JP2016111555A - Information processing system, confidential information leakage prevention method, and confidential information leakage prevention program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a confidential information leakage prevention system configured to prevent attribute information relating to a document from being deteriorated even after repeated printing.SOLUTION: A confidential information leakage prevention system includes: storage means which registers a first image, which is an image of a document to be printed, and registers attribute information relating to the document to be printed, in association with the first image, when an image output apparatus prints the document to be printed; receiving means which receives at least a part of a printed matter, as a second image, after printing; and specifying means which specifies attribute information to be associated with the second image, by use of the second image, from the attribute information associated with the first image stored in the storage means.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an information processing system, a security leak prevention method, and a security leak prevention program.

  When document information in a printed material is leaked, some security software searches stored information in a database by using characters such as a printing date and time, a document creator, and a character string included in the document as a search key.

  However, in the search using the search key, it is difficult to identify a leaked document when a page containing only images and not including letters and numbers is leaked. Since the character string included in the document cannot be used as a search key, it is difficult to determine the print date and document creator of the leaked document.

  Further, as another measure for preventing document leakage due to printed matter, in Non-Patent Document 1, when printing a document, information such as “who printed this document when and where” is embedded in the document “digital watermark” The technology is already known. With this technology, even if the document is the same, if the print date / time, printer, printer, etc. are different, the embedded watermark information will also be different. Information can be extracted. In the unlikely event that a confidential document leaks to the outside, the information such as “who printed this document when and where” is extracted from the document, and the outflow route of the document is specified.

  However, when there are a plurality of digital watermark methods, the processing cost and time required for reading embedded watermark information increases. In order to solve this problem, a technique for storing a part of information necessary for reading a digital watermark in an external database (meta information database) is disclosed (Patent Document 1).

  Here, when the digital watermark is used, there is a case where the watermark information is deteriorated due to a slight change in the print image on the printed matter by repeating copying, and the embedded digital watermark information cannot be read.

  In view of the above circumstances, an object of the present invention is to realize an information processing system in which attribute information related to a document does not deteriorate even when printing is repeated.

In order to solve the above problem, in one embodiment of the present invention, when a document to be printed is printed by the image output apparatus, the information processing system displays a first image that is an image of the document to be printed. Storage means for registering and registering attribute information related to the document to be printed in association with the first image;
Receiving means for receiving, as a second image, at least a part of the printed material after the printing;
And specifying means for specifying attribute information associated with the second image using the second image from attribute information associated with the first image stored in the storage means.

  According to one aspect, in an information processing system, attribute information related to a document does not deteriorate even when printing is repeated.

1 is a schematic diagram of a network configuration related to a security leakage prevention system according to a first embodiment of the present invention. It is a figure of the example of a function structure of the server of FIG. 1, client PC, and administrator PC. It is explanatory drawing of the data recorded on the database. It is a sequence diagram of an example of operation in a 1st embodiment of the present invention. FIG. 4B is a detailed sequence diagram of an example of the operation of the server in FIG. 4A. It is the schematic of the network structure of the security leak prevention system which concerns on the 1st modification of 1st Embodiment of this invention. It is the schematic of the network structure of the confidential leakage prevention system which concerns on the 2nd modification of 1st Embodiment of this invention. It is the schematic of the network structure of the security leak prevention system which prohibits reprinting based on 2nd Embodiment of this invention. It is a figure of the example of a function structure of the server of FIG. 7, and a client PC. It is a sequence diagram of an example of operation in a 2nd embodiment. It is the schematic of the network structure of the confidential leakage prevention system which concerns on the 1st modification of 2nd Embodiment. It is the schematic of the network structure of the confidential leakage prevention system which concerns on the 2nd modification of 2nd Embodiment. It is a schematic explanatory drawing about the area where the confidential leakage prevention system which determines the propriety of taking out printed matter based on 3rd Embodiment of this invention is utilized. It is the schematic of the network structure of the confidential leakage prevention system which concerns on 3rd Embodiment. It is a sequence diagram of an example of operation in a 3rd embodiment. It is the schematic of the network structure of the confidential leakage prevention system which copes with the misplacement of the document based on 4th Embodiment of this invention. It is a sequence diagram of an example of operation in a 4th embodiment.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings.

<< First Embodiment >>
FIG. 1 is a schematic diagram of a network configuration showing a security leakage prevention system (information processing system) 1 according to a first embodiment of the present invention. The information processing system 1 according to the present embodiment is a basic information leakage prevention system according to the present invention in which all documents to be printed are registered together with a print history and can be searched at the time of information leakage.

  In the security leakage prevention system 1, a client PC 10 connected to an image output device (output printer) 20 is connected to a server 30 via a network 90 and is managed by an administrator PC (administrator PC) 40. ing.

  The client PC 10 is a client device that uses a program and data provided by the server 30 and is, for example, an information processing apparatus (information processing terminal) used by an employee or the like in a corporate network. The client PC 10 is operated by a user (operator or in-house member) and transmits a print image converted from print target data to be printed to the server 30.

  The server 30 functions as an image matching server 38 that registers a printed material as an image and can search for a predetermined image from the registered image later. In the server (information management server) 30, a processing unit 34 that performs information processing is connected to storage means (database: Data base DB) 33 that holds document data.

  The storage means 33 is a nonvolatile semiconductor memory (ROM or the like) that can retain internal data even when the power is turned off. Further, in order to secure the storage capacity, the storage means 33 may be an external memory such as an HDD (Hard Disk Drive).

  The image output device 20 receives information from the client PC 10. In the present embodiment, the image output device 20 is a printer having at least a printer function and the like. Further, the image output device 20 may be a digital multifunction peripheral having a scanner function, a fax function, a printer function, or the like, or a multifunction peripheral device (Multifunction Peripheral: MFP) which is a multifunction peripheral having a plurality of these functions. Good.

  The administrator PC 40 is an information processing apparatus for managing information in the server 30 and the client PC 10 connected to the network and monitoring information leakage, for example, in a security department in a company or the like.

  FIG. 2 is a diagram illustrating an example of functional configurations of the server 30, the client PC 10, and the administrator PC 40 illustrated in FIG. The client PC 10 includes a print job reception unit 11, a printer driver 12, a print image / print history extraction unit 13, and a print image / print history transmission unit (communication unit) 14.

  The print job reception unit 11 receives a print job input from a user. Here, the print job instructed by the user includes a file name as attribute information together with print target data that is a document file. Further, the personal computer name (device name of the client device), the user name (login ID of the client PC), the printing time, and the like are automatically included as attribute information by the function of the client PC 10 that is the information processing apparatus.

  The printer driver 12 includes a print data generation unit 121 and a print data transmission unit 122. The printer driver 12 converts the print target data of the print job received from the print job reception unit 11 into print data that can be interpreted by the printer, and transmits the print data to the image output device 20 to output a printed matter. .

  Specifically, the print data generation unit 121 converts the data of the electronic file (command) of the instructed print target data into print data described in a page description language (PDL) that can be interpreted by the printer. Convert.

  The data to be printed includes, as file formats, HPGL (Hewlett-Packard Graphics Language), TIFF (Tagged Image File Format), Calcomp, JPEG (Joint Photographics Group (registered trademark), W Group trademark, W group trademark, W group trademark, W group trademark, W group trademark, W group trademark, and W trademark) (Registered trademark).

  Further, as an example of PDL, there can be PS (Post Script) format data. When generating PDL from print target data, adjust the text and size of the print image to match the page at the time of printing, and the URL, date, title, The number of pages, the name of the printer, etc. may be assigned.

  The data for printing may have, for example, a print control command and a drawing command. After the PDL is generated or created, a process such as generation of a raster image by rastering or a vector image is performed, and this process is performed. The processed data may be used as print data.

  The print data transmission unit 122 outputs the print data obtained by the print data generation unit 121 to the image output device 20. Then, the image output device 20 forms an image based on the printing data and outputs (prints out) the printed matter.

  The print image / print history extraction unit 13 extracts an image for each page of the printed matter to be output from the print data obtained from the print data generation unit 121 as a print image (first image).

  At the same time, in the present embodiment, the print image / print history extracting unit 13 displays the file name input by the user and the attribute information such as the personal computer name, the user name, and the print time added by the client PC 10 with “who is It is extracted as a print history “when and what was printed”. The attribute information can include a security level.

  The print image / print history transmission unit 14 serving as the communication unit transfers the print image and attribute information acquired from the print image / attribute information extraction unit 13 to the server 30.

  The server 30 includes a processing unit 34 and a storage unit 33 as a hardware configuration. The processing unit 34 includes a communication unit 31 that communicates with the client PC 10 and the administrator PC 40, and a search control unit 32 that is related to image search in a print image.

  The communication unit 31 includes a print image / attribute information receiving unit 311, a read image receiving unit 312, and an attribute information transmitting unit 313.

  The print image / attribute information receiving unit 311 is connected to the print image / print history transmitting unit 14 of the client PC 10 via the network 90 and receives the print image / attribute information. The print image / attribute information receiving unit 311 transfers the print image and the print history to the feature detection / index generation unit 35, and the attribute information including the print history is transferred to the print history access unit 362.

  The read image reception unit 312 and the print history transmission unit 313 are connected to the administrator PC 40 via the network 90, and when information leaks, the scanned image of the leaked document is received and the specified print history is transmitted.

  The search control unit 32 includes a feature detection / index generation unit (generation unit) 35, a database access unit (DB access unit) 36, and a data search unit 37.

  The feature detection / index generation unit 35 extracts a feature amount from the print image and generates an index. Details will be described with reference to FIG.

  The DB access unit 36 includes a print image access unit 361 and a print history access unit 362. The DB access unit 36 performs transmission / reception with the feature detection / index generation unit 35 and the data search unit 37, and the print image database (DB) 331, index DB 332, and print history DB 333 included in the storage unit 33.

  When searching for attribute information at the time of information leakage, the data search unit 37 searches the databases 331, 332, and 333 by image matching. The data search unit 37 includes a print image search instruction unit 371, an image matching unit 372, and an attribute information acquisition unit 373.

  The print data instruction unit 371 instructs to search for a print image and receives a search pointer (see FIG. 3).

  The image matching unit 372 searches the print image DB 331 and the index DB 332 via the print image access unit 361 and performs image matching. In the image matching, the feature amount of the received image is extracted, and the received image (read image) is searched from the registered print images using the feature amount. That is, by extracting the feature amount of the received second image and performing image matching using the feature amount, an image that matches the received second image from the registered first images Search for.

For example, as an example of image matching, an outline of RVS (Ricoh Visual Search) is disclosed in the following Web page and Japanese Patent Application Laid-Open No. 2010-140250.
http://www.ricoh.co.jp/about/company/technology/tech/044.html

  The attribute information acquisition unit 373 searches the print history DB 333 via the print history DB access unit 362 using the pointer, and acquires attribute information including the print history.

  The storage unit 33 includes a print image DB 331, an index DB 332, and a print history (attribute information) DB 333. When printing, the storage unit 33 registers the print image (first image) and attribute information in association with each other, so that when an image matching request is received at the time of subsequent information leakage, the corresponding image is searched. Attribute information can be specified. Here, the time of printing may be somewhere from the print instruction to the actual printing (in parallel with the printing) or after the actual printing is output as shown in the following flow. Also good. The storage means 33 will be described in detail later with reference to FIG.

  In this configuration, when information is leaked, the information leak search unit of the administrator PC 40, the data search unit 37, the read image receiving unit 312 and the attribute information transmission unit 313 in the server 30 serve as a leaked document search program.

  The administrator PC 40 has a leaked document search instruction unit (leaked document search unit) 41 that executes a leaked document search program. The leaked document search instruction unit 41 includes a read image transmission / reception unit 411, an attribute information reception unit 412, and a user interface 413.

  Further, the administrator PC 40 may include a security level setting unit 42 that can change the security level after registering the print image. For example, when an unpublished product is announced or sold and becomes publicly known, the administrator operates the security level setting unit 42 later to store the security level of the registered document, and the storage unit 33 later. It is also possible to change the data in the print history DB 333.

  FIG. 3 is an explanatory diagram of data recorded in the database. The print image DB 331 includes print image data 334 and page data 335.

  The print image data area 334a of the print image data 334 is acquired by the print image / print history receiving unit 311 of the server 30 through communication to acquire the print image (first image) extracted for each page of the printed matter in the client PC 10. It is recorded when you do.

  The print image identifier data area 334b of the print image data 334 is recorded when the feature extraction / index generation unit 35 extracts a feature amount from the print image and generates an index. Specifically, data relating to an identifier for specifying the acquired print image page (information leakage page) is recorded in the print image identifier data area 334b. In a plurality of embodiments of the present invention, data obtained by extracting the feature amount of the print image by the feature extraction / index generation unit 35 is recorded as a print image identifier.

  The page data 335 includes a page identifier, a print image identifier, and a spare area. This page data 335 is recorded when the feature extraction / index generation unit 35 extracts a feature amount from a print image and generates an index.

  In the page identifier data area 335a, data relating to an identifier for specifying each element (sentence, drawing, etc. constituting the page) included in each page of each print image is recorded.

  In the print image identifier data area 335b, data relating to an identifier for specifying a page of the print image associated with the print image data 334 is recorded.

  The spare area 335c may include, for example, related data such as coordinates for specifying an area in which elements (texts and drawings constituting the page) are arranged on each page, or may be transmitted next. It also becomes a preliminary area for the preparation of the printed image to be received.

  Since recording is performed in this way, the data recorded in the print image DB 331 can be regarded as a print image with an identifier by associating the print image 334b with the print image identifiers 334a and 335b.

  The index DB 332 includes index data 336 serving as an index for specifying a print image page. The index data 336 includes an upper index, a lower index, a page identifier, a print history pointer (attribute information pointer), and other data related to coordinates. The index data 336 is recorded when the feature extraction / index generation unit 35 extracts the feature amount from the print image and generates the index except for the attribute index.

  In the upper index and lower index data areas 336a and 336b, an index assigned by a feature amount calculated using the mixed media reality technique disclosed in US Pat. No. 7,702,673 is recorded. .

  In the present embodiment, a tree structure is provided, which is expanded into detailed lower indexes associated with typical upper indexes.

  In the page identifier data area 336c, an identifier for specifying the page of the page on which the feature amount is calculated is recorded with respect to the lowermost lower level index. Further, it may include a coordinate data area in which data relating to coordinates for specifying the position is recorded.

  As shown in FIG. 3, since the page identifier is included in both the print image DB 331 and the index DB 332, the print image data 334 and the index data 336 can be associated with each other. That is, an index for indexing can be added to the print image (first image).

  The print history pointer data area 336d is used to associate the index DB 332 with the print history DB 333. The print history pointer is an index indicating where the desired print history is in the index DB 332. It becomes.

  In the present embodiment, the print history DB 333 includes print history data (attribute information data) 337 including a user name (login name).

  The print history data area 337a of the print history data 337 is recorded when a print history extracted from a print job in the client PC 10 is acquired by the print image / print history receiving unit 311 of the server 30 through communication. In the present embodiment, the print history includes the name of the user who instructed printing, the date and time of printing, the document name, the printer name, and the computer name of the client PC. In the present embodiment, a print history can be acquired from a scan image of a leaked document when information leaks.

  In this embodiment, the attribute information is a print history including the name of the user who has printed, but in the second embodiment, the reprint status is checked, and in the third embodiment, the attribute information is taken out of a predetermined security management area. In the fourth embodiment, a printed user name can be included.

  The index pointer data area 337b associates the index DB 332 with the print history DB 333. The index pointer is an index indicating where the desired index is in the print history DB 333.

  Thus, the index DB 332 and the print history DB 333 are associated with each other by the print history pointer 336d of the index DB 332 and the index pointer 337b of the print history DB 333. As a result, the print image data 334 and the print history data 337 are associated with each other, and the print history can be searched from the registered print images.

  FIG. 4A is a sequence diagram of an example of operation in the first embodiment of the present invention. FIG. 4B is a detailed sequence diagram of an example of the operation of the server in FIG. 4A. With reference to FIG. 4A and FIG. 4B, the flow at the time of registration of information leakage and information leakage will be described.

((When printing starts))
In S101 of FIG. 4A, the user inputs a print job on the client PC.

  In S102, the client PC 10 generates print data. More specifically, the print data generation unit 121 converts data to be printed into print data such as a PDL format.

  In step S <b> 103, the generated print data is transferred to the image output device 20 by the print data transmission unit 122. Then, the image output device 20 forms an image based on the print data and outputs (prints out) the printed matter (S104).

  In parallel with the printout operation or after the printout operation, the generated print data is sent to the print image / print history extraction unit 13 in the client PC 10.

  In S <b> 105, the print image / print history extraction unit 13 extracts a print image (first image) for each page from the print data, and extracts attribute information by the function of the client PC 10.

  The print image is transferred to the server 30 by the print image / attribute information transmission unit 14 together with the extracted attribute information (print history in the present embodiment) (S106).

  More specifically, in S1 of FIG. 4B, the server 30 performs bidirectional communication with the client PC 10, and the print image / attribute information acquisition unit 311 of the communication unit 31 acquires the print image and attribute information (S1). Then, the print image / attribute information acquisition unit 311 transmits the print image and attribute information to the feature extraction / index generation unit 35 (S2), and transmits the attribute information to the print history access unit 362 of the search control unit 32. (S3).

  In S107 (FIG. 4B, S4), the feature extraction / index generation unit 35 extracts the feature amount of the acquired print image, and uses the extracted feature amount and the acquired attribute information for indexing each file. (See FIG. 3). As a result, a print image with an identifier, an index, a page identifier, and a pointer (attribute information pointer, index pointer) are generated and sent to the storage unit 33 (FIG. 4B, S5).

  In S108 (FIGS. 4B and S6), a print image with an identifier, an index, a page identifier, and a pointer, and separately acquired attribute information (print history) are a print image DB 331, an index DB 332, and a print history DB (attribute information DB). 333 is registered. As described above, by storing in the storage unit 33, when a subsequent image matching request is received, an image corresponding to the read image can be searched for in the registered print image.

((When information is leaked))
Assume that information leakage occurs in S200. In step S <b> 201, the administrator scans a printed matter (page) in which information is leaked with the scanner 50. The scanner 50 transmits the read image to the administrator PC 40 (S202).

  The administrator activates the leaked document search program on the administrator PC 40. Note that the administrator PC 40 may be configured to automatically start the leaked document search program in response to reception of a read image from the scanner 50 by setting in advance.

  In S203 (FIGS. 4B and S7), the administrator PC 40 performs two-way communication with the server 30, and the read image transmission / reception unit 411 of the administrator PC 40 is scanned by the read data reception unit 312 of the communication unit 31 of the server 30. An image (second image) is transmitted. In addition, an image matching request is also transmitted so as to search from the registered print image.

  In the server 30, the read image receiving unit 312 that receives the scanned image (read image, second image) transmits the read image and a request for image matching to the data search unit 37 (S 8 in FIG. 4B).

  As described above, printing is instructed and print images of all documents (print target data) to be printed are registered in the storage unit 33 for each page and each print job (document).

  In the search, the data search unit 37 requests the storage unit 33 to read the print image via the print image access unit 361 of the DB access unit 36 (FIG. 4B, S9). Then, a print image with an identifier and an index are acquired from the storage means 33 (S10).

  Then, using the image matching technique, a print image matching the scanned image is searched in the print image DB 331, and the print image data 334 is specified (S204, S11).

  When a print image that matches the scanned page image (image in which information is leaked) is specified, the data search unit 37 reads the storage means 33 in FIGS. 4B, S12, and S13, and acquires attribute information (print history). To do.

  In S205, the data search unit 37 uses the attribute information of the specified print image data (image) 334 (in this embodiment, the user name, the print date and time “who printed the information”), the page identifier, It specifies using a pointer (S205, FIG. 4B, S14).

  Thereafter, the data of the attribute information (user name, printing date) determined in S206 is transmitted to the leaked document search instruction section (program) 41 of the administrator PC 40 that is the transmission source (FIG. 4B, S15, S16).

  The processes of S105 to S108 and S202 to S206 described above are executed by a security leakage prevention program.

  As described above, by using the confidential leakage prevention system 1 according to the embodiment of the present invention, it is possible to specify a leaked document using a scanned image.

  As described above, in the embodiment of the present invention, the print image of the document to be printed is stored in the server in association with the information of “who printed this document when and where”, and the image matching is performed from the scan image of the leaked document. The print image of the document on the server is identified by technology. Accordingly, it is possible to acquire information on “who printed this document with which printer” and corresponding to this document.

  Note that the print image of the document to be printed registered in the server 30 does not necessarily have to be all pages. For example, when a print image is registered in the storage unit, a document with a high confidential level may be selectively stored. Specifically, when printing a general-purpose public Internet screen, the server does not store the print image of the document to be printed, and when printing confidential information disclosed only within the in-house network, You may set so that a printing image may be memorize | stored. Such selective registration can be applied, for example, in the first embodiment and the second embodiment.

  Furthermore, in the embodiment of the present invention, since the print image of the original document can be automatically found based on the scanned image and the print history information can be acquired, the character string search key is not used. The leaked document can be identified even if the document is leaked.

<Modification 1>
FIG. 5 is a schematic diagram of a network configuration of a security leakage prevention system according to a first modification of the first embodiment of the present invention. In the above-described embodiment, the printer driver is provided in the client PC. However, the printer driver may be provided in the server.

  When the printer driver 39A is installed on the server side, the print image / print history extraction unit 39B is also installed on the server side, so the server 30A instructs the operations of the processes S102 to S105 in FIG. 4A.

  In this case, the print job transmission / reception unit 15 of the client PC 10A transmits the print job before being converted into a print image to the server 30A.

  Further, the administrator PC 40A may be a mobile terminal (information processing terminal) 40A such as a smartphone, a tablet terminal, a notebook PC (Personal Computer), and a business wireless terminal, which includes the camera 43 as a photographing unit.

  In yet another system, the server 30A on which the printer driver 39A is installed may be combined with the administrator PC 40 that is the information processing apparatus of the first embodiment using a scanner.

  Since other operations and configurations are the same as those in the above-described embodiment, description thereof is omitted.

<Modification 2>
FIG. 6 is a schematic diagram of a network configuration of a security leakage prevention system according to a second modification of the first embodiment of the present invention.

  In the above-described embodiment, the printer driver provided in the client PC 10B transmits a print document to the server when executing printing. However, when the PDF creation unit 16 creates a PDF, It may be sent to the server.

  The PDF creation unit 16 operates according to an instruction from the printer driver 12 or is installed in the printer driver 12, for example, various PDF creators (PDF creation software) set by download or package.

  In this configuration, when PDF documents such as various words, Excel, and PowerPoint (registered trademark) are PDF, a PDF image is transmitted to the server 30 and a confidential document is prevented from being leaked by the PDF.

  It should be noted that such identification of the operator by PDF may be combined with identification of the printer by printing by printout as described above so that it can be searched when information leaks.

  Also in the present embodiment, when information leaks, an image that matches the read image can be specified from the scanned image, the PDF image, and / or the print image by image matching.

<< Second Embodiment >>
FIG. 7 is a schematic diagram of a network configuration of the confidential information prevention system (information processing system) 2 according to the second embodiment.

  In the present embodiment, the information processing system 2 is a system that prohibits reprinting, copying, and scanning of a document that has been printed once. The administrator PC 40C includes a reprint permission / inhibition setting unit 44. Note that the administrator PC 40C may include the leaked document search instruction unit 41 as in the first embodiment.

In the present embodiment, the attribute information further includes information indicating whether or not reprinting is possible. Specifically, the following check boxes are added to the setting items of the printer driver.
□ Prohibit reprinting, copying, and scanning of this document (A)
FIG. 8 is a diagram illustrating an example of functional configurations of the server 30C, the client PC 10C, and the administrator PC 40C in FIG. Only differences from the first embodiment will be described.

  The client PC 10C includes a user interface 18 for selecting a check box, and the check status selected by the user interface and the print job are transmitted to the server 30C by the print job transmission / reception unit 15.

  In the present embodiment, as in the modification of FIG. 5, a printer driver 39A and a print image / print history extraction unit 39B are provided on the server 30C side. Therefore, at the time of printing, the client PC 10C performs communication before creating print data, and transmits a print job to the server 30C by the print job transmission / reception unit 15.

  The printer driver 39A provided in the server 30C includes a print data temporary storage area 393 in addition to the print data generation unit 391 and the print data transmission unit 392. In this embodiment, even if printing data is generated, printing may not be permitted. Therefore, after the printing data generated by the printing data generation unit 391 is created, the printing data temporary storage area is temporarily stored. 393 is saved. When the printout is permitted according to the following flow, the print data temporary storage area 393 transmits the print data to the print data transmission unit 392 and the image output apparatus 20 performs the printing.

  The client PC 10 </ b> C includes a print disable receiving unit 17 that receives a print disable instruction when printing is not possible, and displays on the user interface 18 that printing is not possible.

FIG. 9 is a sequence diagram of an example of operation in the second embodiment.
First, it is assumed that the user performs a document printing operation on the client PC 10C (S301).
The user selects whether or not to check the “prohibit reprinting, copying, and scanning of this document” check box in the above (A) when instructing normal printing (S302).

  The selection status of the print job and the check box is transferred when the client PC 10C and the server 30C communicate in S303. Thereafter, in the server 30C, print data is generated (S304), and the print image / attribute information extraction unit 39B extracts the print image (S305).

  In the present embodiment, the generation of print data and the extraction of the print image need to be checked before printout, so it is more preferable to be on the server 30C side because the number of communications is not increased. However, if the function for transmitting print data is connected to the data search unit 37 that performs image matching, a print data generation function and a print image extraction function may be provided in the client PC 10C.

  In the printer driver 39A, the print data generated by the print data generation unit 391 is temporarily stored in the print data temporary storage area 393 (S304).

  Then, the data search unit 37 searches for a match between the image to be printed this time (second image) and the print image (first image) printed before and registered in the database. Matching is performed (S306).

  In image matching, if a past print image registered in the print image DB 331 of the server 30C does not have a print image that matches the image to be printed this time (S307), that is, a document desired to be printed this time is stored in the past. If it has never been printed, printing is allowed. Therefore, the print image is transmitted to the image output apparatus 20 (S308).

  In the case where there is at least one print image of the document that matches the past print image registered in the storage unit 33, the process proceeds to S309. If there is at least one piece of print history information in which the check box of (A) is on, the print corresponding to the print image is not permitted. If reprinting is not permitted and printing is not permitted, the server 30C notifies the client PC 10C that printing is not permitted (S310).

  The client PC 10C displays “Printing of this document is prohibited” in the user interface unit (S311).

  In S309, if the history corresponding to the print image is all the past print histories in the print history database 333 and the check box (A) is off, reprinting is permitted. Therefore, the print image is transmitted to the image output device 20 (S312).

  In S308 and S312, when printing (reprinting) is permitted, the printing data stored in the temporary storage area 393 is transmitted to the image output apparatus 20, and printout is executed (S313).

  When a document becomes confidential after printing in the storage unit 33 by an operation from the reprint permission setting unit 44 of the administrator PC 40C, the confidential document registered in the storage unit 33 is checked later, It is also possible to remove the check after a predetermined period.

  When the printout is performed through S308 or S312 (S313), the feature extraction / index generation unit 35 extracts the feature amount of the acquired print image, and based on the extracted feature amount and the acquired attribute information. , An index for each file is attached. Then, the storage unit 33 registers the identifier-added print image, the index, the page identifier, and the pointer, and separately acquired attribute information (print history) (S314, S315).

  As described above, when printing is actually performed, the image is stored in the storage unit 33, and when an image matching request is received later, an image corresponding to an image desired to be printed this time is registered in the registered print image. You can search.

  This prohibition of reprinting can prevent both reprinting by the same user and printing across a plurality of users.

  Therefore, by restricting the reprinting of the confidential document after the printout, it is possible to prevent the confidential document from being leaked, and when the confidential document is leaked, it becomes easier to identify the person who leaked it first.

  The control of this embodiment for prohibiting reprinting in this way can also be applied to the following modifications.

<Modification 1>
FIG. 10 is a schematic diagram of a network configuration of a security leakage prevention system 2-1 according to a first modification of the second embodiment.

  In this modification, the network 90 is connected to the copying machine 60 in addition to the second embodiment. The copying machine 60 only needs to have a copying function, and may be operated as a copying machine in a multifunction machine such as an MFP having other functions (printer, scanner, FAX, etc.). Other configurations are the same.

In the present modification, as in the second embodiment, the attribute information further includes information indicating whether reprinting (rescanning) is possible for the purpose of information leakage. Specifically, as described above, the following check boxes are added to the setting items of the printer driver.
□ Prohibit reprinting, copying, and scanning of this document (A)
In this modification, it is assumed that the same or another user tries to copy a printed matter printed out while registering with the server by the method of the second embodiment of the present invention using the copying machine 60.

  In the document reading unit 61, the copying machine 60 once scans the document, transmits a document image (second image) to the server 30D, and issues a request for image matching.

  From here, as in S307 to S312 of the flow of FIG. 9, if the same document has been printed out in the past and the check box of (A) is on in the print history information, The server 30D transmits “copy prohibited” to the communication unit 62 of the copying machine 60.

  At this time, the copying machine 60 displays “copying of this document is prohibited” on the operation panel (display unit) 64, and does not perform output at the output unit 63 that forms an image, and stops copying. .

  In this way, by restricting the reproduction of the printed matter of the confidential document, it is possible to prevent leakage of the confidential document.

<Modification 2>
FIG. 11 is a schematic diagram of a network configuration of a security leakage prevention system 2-2 according to a second modification of the second embodiment.

  In this modification, in addition to the second embodiment, the network 90 is connected to another second client PC 10D.

  Assume that another user tries to convert a document to PDF in the PDF creation unit 16 such as a PDF creator in the second client PC 10D.

  The PDF creation unit 16 once converts the document into a PDF, and then transmits a PDF-converted image (second image) of the document to the server, and issues an image matching request.

  From here, as in S307 to S312 of the flow of FIG. 9, if the same document has been printed out in the past and the check box of (A) is on in the print history information, The server 30D transmits “PDF prohibition” to the communication unit of the second client PC 10D.

  At this time, the second client PC 2 displays “This document is prohibited from being converted to PDF” on the display (display unit), and does not perform output in the PDF creation unit 16, and stops the PDF conversion.

  As described above, by restricting the confidential document to be PDF, leakage of the confidential document can be prevented.

  In the present modification, an example in which a document in a personal computer is converted to PDF has been shown, but the same control is performed when a document already printed out is scanned by a scanner connected to the client PC 2. In this example, the leakage of the confidential document can be prevented by restricting the reading of the confidential document by scanning the printed matter.

  In the second embodiment and its modifications 1 and 2, any information leakage prevention measures by reprinting by printout, copying by copying a printed material, PDF conversion of data in a PC, and scanning after printout are arbitrarily selected. Combinations may be supported.

<< Third Embodiment >>
FIG. 12 is a schematic explanatory diagram of an area where the information leakage prevention system (information processing system) 3 according to the third embodiment is used. The information processing system 3 of this embodiment is a system that determines whether or not a printed material can be taken out from a predetermined security management area.

  The security leakage prevention system 3 of the present embodiment assumes a conference area (predetermined security management area) such as a bank having a high security level. As an example, in order to prevent leakage of confidential information such as personal information and money amount, at the entrance 81 of the conference area 80, the participant of the conference deposits 所 (all possessions including 鞄) at the organizer and exits. After leaving 82, you will receive the bag you deposited.

  In addition, at the exit of the conference area, the distributions distributed at the meeting tend to be confiscated as confidential. However, the distributions have various security levels, and some of them may be taken home. It can be assumed that it would be a hindrance that you could not take it home.

  Therefore, the present embodiment provides a security leakage prevention system that can automatically determine whether or not a printed material can be taken out according to the security level.

  FIG. 13 is a schematic diagram of a network configuration of the security leakage prevention system 3 according to the third embodiment. The configuration is similar to that of the first embodiment according to FIG. 1 described above, except that the client PC 10 is the organizer PC 10E and the administrator PC 40 is the exit PC 40E. In FIG. 13, the leaked document search unit 41 of the administrator PC 40 in FIG. 1 functions as a takeout availability search unit 45 of the exit side PC 40E, and the attribute information searched by the takeout availability search unit 45 is out-of-area takeout availability information. .

Further, it is preferable that the exit-side PC 40E is connected to at least the scanner 50 and is also connected to the document sorter 71. These are collectively referred to as a takeout availability determination device (outside area takeability determination device) 70. For example, an MFP having an ADF function and having a plurality of paper discharge trays may function as the scanner 50 and the document sorter 71.
Further, near the exit side PC 40E, the document sorter 71 may shred the document classified as confidential on the spot. Alternatively, the organizer's security officer may be arranged near the exit 82, and the document determined to be confidential may be manually sorted and collected.

  FIG. 14 is a sequence diagram illustrating an example of an operation according to the third embodiment.

((At the time of organizing the organizer materials))
First, it is assumed that the organizer's material creator performs a document printing operation on the organizer PC 10E (S401). As an example, it is assumed that the following check boxes are added to the setting items of the printer driver 12 of the organizer PC 10E.
□ Permit this document to be taken out of range (B)
The material creator who is the organizer selects whether the check box (B) is checked or not at the same time as the printing operation, so that the document can be taken out of the conference area 80. (S402).

The printer driver 12 of the organizer PC 10E creates print data from the print job, transmits it to the image output device 20, and prints it out. (S403, S404, S405)
Simultaneously with this printout operation, attribute information including a print image (first image) and out-of-area carry-out availability information is extracted from the print data and transmitted to the server 30E (S406, S407). In this embodiment, the printer driver 12 is provided on the organizer PC 10E side in FIG. 13, but the printer driver may be provided on the server 30E side as shown in FIG.

  The server 30E extracts the feature amount of the acquired print image, and attaches an index for each file based on the extracted feature amount and the acquired attribute information (see FIG. 3) (S408).

  A print image with an identifier, an index, a page identifier, and a pointer, and information on whether or not to carry out of the area as part of separately acquired attribute information are registered (stored) in the storage unit 33 (S409).

((Area exit))
Referring to FIG. 12, when a conference participant goes out of conference area 80 from exit 82, in the vicinity of exit 82, the printed distribution is sure to be scanned by carrying-out determination device 70. A guard is standing at Alternatively, a dedicated gate may be installed such that participants cannot pass through the exit unless the distribution is scanned, such as an automatic ticket gate.

  In FIG. 14, at the exit 82 of the conference area 80, a conference participant or a guard who has received a distribution from the participant reads all pages of the distribution with a scanner. As an example of a scanner, all pages may be automatically read by ADF (S501).

  In the take-out availability determination device 70, the exit-side PC 40E that has received the scanned image sends the scanned image to the server 30E and requests image matching (S502, S503).

  Then, the server 30E searches the print image DB 331 for a print image (first image) that matches the scanned image (second image) using an image matching technique (S504).

  Here, as a result of the search, when there is no scanned image (and a matching print image in the print image DB 331 of the server 30E (S505), a prohibition of taking out the printed material outside the conference area 80 is transmitted ( At this time, if the image scanned this time does not match the printed image of the registered printed matter, it is determined that there is some writing, and the writing during the meeting is the content obtained at the meeting. This is because the content is often confidential.

  Further, in image matching, if there is a print image that matches the scanned image in the print image DB 331 of the server 30E (Yes in S505), the attribute information is read (S507), and it is confirmed whether or not it can be taken out of the area. To do.

  If there is a registered print image that matches the scanned image and out-of-area information (attribute information) associated with the print image is not available (No in S507), out-of-area Is sent so as to be prohibited (S508).

  If there is a registered print image that matches the scanned image and out-of-area information associated with the print image is available (Yes in S507), allow out-of-area take-out (S509).

  In S506, S508, and S509, the prohibition / permission of taking out of the area is transmitted, and the document sorter 71 that receives the instruction is different depending on whether or not the takeout is allowed to be carried out so as to sort out whether or not the distribution item can be taken out for each page. Sort to tray (S510). Note that the server 30E directly instructs the document distributor 71, but the information may be gathered via the exit PC 40E and then instructed to the document distributor 71.

  Participants receive the distribution in the take-out permission tray. Alternatively, the security guard may receive a handout that can be taken out and give it to the participant.

  In the present embodiment, it is possible to determine whether to take out a document in a printed distribution according to the security level. In other words, when the security level is higher than the standard (confidential) or the stored print image cannot be searched, take-out is not permitted, and only those that are determined to have no problem with the security level are permitted. Therefore, it is possible to discriminate the security level registered in advance and to prevent document leakage due to writing.

<< Fourth Embodiment >>
FIG. 15 is a schematic diagram of a network configuration of a security leakage prevention system (information processing system) 4 according to the fourth embodiment.

  The information processing system 4 according to the present embodiment is a document management system that deals with misplaced printouts and mistakes, and the network configuration is similar to that of the first embodiment.

  In this embodiment, when the printer misplaces or misplaces the printed matter that has been printed out, not at the time of information leakage, the acquired document discoverer passes it to the administrator to return it to the original printer, and the administrator Is different in that it searches. The leaked document search unit 41 in FIG. 1 functions as a misplaced document search unit 46 in FIG.

  FIG. 16 is a sequence diagram of an example of operation in the fourth embodiment. Since the printing flows S101 to S108 are the same as those in FIG. 3 of the first embodiment, a description thereof will be omitted.

  In S600, it is assumed that the user A finds a misplaced (printed-out print that has been left out) on the printer that is the image output apparatus 20, or has accidentally picked up a print-out printed by another person. However, the user A who is a document discoverer does not know who the acquired printed matter belongs to, and therefore does not know who to deliver it to.

  Therefore, in order to search for the original printer, the user A who is the document discoverer takes the misplaced printed matter to the security administrator.

  The security administrator scans the printed material that has been left unattended (S601). Alternatively, when the document discoverer (user A) is away from the security administrator, the document discoverer scans the printed material that has been printed out and sends the scanned image to the security administrator.

  The security administrator gives an instruction from the administrator PC 40F (S603), and the scanned image (second image) among the registered print images (first image) on the server 30F by the image matching technique. The search is performed (S604). In the system of this embodiment, from the viewpoint of preventing document leakage, the search in image matching can be executed only by the administrator PC 40F for the security administrator, and the document discoverer who is the user performs the search by image matching. It cannot be executed.

  Then, using the image matching technique, a print image that matches the scanned image is searched in the print image DB 331, and data (image) 334 is specified (S604).

  When a print image that matches the scanned page image (a misplaced document) is specified, the data search unit 37 in the search control unit 32 reads the storage unit 33 and acquires the print image.

  In step S <b> 605, the data search unit 37 determines the attribute information (user name in the present embodiment) of the specified print image data (image) (334) using the page identifier.

  Thereafter, in step S606, the data of the determined attribute information (user name in the present embodiment) is transmitted to the leaked document search instruction unit (program) 41 of the administrator PC 40F that is the transmission source.

  In this way, the administrator PC 40F can specify a person (for example, user B) who has left a document on the printer using the scanned image. Since the data is output to the same printer, there is a high possibility that the document discoverer (user A) and the printer (user B) are close to each other.

  Based on the search result, the security administrator returns the printed matter that has been printed out to user B who is the original printer. Alternatively, when the administrator is far from the users A and B, the administrator notifies the document discoverer (user A) that the document has been printed by the user B, and the document discoverer (user A) Return the printed matter printed out to user B who is the printer.

  In the present embodiment, it is possible to prevent a misplaced and misprinted printed matter from being lost using a scanner, and return the printed matter to a printer (user B) who has performed printing.

  Therefore, by preventing a document including a confidential document from being left on the printer, leakage of confidential information due to the document can be prevented.

  As described above, the technology of the information leakage system of the first embodiment can be applied to the second to fourth embodiments. In any of the embodiments, storage means can be provided in the server, image matching can be performed, and additional hardware for watermarking is unnecessary, so that the entire system can be introduced at low cost. Furthermore, the attribute information related to the document does not deteriorate even when printing is repeated, and the information is not embedded in the printed matter itself, so that the amount of information related to the document can be eliminated.

  Further, since the server stores the information, the secret designation can be canceled after a period when the confidential document is required to be confidential due to product announcement or the like.

  As mentioned above, although this invention has been demonstrated based on each embodiment, this invention is not limited to the requirements shown in the said embodiment. With respect to these points, the gist of the present invention can be changed without departing from the scope of the present invention, and can be appropriately determined according to the application form.

1,1-1,1-2,2,2-1,2-2,3,4 The security leakage prevention system 10, 10A, 10B, 10C, 10F Client PC (member PC)
20 Image output device 30, 30A, 30B, 30C, 30F Server (print server)
40, 40A, 40B, 40C, 40F Administrator PC
50 Scanner 11 Print Job Accepting Unit 12 Printer Driver 13 Print Image / Print History Extraction Unit (Print Image / Attribute Information Extraction Unit)
14 Print image / print history transmission unit (communication unit)
31 Communication Unit 32 Search Control Unit 33 Storage Unit 34 Management Unit 38 Image Matching Server 41 Leaked Document Search Instruction Unit (Leaked Document Search Unit)
42 Security Level Setting Unit 311 Print Image / Print History Receiving Unit 312 Read Image Receiving Unit (Accepting Unit)
313 Print history transmission unit 35 Feature extraction / index generation unit 36 Database access unit (DB access unit)
361 Print image access unit 362 Print history access unit (attribute information access unit)
37 Data search unit 371 Print image search instruction unit 372 Image matching unit 373 Print history acquisition unit 331 Print image database 332 Index database 333 Attribute information database (print history database)
334 Print image data (image)
15 Print Job Transmission / Reception Unit 17 Unprintable Reception Unit 18 User Interface 39A Printer Driver 393 Print Data Temporary Storage Area 39B Print Image / Print History Generation Unit 60 Copier 61 Original Reading Unit 62 Communication Unit 63 Output Unit 64 Display Unit 10D Second Client PC
11A PDF job reception unit 16 PDF creation unit 80 Conference area (predetermined security management area)
81 Entrance 82 Exit 10E Organizer PC
30E Organizer server 70 Take-out availability determination device (out-of-area take-out availability determination device)
40E Exit PC
45 Take-out availability search unit 71 Document sorter 90 Network

JP 2002-016781 A

http://www.hitachi.co.jp/products/it/portal/info/magazine/uvalere/uvalue_seed/seed02/index03.html

Claims (12)

When a document to be printed is printed by the image output apparatus, a first image which is an image of the document to be printed is registered, and attribute information related to the document to be printed is registered in the first Storage means for registering in association with the image of
Receiving means for receiving, as a second image, at least a part of the printed material after the printing;
Specifying means for specifying attribute information associated with the second image using the second image from attribute information associated with the first image stored in the storage unit;
Information processing system. The attribute information includes whether or not it can be taken out of a predetermined security management area,
The storage means registers information indicating whether or not the information can be taken out of the security management area in association with the first image;
The information processing system according to claim 1. The information processing system
A server comprising the storage means, the accepting means, and the specifying means;
An out-of-area availability determination device disposed near the exit of the security management area,
The apparatus for determining whether or not to take out of the area reads the page of the printed matter as a second image by a scanner near the exit, and transmits the read second image to the server.
The server searches the registered first image for an image that matches the read second image,
The out-of-area carry-out availability determination device determines whether or not each printed page can be taken out of the security management area according to a search result.
The information processing system according to claim 2. When searching for an image matching the read second image from the registered first images,
If there is no image that matches the read second image in the registered first image, it is determined that there is a writing in the printed material, and the printed material is taken out of the security management area. Is not allowed,
The security management area registered in association with the matched first image, in the case where an image that matches the read second image exists in the registered first image Information on whether or not to take out is impossible, does not allow taking out the printed matter outside the security management area,
In the case where there is an image that matches the read second image in the registered first image, the predetermined confidential information registered in association with the matched first image Information on whether or not it is possible to take it out of the management area is permitted;
The information processing system according to claim 3. The attribute information includes a print history including a user name that executed printing, a printing date and time, and a document name,
The storage means registers the print history in association with the first image;
The information processing system according to claim 1. When a document leak is detected,
Reading at least a part of a page of the document leaked by the reading unit as a second image, searching the registered first image for an image that matches the read second image, Obtaining the print history by specifying,
The information processing system according to claim 5. When misplaced or misplaced printed matter is detected in the image output device,
The misplaced / misplaced printed matter is read as a second image by a reading means, and an image that matches the read second image is searched from the registered first images, and the image is specified. To obtain the name of the user who executed the printing,
The printed matter can be returned to the user who executed the printing.
The information processing system according to claim 5. The attribute information includes whether or not reprinting is possible.
The storage unit registers information indicating whether or not reprinting is possible in association with the first image;
The information processing system according to claim 1. When trying to print a document printed by an image output device,
Create a second image of the printed output for the document to be printed this time,
Search for images matching the second image to be printed this time from the first images registered in the past,
If there is no image that matches the second image to be printed this time among the first images registered in the past, the printing of the current printed matter is permitted,
The first image registered in the past includes an image that matches the second image to be printed this time, and is registered in association with the matched first image. If the information on whether or not reprinting is possible is reprinting, the printing of this printed matter is permitted,
The first image registered in the past includes an image that matches the second image to be printed this time, and the image registered in association with the matched image If the information on whether or not reprinting is possible is not possible to reprint, prohibit printing of this printed matter.
The information processing system according to claim 8. Whether the reprinting included in the attribute information can be changed after registration in the storage unit.
The information processing system according to claim 8 or 9. When a document to be printed is printed by the image output apparatus, a first image which is an image of the document to be printed is registered, and attribute information related to the document to be printed is registered in the first Registered in association with the image of
After the printing, at least a part of the printed matter by the printing is received as a second image,
From the attribute information associated with the registered first image, the attribute information associated with the second image is identified using the second image.
Security leak prevention method. By an information processing system comprising a storage means, a receiving means, and a specifying means,
When a document to be printed is printed by the image output apparatus, a first image which is an image of the document to be printed is registered, and attribute information related to the document to be printed is registered in the first Processing to register in association with the image of
After the printing, a process of receiving at least a part of the printed material as the second image,
A process of identifying attribute information associated with the second image using the second image from the attribute information associated with the registered first image;
Security leak prevention program.

Images