprising:   The method according to claim 1, further comprising: estimating a confidential attribute of a portion where the confidential attribute cannot be determined from a co-occurrence frequency of a portion where the confidential attribute is determined and a portion where the confidential attribute cannot be determined.   The method according to claim 1, further comprising the step of quantifying the similarity of the message using edit distances of characters, characters, and spaces constituting the message.   The method according to claim 1, wherein the variable part is code information described according to a rule provided by a word, a string string, or a regular expression constituting the message.   The method according to claim 1, wherein the rule classifies and registers code information described according to a rule given by a word, a string string, or a regular expression to be classified for each semantic of the part. Estimating using the correspondence relationship between the appearance position of the part where the confidential attribute cannot be determined in the message and the appearance position of the part where the confidential attribute is determined,
Collating a template that associates an appearance position with a confidential attribute for a variable part of the message included in the cluster;
4. The method of claim 3, comprising determining a portion of the template at the same occurrence position as a confidential attribute of the template.   The step of estimating and determining the confidential attribute sets the confidential attribute of the portion where the confidential attribute cannot be determined to be confidential based on a condition in the co-occurrence frequency of the portion that should be confidential and the portion where the confidential attribute cannot be determined. The method of claim 1 including the step of:   The method according to claim 1, further comprising the step of additionally registering and learning the data of the portion whose confidential attribute is estimated and determined in the rule.   Estimating and determining the confidentiality attribute estimates the confidentiality attribute of the variable portion of the template as confidential if any of the same cluster messages for the variable portion of the template includes at least one confidential portion. The method of claim 1.   The step of replacing the display of the variable part in the message with another display to generate a secure log includes selecting and replacing another display that retains the semantics of the variable part. The method according to 1.   The method of claim 1, comprising selecting the same separate display if the display of the original portion in the message is the same.   The method according to claim 2, further comprising an output step of transmitting only the secure log to the outside of the information processing apparatus. An information processing apparatus for identifying confidential information in a log, wherein the information processing apparatus includes:
A cluster unit that reads a message about the operation of the information processing apparatus from a log and clusters the messages in relation to the similarity of the messages;
A variable part specifying unit for specifying a variable part between messages among messages included in the cluster;
An attribute determination unit that attempts to determine the confidential attribute of the variable part using a preset rule;
When there is a portion where the confidential attribute cannot be determined by the rule, the estimation is performed using the correspondence between the appearance position of the portion where the confidential attribute cannot be determined in the message and the appearance position of the portion where the confidential attribute is determined. Or an attribute estimation unit that estimates and determines the confidential attribute of the portion where the confidential attribute cannot be determined from the co-occurrence frequency of the portion where the confidential attribute is determined and the portion where the confidential attribute cannot be determined;
Including information processing apparatus. further,
A message analyzer that reads the messages from the log and sorts the messages in order of similarity of the messages;
A display replacement unit for generating a secure log by replacing the display of the variable part in the message with another display in response to the determined confidential attribute;
The information processing apparatus according to claim 15, wherein the message analysis unit quantifies the similarity of the message using edit distances of characters, characters, and spaces that form the message.   The information processing apparatus according to claim 15, wherein the variable part is code information described according to a rule provided by a word, a string string, or a regular expression constituting the message.   An apparatus-executable program for an information processing apparatus to execute the method according to any one of claims 1 to 14.