JP2016224506A - Information leak detection device, information leak detection system, and information leak detection program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information leak detection device, an information leak detection system, and an information leak detection program that can appropriately detect information leak regardless of known or unknown malware without requiring to update virus patterns.SOLUTION: An information leak detection device comprises: a program action and operation check function unit 15A that checks to see if input operation into a program is operation by a person; a file/registry/DB access check function unit 15B that checks to see if the program is accessing a storage area; an external communication check function unit 15C that checks to see if the program is communicating to an external address; and a malware determination function unit 15E that determines whether the program is malware on the basis of contents checked by the program action and operation check function unit 15A, file/registry/DB access check function unit 15B, and external communication check function unit 15C.SELECTED DRAWING: Figure 4

Description

  The present invention relates to an information leak detection device, an information leak detection system, and an information leak detection program, and in particular, confidential information in a computer used in a closed network such as an in-house is leaked by a malicious third party attack. It relates to technology to detect and prevent.

  In recent years, leakage of information caused by electronic attacks has become a problem (see Patent Documents 1 and 2). Information leaks when information in the PC is transmitted to the attacker's server without the victim's intention. As a method for dealing with this problem, “pre-startup detection” such as a pattern matching method and a reputation method and “post-startup detection” such as a behavior detection method and an outflow detection method are representative.

JP 2013-246463 A JP 2005-275669 A

  However, in the pattern matching method and the reputation method classified as detection before activation, it is necessary to list and possess virus candidate patterns, and it has not been possible to deal with unknown ones. On the other hand, even in the behavior detection method and the outflow detection method classified as post-startup detection, it is necessary to list patterns that are candidates for viruses but list them. In addition, unlike the detection before start-up, non-invalid items may be blocked, which may hinder business.

  Thus, the current information leakage detection method is a method for detecting malware by collating with a pre-registered virus pattern. For this reason, there is a problem that it is necessary to always update the virus pattern and a problem that information leakage due to processing and functions other than the registered pattern cannot be detected.

  In view of the above-described conventional technology, the present invention provides an information leak detection apparatus, an information leak detection system, and an information leak detection system that can appropriately detect information leak regardless of known / unknown malware without the need to update virus patterns. The purpose is to provide an information leak detection program.

  In order to achieve the above object, the invention according to the first aspect is an information leak detection device that detects an information leak caused by a malicious third party attack, and whether the input operation to the program is a human operation. A first check unit for checking, a second check unit for checking whether the program is accessing a storage area, a third check unit for checking whether the program is communicating with an external address, the first check unit, The gist of the present invention is to include a determination unit that determines whether the program is malware based on the contents checked by the second check unit and the third check unit.

  The invention according to a second aspect is the invention according to the first aspect, wherein the determination unit is configured such that an input operation to the program is not a human operation, the program accesses a storage area, and the program has an external address. The gist is to determine that it is malware when communicating to the Internet.

  The invention according to a third aspect is the invention according to the first aspect, further comprising a binding unit for binding related program groups, wherein the determination unit is bound by the binding unit. The gist is to determine whether the program group is malware or not.

  The invention which concerns on a 4th aspect is an information leak detection system, Comprising: The information leak detection apparatus which concerns on any one 1st-3rd aspect, The network apparatus which operate | moves in cooperation with the said information leak detection apparatus, It is a summary to provide.

  The gist of the invention according to the fifth aspect is an information leak detection program for causing a computer to realize each functional unit according to any one of the first to third aspects.

  According to the present invention, there is provided an information leak detection device, an information leak detection system, and an information leak detection program capable of appropriately detecting information leak regardless of known / unknown malware without the need to update virus patterns. Is possible.

It is a figure for demonstrating the outline | summary of the information leakage detection system which concerns on embodiment of this invention. It is a figure for demonstrating the information leakage pattern by malware. It is a system configuration figure of an information leak detection system concerning an embodiment of the invention. It is a functional block diagram of the detection / protection software according to the embodiment of the present invention. It is a sequence diagram of the information leakage detection system which concerns on embodiment of this invention. It is a flowchart of the related process binding function part which concerns on embodiment of this invention. It is a flowchart of the program operation / operation check function unit according to the embodiment of the present invention. It is a flowchart of the file / registry / DB access check function part which concerns on embodiment of this invention. It is a flowchart of the external communication check function part which concerns on embodiment of this invention. It is a flowchart of the malware determination function part which concerns on embodiment of this invention. It is a block diagram of process tie information leakage detection judgment DB which concerns on embodiment of this invention. It is a figure which shows the malware judgment pattern which concerns on embodiment of this invention. It is a block diagram of program operation and operation DB which concerns on embodiment of this invention. It is a block diagram of file / registry / DB access DB concerning an embodiment of the invention. It is a block diagram of external communication DB which concerns on embodiment of this invention. It is a block diagram of group ID management DB which concerns on embodiment of this invention. It is a figure which shows a mode that the process binding information leak detection judgment DB which concerns on embodiment of this invention is updated. It is a figure which shows a mode that the process binding information leak detection judgment DB which concerns on embodiment of this invention is updated. It is a figure which shows a mode that program operation and operation DB which concern on embodiment of this invention are updated. It is a figure which shows a mode that the file / registry / DB access DB which concerns on embodiment of this invention is updated. It is a figure which shows a mode that the external communication DB which concerns on embodiment of this invention is updated. It is a figure which shows a mode that the group ID management DB which concerns on embodiment of this invention is updated.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The following embodiments exemplify an information leak detection system for embodying the technical idea of the present invention, and the configuration of the apparatus and the configuration of data are limited to the following embodiments. It is not a thing. In the following embodiments, terms such as program, application, software, thread, and process may be referred to as “program” without particular distinction.

≪Overview≫
The present invention is an information leakage prevention technique using user behavior. In other words, the application is started regardless of the operator's intention, and after startup, the file, registry, and database are accessed regardless of the operator's intention, such as keyboard and mouse input, and the IP address other than the IP address of the computer used When communication is performed, it is determined as malware and the corresponding process is stopped. As a result, false detection and non-detection can be eliminated and attention can be paid only to the behavior, so that it is not necessary to list a plurality of patterns that are candidates for abnormality.

  Fig.1 (a) is a figure for demonstrating the outline | summary of the information leakage detection system which concerns on embodiment of this invention. Leakage information collection server 41 and computer (PC) 11 are connected via a network. The computer 11 performs a check process for the following check points 1 to 3 in order to prevent confidential information from being collected by the leaked information collection server 41.

(Checkpoint 1)
The operator activates the application with the intention, and the operator performs a keyboard or mouse input operation on the activated application, and confirms that the process is operating according to the intention of the operator. In addition, an application or process that automatically starts regardless of the operator's intention and that operates without any keyboard or mouse input and operates regardless of the operator's intention is specified. The computer 11 registers in the process trace information that a keyboard or mouse input operation has been performed.

(Checkpoint 2)
A behavior of a process of a running application performing read processing and select processing to a base (storage area) holding data such as a file, a registry, and a database is grasped. By this operation, the process that is the previous stage of the file information leakage is determined. The computer 11 registers in the process trace information that there has been DB access, text file reading, and registry access operations.

(Checkpoint 3)
Check if a certain amount of data is being sent outside the IP address of the computer being used. The computer 11 registers in the process trace information that there has been a communication operation other than the IP address of the computer 11 (external).

  FIG. 1B shows an example of process trace information of the computer 11 shown in FIG. As shown in this figure, the relationship between the running program and process, including the program thread and the parent-child relationship of the program, is bundled. In this way, it is possible to stop the process when there is no keyboard or mouse input in the process of the group to which the grouping is performed, there is access to the DB / text / registry, and communication is performed to the outside. .

  FIG. 2 is a diagram for explaining an information leakage pattern by malware. For example, as shown in FIG. 2A, information may be transmitted from a virus-infected computer to an external server prepared by an attacker based on a virus program (pattern 1). Further, as shown in FIG. 2B, information may be transmitted from a virus-infected computer to an external server prepared by the attacker based on a command from a control server prepared by the attacker (pattern 2). ). Further, as shown in FIG. 2 (c), when a normal program is started, a program controlled from the outside is started at the time of the start of the program, and an attack is performed based on a command from a control server prepared by an attacker. Information may be transmitted to an external server prepared by the person (pattern 3).

  Thus, there are a plurality of types of information leakage patterns caused by malware. Depending on the type, some users unintentionally send out information even though they are running normal programs. In the embodiment of the present invention, in order to cope with such malware, the behavior of the user is tracked. Specifically, after tracking keyboard input, mouse input, and active application, and investigating each phase, send only when there is keyboard input or mouse input in the active application. It comes to allow. In addition, the amount of data that can be transmitted in a certain period when transmission is permitted can be arbitrarily defined for each user.

<< System configuration >>
FIG. 3 is a system configuration diagram of the information leak detection system according to the embodiment of the present invention. As shown in this figure, a corporate network (NW) 10 is connected with corporate personal computers 11A, 11B, 11C,... (Hereinafter collectively referred to as “computer 11”) and a corporate file server 14. ing. The computer 11 is connected to the Internet 40 via network devices such as the router 20 and the firewall 30. Since there is an attacker's leak information collection server 41 on the Internet 40, detection / protection software 15 is installed on the computer 11.

  Although details will be described later, the detection / protection software 15 is software that detects the known malware 16 and the unknown malware 17 to prevent leakage of information. This eliminates the need for having a list of malware that was used in the traditional method, thus eliminating the expense of maintenance. Further, since it is no longer necessary to have a white list of destinations used in the conventional method, there is no hindrance to work such as blocking non-malicious transmission. Furthermore, there is an effect that attacks by unknown malware can be prevented.

≪Detection and protection software≫
FIG. 4 is a functional block diagram of the detection / protection software 15 according to the embodiment of the present invention. Functionally, the detection / protection software 15 includes a program operation / operation check function unit 15A, a file / registry / DB access check function unit 15B, an external communication check function unit 15C, and an associated process binding function unit 15D. And a malware determination function unit 15E. The program operation / operation check function unit 15A is a function unit for confirming a program start (foreground, background) method and a keyboard / mouse input operation for the program. The file / registry / DB access check function unit 15B is a function unit that checks whether a running program, process, or the like is accessing the file / registry / DB. The external communication check function unit 15C is a function unit that checks whether a running program or process is communicating with an external address. The related process linking function unit 15D is a function unit that ties up the relationship between the running program and process, including the program thread and the parent-child relationship of the program. The malware determination function unit 15E is a function unit that determines and prevents malware from the contents checked by the program operation / operation check function unit 15A, the file / registry / DB access check function unit 15B, and the external communication check function unit 15C.

≪Sequence≫
FIG. 5 is a sequence diagram of the information outflow detection system according to the embodiment of the present invention.

  First, when an unauthorized malware is automatically activated in the computer 11 and a connection is established between the computer 11 and the leakage information collection server 41, a control command is instructed from the leakage information collection server 41 to the computer 11 (S1 → S2). Accordingly, there is a possibility that an unauthorized malware of the computer 11 starts a child process, and this child process may access confidential information (S3). Further, there is a possibility that an unauthorized malware of the computer 11 starts a child process, and this child process transmits confidential information to the leaked information collection server 41 (S4 → S5).

  In order to avoid such problems, the program operation / operation check function unit 15A determines the program activation method, whether to interrupt the keyboard / mouse input application, and identifies the application that operates regardless of the operator's intention. (Checkpoint 1). The file / registry / DB access check function unit 15B grasps the behavior of the read process and the select process to the base holding the application process file, registry, database, and the like (check point 2). The external communication check function unit 15C confirms whether or not a certain amount of data is transmitted to the outside (check point 3). The related process linking function unit 15D ties up the relevance including the parent-child relationship of the process and the thread due to the activation of the process, and groups the processes. The malware determination function unit 15E determines that it is malware when there is no keyboard or mouse input from the operator, access to a file, registry, or database and communication is performed with respect to a computer other than the IP address of the computer to be used.

  As described above, in the information leak detection system according to the embodiment of the present invention, detection is performed by determining that the application on the end terminal is operating according to the operator's intention, instead of the detection method based on the comparison with the virus pattern. The technique to do is adopted. In other words, it is possible to detect whether or not a known or unknown malware is involved by checking whether the operator is intentionally operating the process, dividing the behavior of the virus step by step, and classifying the candidate behavior for each step. It is. Further, since attention is paid only to the behavior, there is an effect that it is not necessary to list a plurality of patterns such as patterns that are candidates for abnormality.

≪Related process linking function part≫
FIG. 6 is a flowchart of the related process binding function unit 15D according to the embodiment of the present invention. Hereinafter, ProgA_sam. A case where exe is activated will be described as an example.

  S11: The process linking information leakage detection judgment DB is read (see FIG. 17A).

  S12: Process activation information (activation time, process ID, process name) is acquired.

  S13: The presence / absence of malware registration is determined from the activation process and past malware determination results (see FIG. 17B). If not registered, the process proceeds to S14, and if registered, the process proceeds to S19.

  S14: The process linking information leakage detection judgment DB is read, and the process ID that matches the parent process of the startup process is read.

  S15: It is determined whether or not there is a parent process associated with the activated process. If it is associated (with parent process), the process proceeds to S16, and if it is not associated (no parent process), the process proceeds to S17.

  S16: The group ID of the parent process is acquired (see FIG. 18 (k)).

  S17: The group ID management DB is read, a new group ID is created, and the payout date and time of the ID paid out to the group ID management DB is updated (see FIG. 22 (x)).

  S18: The activation time, group ID, process ID, process name, parent process ID, and parent process name are registered in the process linking information leakage detection determination DB (see FIG. 17C).

  S19 to S21: The process is forcibly stopped, the process stop information is acquired, and the stop time is updated in the process binding information leakage detection determination DB (see FIG. 17D).

  S22: The program operation / operation check function unit 15A is activated (see FIG. 7).

  S23: The file / registry / DB access check function unit 15B is activated (see FIG. 8).

  S24: The external communication check function unit 15C is activated (see FIG. 9).

≪Program operation / operation check function part≫
FIG. 7 is a flowchart of the program operation / operation check function unit 15A according to the embodiment of the present invention. Hereinafter, the process of S22 will be described in detail with reference to FIG.

  S31: The processing of the program operation / operation check function unit 15A is started.

  S32: Process information (process ID, process name, process activation method) is acquired and registered in the program operation / operation DB (see FIG. 19 (l)).

  S33: Obtain keyboard and mouse interrupt information.

  S34: Determine whether a keyboard or mouse interrupt has occurred. If there is a keyboard interrupt, the process proceeds to S35, if a mouse interrupt is present, the process proceeds to S37, and if no interrupt occurs, the process proceeds to S39.

  S35: Obtain keyboard operation information (input time, keyboard input information).

  S36: The keyboard input time and keyboard input information are updated in the program operation / operation DB (see FIG. 19 (m)).

  S37: Mouse operation information (input time, mouse input information) is acquired.

  S38: The mouse input time and mouse input information are updated in the program operation / operation DB (see FIG. 19 (n)).

  S39: It is confirmed whether or not the process is stopped. If there is no process stop, the process proceeds to S33, and if there is a process stop, the process ends.

≪File / Registry / DB access check function part≫
FIG. 8 is a flowchart of the file / registry / DB access check function unit 15B according to the embodiment of the present invention. Hereinafter, the process of S23 will be described in detail with reference to FIG.

  S41: The processing of the file / registry / DB access check function unit 15B is started.

  S42: The process ID and process name are acquired and registered in the file / registry / DB access DB (see FIG. 20 (p)).

  S43: Process trace information is acquired by the process monitor. Specifically, a process ID, a file access status (Read), an access file name, a registry action status (RegQueryKey), a registry name, and a DB access status (TCP-Connect) are acquired by the process monitor.

  S44: Based on the process trace information, the presence / absence of file operation, registry operation, and DB operation is determined. Specifically, when the operation of the process monitor is Read, it is determined as a file operation, when it is RegQueryKey, it is determined as a registry operation, and when it is TCP-Connect, it is determined as DB. If there is no operation, the process proceeds to S51. If there is a file operation, the process proceeds to S45. If there is a registry operation, the process proceeds to S47. If there is a DB operation, the process proceeds to S49.

  S45: File operation information (process ID, process name, reading time, reading file name, directory name, reading point, reading size) is acquired by the function of the file system mini-filter driver.

  S46: Update the read time, read file name, directory name, read point, and read size in the file / registry / DB access DB (see FIG. 20 (q)).

  S47: Registry operation information (process ID, process name, reading time, registry name, path name) is acquired by the registry filter notification function.

  S48: The read time, registry name, and path name are updated in the file / registry / DB access DB (see FIG. 20 (r)).

  S49: DB operation information (process ID, process name, read time, database name, read information, read number) is acquired (SQL-NET command).

  S50: Update the reading time, database name, reading information, and number of readings in the file / registry / DB access DB (see FIG. 20 (s)).

  S51: It is confirmed whether or not the process is stopped. If there is no process stop, the process proceeds to S43, and if there is a process stop, the process ends.

≪External communication check function part≫
FIG. 9 is a flowchart of the external communication check function unit 15C according to the embodiment of the present invention. Hereinafter, the process of S24 will be described in detail with reference to FIG.

  S61: The processing of the external communication check function unit 15C is started.

  S62: The process ID and process name are acquired and registered in the external communication DB (see FIG. 21 (u)).

  S63: Process trace information is acquired by the process monitor. Specifically, a process ID, a transmission status (TCP-Send, UDP-Send), a transmission destination IP, and a transmission port are acquired by the process monitor.

  S64: The process trace information determines whether there is external communication. Specifically, when the operation of the process monitor is TCP-Send or UDP-Send, it is determined as external communication. If there is external communication, the process proceeds to S65, and if there is no external communication, the process proceeds to S68.

  S65: The transmission information (process ID, process name, transmission time, transmission destination IP, transmission port, protocol, transmission size) is acquired by the function of the network system mini-driver.

  S66: The transmission time, destination IP, transmission port, protocol, and transmission size are updated in the external communication DB (see FIG. 21 (v)).

  S67: The malware determination function unit 15E is activated (see FIG. 10).

  S68: It is confirmed whether or not the process is stopped. If there is no process stop, the process proceeds to S63, and if there is a process stop, the process proceeds to S69.

  S69: Delete the target process information from the program operation / operation DB, file / registry / DB access DB, and external communication DB.

≪Malware judgment function part≫
FIG. 10 is a flowchart of malware determination function unit 15E according to the embodiment of the present invention. Hereinafter, the process of S67 will be described in detail with reference to FIG.

  S71: The process of the malware determination function unit 15E is started.

  S72: Deliver the transmission process (process ID, process name).

  S73: All process IDs of the group ID corresponding to the transmission process ID are acquired from the process linking information leakage detection determination DB (see FIG. 17E).

  S74: The program operation / operation presence / absence of the record corresponding to the process ID acquired from the program operation / operation DB is determined (see FIG. 19 (o)). If there is an operation, the process proceeds to S75, and if there is no operation, the process proceeds to S76.

  S75: The program operation / operation presence / absence of the record corresponding to the process ID acquired from the process linking information leakage detection determination DB is updated to “Yes” (see FIG. 17F).

  S76: The program operation / operation presence / absence of the record corresponding to the process ID acquired from the process linking information leakage detection judgment DB is updated to zero (see FIG. 17 (f)).

  S77: Whether the file / registry / DB access of the record corresponding to the process ID acquired from the file / registry / DB access DB is determined (see FIG. 20 (t)). If there is access, the process proceeds to S78, and if there is no access, the process proceeds to S79.

  S78: Update the presence / absence of file / registry / DB access of the record corresponding to the process ID acquired from the process linking information leakage detection judgment DB (see FIG. 17G).

  S79: Update the presence / absence of file / registry / DB access of the record corresponding to the process ID acquired from the process linking information leakage detection judgment DB (see FIG. 17G).

  S80: It is determined whether or not a record corresponding to the process ID acquired from the external communication DB is transmitted externally and whether a certain amount of data is transmitted (see FIG. 21 (w)). If there is external transmission and a certain amount of data is transmitted, the process proceeds to S81. If there is no external transmission or there is no external transmission and no certain amount of data is transmitted, the process proceeds to S82.

  S81: Update the presence / absence of external communication of the record corresponding to the process ID acquired from the process linking information leakage detection determination DB (see FIG. 17H).

  S82: Update the presence or absence of external communication of the record corresponding to the process ID acquired from the process linking information leakage detection judgment DB (see FIG. 17H).

  S83: It is determined whether the process linking information leakage detection determination DB is like the malware determination pattern shown in FIG. 12 (see FIG. 17 (i)). If the condition is satisfied, the process proceeds to S84, and if not, the process ends.

  S84: The malware determination result of the record corresponding to the process ID acquired from the process linking information leakage detection determination DB is updated to malware (see FIG. 17 (j)).

  S85: All the corresponding processes are forcibly stopped.

≪Database≫
FIG. 11 is a configuration diagram of the process linking information leakage detection determination DB according to the embodiment of the present invention. As shown in this figure, the process linking information leakage detection determination DB includes “No”, “Startup time”, “Stop time”, “GID”, “PID”, “Process name”, “Parent PID”, “Parent process name”, “Program operation”. Manages “operation presence / absence”, “file / registry / DB access presence / absence”, “external communication presence / absence”, and “malware determination result”.

  FIG. 12 is a diagram showing a malware judgment pattern according to the embodiment of the present invention. The malware determination pattern is a pattern that is determined as malware in the process linking information leakage detection determination DB. In the process belonging to the same GID, it is determined as malware only in the case of the pattern in the figure. However, the number of processes for performing the pattern in the figure is not limited. Here, “when there is no program operation / operation, there is access to a file / registry / DB, and there is external communication exceeding the amount of data to be transmitted for a certain period, it is determined that it is malware.” “Exceeding the amount of transmission data during the period” means that the operator sets the transmission data amount (size) for a certain period in advance in his machine and exceeds the value.

  FIG. 13 is a configuration diagram of the program operation / operation DB according to the embodiment of the present invention. As shown in this figure, the program operation / operation DB manages “No”, “PID”, “process name”, and “program operation / operation information”. The “program operation / operation information” is specifically “activation method”, “keyboard input time, input information”, “mouse input time, input information”.

  FIG. 14 is a configuration diagram of the file / registry / DB access DB according to the embodiment of the present invention. As shown in this figure, the file / registry / DB access DB manages “No”, “PID”, “process name”, and “file / registry / DB access information”. Specifically, “file / registry / DB access information” means “read time” “read file name” “directory name” “read start point” “read size” “registry name” “path name” “database name” “Reading information” and “Number of readings”.

  FIG. 15 is a configuration diagram of the external communication DB according to the embodiment of the present invention. As shown in this figure, the external communication DB manages “No”, “PID”, “process name”, and “external communication information”. Specifically, “external communication information” is “transmission time”, “destination IP”, “transmission port”, “protocol”, and “transmission size”.

  FIG. 16 is a configuration diagram of the group ID management DB according to the embodiment of the present invention. As shown in this figure, the group ID management DB manages “No”, “GID”, and “dispensing date / time”.

  17 and 18 are diagrams showing how the process linking information leakage detection determination DB according to the embodiment of the present invention is updated. FIG. 19 is a diagram showing how the program operation / operation DB according to the embodiment of the present invention is updated. FIG. 20 is a diagram showing how the file / registry / DB access DB according to the embodiment of the present invention is updated. FIG. 21 is a diagram showing how the external communication DB according to the embodiment of the present invention is updated. FIG. 22 is a diagram illustrating a state in which the group ID management DB according to the embodiment of the present invention is updated. In both cases, items surrounded by a thick frame are to be updated. The update timing is as shown in the flowcharts of FIGS.

  As described above, the computer 11 according to the embodiment of the present invention is an information leak detection device that detects an information leak caused by a malicious third party attack, and the input operation to the program is a human operation. Program operation / operation check function unit 15A for checking whether the program is accessing the storage area, file / registry / DB access check function unit 15B, and external communication check for checking whether the program is communicating to an external address Malware determination for determining whether the program is malware based on the contents checked by the function unit 15C, the program operation / operation check function unit 15A, the file / registry / DB access check function unit 15B, and the external communication check function unit 15C Equipped with functional unit 15E That. Thereby, it is not necessary to update the virus pattern, and it is possible to appropriately detect information leakage regardless of known / unknown malware.

  Specifically, the malware determination function unit 15E determines that the program is malware when the input operation to the program is not a human operation, the program accesses the storage area, and the program communicates with an external address. In this case, if the input operation to the program is a human operation, it is possible to immediately determine that the program is not malware.

  Further, the related process grouping function unit 15D for grouping related program groups is provided, and the malware determination function unit 15E collects the program groups grouped by the related process grouping function unit 15D as malware. It may be determined whether or not. As a result, since it is possible to determine whether it is malware including the program thread and the parent-child relationship of the program, it is possible to more appropriately detect information leakage more reliably.

  Although not specifically mentioned in the above description, the program once determined to be malware stores the characteristic information of the program, and if the same program is started again, it is not determined whether it is malware. The program process may be forcibly terminated immediately by considering it as malware. Thereby, it is possible to detect the malware more quickly for the program once determined to be malware.

  Further, the computer 11 may determine the result of the malware and the feature information to be transmitted to a network device such as the router 20 or the firewall 30. Thereby, since the computer 11 and the network device can be operated in cooperation, it is possible to detect information leakage more reliably and quickly.

  In addition, the present invention can be realized not only as an information outflow detection device, but also as an information outflow detection program for causing a computer to realize each functional unit included in the information outflow detection device. It goes without saying that such a program can be distributed via a recording medium such as a CD-ROM or a transmission medium such as the Internet.

11. Computer (information leak detection device)
15 ... detection / protection software 15A ... program operation / operation check function section (first check section)
15B: File / Registry / DB access check function part (second check part)
15C: External communication check function unit (third check unit)
15D ... Related process binding function section (Bundling section)
15E ... Malware determination function part (determination part)
20 ... Router (network equipment)
30 ... Firewall (network equipment)

Claims (5)

An information leak detection device for detecting an information leak caused by a malicious third party attack,
A first check unit for checking whether the input operation to the program is a human operation;
A second check unit for checking whether the program is accessing a storage area;
A third check unit for checking whether the program is communicating to an external address;
An information outflow detection device comprising: a determination unit that determines whether the program is malware based on contents checked by the first check unit, the second check unit, and the third check unit.   The determination unit determines that the program is malware when the input operation to the program is not a human operation, the program accesses a storage area, and the program communicates with an external address. The information outflow detection device according to claim 1. In addition, it has a binding unit that links related programs.
The information outflow detection device according to claim 1 or 2, wherein the determination unit determines whether the program group bundled by the bundling unit is malware or not. The information leak detection device according to any one of claims 1 to 3,
An information outflow detection system comprising: a network device that operates in cooperation with the information outflow detection device.   The information outflow detection program for making a computer implement | achieve each function part of any one of Claims 1-3.

Images