JP2017182160A - Monitoring control program, monitoring control system and monitoring control method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a monitoring control system capable of reducing the load imposed on a CPU while ensuring security level.SOLUTION: The monitoring control system includes: a monitoring processing part 31 that repeatedly performs a series of monitoring processing to monitor the operation made on a virtual machine 301 by a user terminal; and a monitoring frequency changing part 351 that, when the utilization rate of a processor satisfies a reference, reduces the execution frequency of the monitoring processing by the monitoring processing part 31 on at least any one of the virtual machines 301 in the virtual machines 301 included in a virtual machine group to which the processor is allotted.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a monitoring control program, a monitoring control apparatus, and a monitoring control method.

  As measures against risk of information leakage from PCs (Personal Computers), operations performed by users in an organization on each PC are recorded, stored, and analyzed as a log.

  Here, the “operation performed by the user on the PC” as a log target includes, for example, writing to a USB (Universal Serial Bus) storage, mail transmission, access to a file server, file update, and the like.

  Also, in middleware products that manage and monitor network devices, in order to prevent information leakage, an agent is installed on the PC, and operation logs are automatically collected and recorded, and specific operations are prohibited. There is something.

  In such a middleware product, for example, information collected by an agent is transmitted to a management server via a network, and the management server provides a unified management function of operation logs by storing the received information in a database.

  For example, in the operation management software of middleware products, desktop monitoring processing is executed periodically (for example, at intervals of 0.5 seconds), and information about active windows on the desktop of the PC (for example, title, application, URL) : Uniform Resource Locator).

  In this desktop monitoring process, specifically, first, a currently active window on the desktop is specified, and the title, application, and URL of this active window are acquired. Then, it is verified whether the acquired information is the same as the previously acquired information. As a result of collation, when the acquired information is different from the previous acquisition, the information is recorded, and when it is the same, the acquired information is ignored.

  The reason why the desktop monitoring process described above is periodically performed is that the state of the active window changes irregularly depending on the user's operation (start / switch / move / end).

  Further, such desktop monitoring processing always consumes a CPU usage rate of about 3% as a guide for each desktop.

JP 2012-108956 A JP 2002-202959 A International Publication WO2012 / 120634 Pamphlet

  In the conventional computer system, one user occupies one physical machine, and the software used by the user can occupy the CPU, so 3% of the CPU is used for desktop monitoring processing. The effect was not regarded as a problem even if it was always used.

  However, in recent years, with the development of virtualization technology, an environment in which the resources of one physical machine are shared by a plurality of virtual machines has appeared. In such an environment, a performance problem due to CPU exhaustion occurs in the conventional desktop monitoring process.

  For example, assume a system in which 80 virtual machines are operating on a server having 10 cores (10 cores) and is in charge of processing of 8 virtual machines per core. In such a system, when 3% of the CPU is constantly used for desktop monitoring of one virtual machine, 24% of the CPU is always consumed only for desktop monitoring per core on the server. As a result, the shared CPU that is allocated to normal work is under pressure.

  Note that if the monitoring interval is simply increased in order to reduce the CPU load due to the desktop monitoring process, although the pressure on the shared CPU is reduced, the active window information cannot be properly recorded and the security risk increases.

  Therefore, conflicting requirements to prepare for security risks by performing desktop monitoring processing that does not compress the shared CPU so as not to interfere with normal business processing performed in the virtual machine and effectively recording user operations and results Is required.

  In one aspect, an object of the present invention is to reduce a CPU load while maintaining a high security level.

  For this reason, this monitoring control program is assigned to a processor when the usage rate of the processor satisfies a criterion in the monitoring control program for executing a monitoring process for monitoring an operation performed on the user terminal on the virtual machine. The computer is caused to execute a process for reducing the execution frequency of the monitoring process related to at least one of the virtual machines included in the virtual machine group.

  According to one embodiment, the CPU load can be reduced while maintaining a high security level.

It is a figure which shows typically the structure of the computer system as an example of embodiment. 1 is a hardware configuration diagram of a computer system as an example of an embodiment. It is a functional diagram of the management server of the computer system as an example of an embodiment. It is a functional block diagram of the virtual environment server of the computer system as an example of an embodiment. It is a figure which illustrates the user operation log collected in the computer system as an example of embodiment. It is a figure which illustrates the process operation monitoring log collected in the computer system as an example of embodiment. It is a figure which illustrates the window title monitoring log collected in the computer system as an example of embodiment. It is a figure which illustrates virtual machine CPU information in the computer system as an example of embodiment. It is a figure which illustrates the virtual machine group information in the computer system as an example of embodiment. It is a figure which illustrates the prohibition operation execution log | history in the computer system as an example of embodiment. It is a figure which illustrates prohibited operation risk value information in a computer system as an example of an embodiment. It is a figure which illustrates the virtual machine user information in the computer system as an example of embodiment. It is a figure which illustrates the security policy regarding the user information in the computer system as an example of embodiment. It is a figure which illustrates the security policy regarding operation in the computer system as an example of an embodiment. It is a figure which illustrates the security policy regarding the access destination in the computer system as an example of embodiment. It is a figure which illustrates the monitoring setting about the monitoring interval in the computer system as an example of embodiment. It is a figure which illustrates the monitoring setting about CPU threshold value in the computer system as an example of embodiment. It is a figure which illustrates the operation history in the computer system as an example of an embodiment. It is a figure which illustrates the order information in a group in the computer system as an example of embodiment. It is a figure for demonstrating the process by the 2nd monitoring interval adjustment part of the computer system as an example of embodiment. It is a figure for demonstrating the outline | summary of the load management method in the computer system as an example of embodiment. It is a figure for demonstrating the outline | summary of the process at the time of user logon in the computer system as an example of embodiment. It is a flowchart for demonstrating the outline | summary of the process of the management server of the computer system as an example of embodiment. It is a flowchart for demonstrating the process of the agent in the virtual machine of the virtual environment server of the computer system as an example of embodiment. It is a flowchart for demonstrating the process by the user evaluation part in the management server of the computer system as an example of embodiment. It is a flowchart for demonstrating the process of the operation log | history production part in the virtual environment server of the computer system as an example of embodiment. It is a flowchart for demonstrating the process of the security risk calculation part in the virtual environment server of the computer system as an example of embodiment. It is a flowchart for demonstrating the production method of the order information in a group by the communication part between agents in the virtual environment server of the computer system as an example of embodiment. It is a flowchart for demonstrating the process of the 1st monitoring interval adjustment part in the virtual environment server of the computer system as an example of embodiment. It is a flowchart for demonstrating the process of the 2nd monitoring interval adjustment part in the virtual environment server of the computer system as an example of embodiment.

  Hereinafter, embodiments of the monitoring control program, the monitoring control apparatus, and the monitoring control method will be described with reference to the drawings. However, the embodiment described below is merely an example, and there is no intention to exclude application of various modifications and techniques not explicitly described in the embodiment. In other words, the present embodiment can be implemented with various modifications (combining the embodiments and modifications) without departing from the spirit of the present embodiment. Each figure is not intended to include only the components shown in the figure, and may include other functions.

(A) Configuration FIG. 1 is a diagram schematically illustrating a configuration of a computer system 1 as an example of an embodiment, and FIG. 2 is a hardware configuration diagram thereof.

  FIG. 3 is a functional diagram of the management server 2 of the computer system 1 as an example of the embodiment, and FIG. 4 is a functional configuration diagram of the virtual environment server 3.

  For the sake of convenience, FIG. 3 also shows some functions of the virtual environment server 3 in addition to the functions of the management server 2, and FIG. 4 shows management functions in addition to the functions of the virtual environment server 3. Some functions of the server 2 are also illustrated.

  A computer system 1 shown in FIG. 1 is configured by connecting a management server 2, a virtual environment server 3, an administrator terminal 101, and one or more user terminals 102 to each other via a network 50.

  In the computer system 1, a user uses a virtual computer environment provided by the virtual environment server 3, that is, a virtual machine 301 via a user terminal 102.

(A) Administrator terminal and user terminal The administrator terminal 101 is a computer used by a system administrator or the like. The administrator terminal 101 includes a processor and a memory (not shown), and implements various functions by the processor executing programs. The system administrator uses the administrator terminal 101 to perform setting operations for the management server 2 and the virtual environment server 3.

  For example, the system administrator inputs a security policy 202 and a monitoring setting 201 described later via the administrator terminal 101.

  The user terminal 102 is a computer used by the user, and includes a processor and a memory (not shown), and the processor executes various functions by executing a program.

  The user terminal 102 connects to the virtual environment server 3 via the network 50, accesses the virtual machine 301 provided in the virtual environment server 3, and executes various processes. That is, the user terminal 102 corresponds to a use terminal that performs an operation on the virtual machine 301.

  The user terminal 102 has a multi-window function that can display a plurality of windows simultaneously on the desktop. The user performs various input / output processes through windows displayed on the desktop of the user terminal 102.

  Further, the log collection unit 31 (see FIG. 4) of the virtual environment server 3 described later executes desktop monitoring processing and the like, monitors the desktop of the user terminal 102, and records processing performed on the desktop and the like. To collect.

(B) Management Server The management server 2 is a computer (server computer, information processing apparatus) having a server function, and performs various management of the virtual environment server 3.

  As shown in FIG. 2, the management server 2 includes a CPU 13, a memory 14, and a storage device 15.

  In the computer system 1 illustrated in FIG. 2, for convenience, an input device such as a mouse and a keyboard and a display device are illustrated in each of the management server 2, the virtual environment server 3, the administrator terminal 101, and the user terminal 102. Omitted. Further, the computer system 1 may include other devices.

  In addition, each of the management server 2, the virtual environment server 3, the administrator terminal 101, and the user terminal 102 may include other devices.

  The memory 14 is a storage memory including a ROM (Read Only Memory) and a RAM (Random Access Memory). A software program (monitoring control program) and data for the program are written in the ROM of the memory 14. The software program on the memory 14 is appropriately read by the CPU 13 and executed. The RAM of the memory 14 is used as a primary storage memory or a working memory.

  The storage device 15 is a storage device such as a hard disk drive (HDD), an SSD (Solid State Drive), or a storage class memory (SCM), and stores various data.

  The storage area of the storage device 15 includes a log 25, virtual machine CPU information 26, virtual machine group information 27, prohibited operation risk value information 28, virtual machine user information 29, security policy 202, prohibited operation execution history 251 and The monitoring setting 201 is stored (see FIG. 3).

  The log 25 is a log (history, record) related to operations performed by the user using the user terminal 102 in the computer system 1, and includes, for example, a user operation log 25a, a process monitoring log 25b, a desktop monitoring log 25c, and the like. It is.

  Hereinafter, in the virtual machine 301, collecting logs relating to operations performed using the user terminal 102 may be referred to as monitoring.

  5 to 7 are diagrams illustrating logs collected in the computer system 1 as an example of the embodiment, FIG. 5 is a diagram illustrating a user operation log 25a, and FIG. 6 is a process operation monitoring log 25b. FIG. 7 and FIG. 7 are diagrams illustrating the window title monitoring log 25c.

  The user operation log 25a is a log of various operations performed by the user using an input device (not shown) such as a mouse or a keyboard of the user terminal 102. As shown in FIG. 5, the user operation log 25a includes, for example, operation time, operation content, operation target, processing time, and the like.

  The process operation monitoring log 25 b is a log for processes executed in the virtual machine 301. As shown in FIG. 6, the process operation monitoring log 25b includes, for example, operation date / time, operation content, operation target, application, and process ID (identification).

  The window title monitoring log 25c is a log relating to processing executed in a window (not shown) opened on the desktop of the user terminal 102. As shown in FIG. 7, the window title monitoring log includes an operation date and time, a window title, and a process ID.

  These logs 25a to 25c are collected in each virtual machine 301 by the log collection unit 31 of the agent 30 of the virtual environment server 3 to be described later, and the basic server function unit 24 to be described later collects from each virtual machine 301, and the log 25 Stored as

  In the computer system 1, various types of information stored as the log 25 are stored / analyzed and are used for countermeasures against risk of information leakage from the user terminal 102 or the like.

  The virtual machine CPU information 26 is a CPU usage rate of each of the CPUs 10-1 to 10-4 provided in the virtual environment server 3 described later. These CPU usage rates are collected by a CPU status confirmation unit 21 described later.

  FIG. 8 is a diagram illustrating virtual machine CPU information 26 in the computer system 1 as an example of the embodiment. As shown in FIG. 8, in the virtual machine CPU information 26, the CPU usage rate is associated with identification information (CPU ID) for specifying the CPUs 10-1 to 10-4.

  Hereinafter, as reference numerals indicating CPUs provided in the virtual environment server 3, reference numerals 10-1 to 10-4 are used when it is necessary to specify one of a plurality of CPUs. 10 is used.

  The virtual machine group information 27 is information for managing a virtual machine group (virtual machine group). In the virtual environment server 3 of the computer system 1, when one CPU 10 realizes a plurality of virtual machines 301, the plurality of virtual machines 301 realized by the same CPU 10 is referred to as a virtual machine group.

  FIG. 9 is a diagram illustrating virtual machine group information 27 in the computer system 1 as an example of an embodiment. As shown in FIG. 9, the virtual machine group information 27 is configured by associating machine names, IP (Internet Protocol) addresses, assigned CPUs, and groups with each other.

  Here, the machine name is identification information for specifying the virtual machine 301. The IP address is an IP address for accessing the virtual machine 301. The assigned CPU is the CPU ID of the CPU 10 that realizes the virtual machine 301. The group is identification information that identifies a virtual machine group.

  In the example shown in FIG. 9, three virtual machines 301 with machine names “VM001”, “VM002”, and “VM003” are realized by the CPU 10 specified by the CPU ID “cpu001”.

  Further, two virtual machines 301 having machine names “VM004” and “VM005” are realized by the CPU 10 specified by the CPU ID “cpu002”.

  In the computer system 1, a plurality of virtual machines 301 realized by the same CPU 10 are set as the same virtual machine group.

  For example, in the example shown in FIG. 9, three virtual machines 10 “VM001”, “VM002”, and “VM003” executed by the CPU 10 with the CPU ID “cpu001” are treated as the same virtual machine group, and a common virtual machine is used. Machine group ID “1” is set.

  The prohibited operation execution history 251 is information for managing the date (prohibited operation execution date) of an operation (prohibited operation) prohibited for each user from the viewpoint of information security.

  FIG. 10 is a diagram illustrating a prohibited operation execution history 251 in the computer system 1 as an example of the embodiment.

  As shown in FIG. 10, the prohibited operation execution history 251 is configured by associating a user ID with a prohibited operation execution date.

  The prohibited operation execution history 251 is created by the user evaluation unit 23 described later extracting a history of execution of the prohibited operation from the log 25.

  The prohibited operation risk value information 28 is information indicating a risk set for each user from the viewpoint of information security.

  FIG. 11 is a diagram exemplifying prohibited operation risk value information 28 in the computer system 1 as an example of the embodiment.

  As shown in FIG. 11, the prohibited operation risk value information 28 is configured by associating a prohibited operation risk value with a user ID.

  The user ID is identification information for specifying the user. The prohibited operation risk value is an evaluation value that expresses a risk that is set from the viewpoint of information security based on the user's operation results. In the example shown in FIG. 11, any integer of 1 to 3 is used as the prohibited operation risk value, and the larger the value, the higher the risk of performing an operation (prohibited operation) that is prohibited from the viewpoint of information security. Indicates. That is, a prohibited operation risk value of 1 indicates a low risk, 2 indicates a medium risk, and 3 indicates a high risk.

  The prohibited operation risk value information 28 is set and updated by a user evaluation unit 23 described later.

  The virtual machine user information 29 is information for managing users who are using the virtual machine 301.

  FIG. 12 is a diagram illustrating virtual machine user information 29 in the computer system 1 as an example of the embodiment.

  As shown in FIG. 12, the virtual machine user information 29 is configured by associating a user ID with a machine name.

  The machine name is information for specifying the virtual machine 301, and the user ID of the user who uses the virtual machine 301 specified by the machine name is registered in association with the machine name.

  In the computer system 1, when the user logs in to the virtual environment server 3 using the user terminal 102, one virtual machine 301 is newly formed. That is, it is assumed that there is a one-to-one correspondence between the user and the virtual machine 301, and it is not assumed that a plurality of users use one virtual machine 301.

  The security policy 202 is information that defines a basic policy regarding information security in the computer system 1.

  The security policy 202 includes a security policy 202a related to user information, a security policy 202b related to operations, and a security policy 202c related to access destinations.

  13 to 15 are diagrams each illustrating a security policy 202 in the computer system 1 as an example of the embodiment. 13 shows a security policy 202a related to user information, FIG. 14 shows a security policy 202b related to operation, and FIG. 15 shows a security policy 202c related to an access destination.

  The security policy 202a related to user information indicates a risk set from the viewpoint of information security based on the affiliation and authority (user information) for the user.

  As shown in FIG. 13, this security policy 202a is configured by associating a user ID with an affiliation, post, and post risk value.

  Here, the post risk value is an evaluation value that expresses the risk set from the viewpoint of information security based on the user's affiliation, post, etc., as a numerical value. That is, the post risk value is set according to the user authority of the user of the user terminal 102.

  A system administrator or the like sets a risk value (position risk value, user authority risk value) as a security policy 202a in advance for each user in view of the user's work contents, position, data to be handled, and the like. That is, for each user, a post risk value corresponding to user information such as the post of the user is set in advance.

  In the example shown in FIG. 13, integers 1 to 3 are used as job risk values, and the larger the value, the higher the importance and confidentiality of information handled from the viewpoint of information security, and the higher the risk. That is, the position risk value 1 indicates a low risk, 2 indicates a medium risk, and 3 indicates a high risk.

  The operation-related security policy 202b is information in which whether or not to execute various operations performed by the user is set according to the affiliation or job title.

  As shown in FIG. 14, the security policy 202 b is configured by associating each item of prohibition, affiliation, and title with the operation content (operation).

  In the item “prohibited”, either prohibition or caution is registered, and a user with a combination of affiliation and title set in the security policy 202b is prohibited or performed. Indicates that some kind of caution (warning) is output when it is done.

  The security policy 202c regarding the access destination indicates a risk set from the viewpoint of information security with respect to the access destination when the user performs data access to the virtual machine 301 using the user terminal 102.

  As shown in FIG. 15, the security policy 202c is configured by associating an access destination risk value with an access destination.

  In the example shown in FIG. 15, the external Internet, the corporate intranet, and the own terminal are shown as access destinations. The access destination risk value is an evaluation value that represents the risk set for the access destination from the viewpoint of information security.

  In the example shown in FIG. 15, an integer of 1 to 3 is used as the access destination risk value, and the larger the value, the higher the risk when performing data access from the viewpoint of information security. That is, an access destination risk value of 1 indicates a low risk, 2 indicates a medium risk, and 3 indicates a high risk.

  Note that the security policy 202c is not limited to that illustrated in FIG. 15, and can be implemented with appropriate modifications. For example, since there is a file that needs to be handled with care even if the data to be accessed is in the terminal itself, more detailed settings may be made in such a case. For example, for data related to confidential information such as My Number, the access destination risk value may be set to 3 even if the access destination is within the corporate intranet.

  The monitoring setting 201 is various settings for collecting logs such as operations performed at the user terminal 102 of the computer system 1, that is, monitoring.

  In the computer system 1, the log collection unit 31 of the agent 30 of the virtual machine 301 performs log collection (monitoring) according to the monitoring setting 201.

  This monitoring setting 201 includes a monitoring setting 201a for the monitoring interval and a monitoring setting 201b for the CPU threshold.

  FIGS. 16 and 17 are diagrams each illustrating a monitoring setting 201 in the computer system 1 as an example of the embodiment. 16 shows the monitoring setting 201a for the monitoring interval, and FIG. 17 shows the monitoring setting 201b for the CPU threshold.

  The monitoring setting 201a regarding the monitoring interval defines an interval at which the log collection unit 31 performs log collection (monitoring) such as operations performed on the user terminal 102 in the virtual machine 301 of the virtual environment server 3 to be described later.

  As shown in FIG. 16, the monitoring setting 201a is configured by associating time (seconds) with a monitoring interval.

  In the example shown in FIG. 16, the monitoring interval has a maximum value (maximum monitoring interval value) and a minimum value (minimum monitoring interval value), the maximum value being 10 seconds and the minimum value being 0.5 seconds.

  In the computer system 1, the log collection unit 31 basically performs log collection at intervals of the minimum value of the monitoring setting 201a (0.5 second intervals). Further, when the log collection unit 31 receives an instruction to change the log collection interval from the agent of the virtual machine 301 by the monitoring interval reset instruction unit 22 to be described later, the log collection unit 31 collects logs at intervals longer than the minimum value interval. To do.

  The monitoring interval (log collection interval) by the log collection unit 31 may be increased stepwise, for example, but does not exceed the maximum interval (10-second interval).

  By extending the log collection interval, the number of log collections in the virtual machine 301 can be reduced, and the load on log collection can be reduced.

  Note that the monitoring setting 201a for the monitoring interval is not limited to that illustrated in FIG. 16, and can be implemented with various modifications. For example, in the example shown in FIG. 16, the minimum value and the maximum value of the monitoring interval are not limited to 0.5 seconds and 10 seconds, and may be other values.

  Further, for example, the monitoring interval may be widened according to the risk level of the user. For example, the monitoring interval is set in the range of 0.5 to 2.0 seconds for high-risk users, and 0.5 to 10.0 seconds for low-risk users. For a simple user, the monitoring interval may be set in the range of 0.5 to 15 seconds.

  Further, the CPU usage status confirmation unit 21 of the management server 2 inquires of the virtual environment management machine 302 about the CPU usage rate and the virtual machine group information 27 at the monitoring interval (monitoring interval minimum value) described above.

The monitoring setting 201b for the CPU threshold value defines a threshold value (CPU threshold value) used by the monitoring interval resetting instruction unit 22 described later to determine that the CPU 10 is overloaded.
In this monitoring setting 201b, a CPU usage rate is defined as a CPU threshold, and in the example shown in FIG. 17, a CPU usage rate of 70% is set.

  Note that the monitoring setting 201b for the CPU threshold is not limited to that illustrated in FIG. 17 and can be implemented with various modifications. For example, by setting a plurality of values divided into several stages as the CPU threshold value, it is possible to perform an operation according to the operation status of the virtual machine 301.

  The CPU 13 is a processing device that performs various controls and calculations, and implements various functions by executing an OS (Operating System) and programs stored in the memory 14.

  Then, when the CPU 13 executes the control program, as shown in FIG. 3, the CPU 13 functions as a CPU usage confirmation unit 21, a monitoring interval resetting instruction unit 22, a user evaluation unit 23, and a basic server function unit 24.

  Note that a program (monitoring control program) for realizing the functions as the CPU usage status confirmation unit 21, the monitoring interval reset instruction unit 22, the user evaluation unit 23, and the basic server function unit 24 is, for example, a flexible disk, CD (CD-ROM, CD-R, CD-RW, etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD + R, DVD-RW, DVD + RW, HD DVD, etc.), Blu-ray disc, magnetic disc, optical disc , Provided in a form recorded on a computer-readable recording medium such as a magneto-optical disk. Then, the computer reads the program from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. The program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to the computer via a communication path.

  The CPU usage status confirmation unit 21 inquires and acquires the CPU load of each CPU 10 of the virtual environment server 3 from the virtual environment management machine 302 of the virtual environment server 3.

  The CPU usage status confirmation unit 21 stores the acquired CPU load value of each CPU 10 in the virtual machine CPU information 26 in association with the CPU ID of the CPU 10.

  Further, the CPU usage status confirmation unit 21 compares the obtained CPU load value of each CPU 10 with the CPU threshold value registered in the monitoring setting 201b. As a result of the comparison, when the CPU load of the CPU 10 is higher than the CPU threshold, the CPU usage status confirmation unit 21 determines that the overload of the CPU 10 is imminent, and instructs the monitoring interval reset instruction unit 22 To notify that an overload has occurred.

  The monitoring interval reset instruction unit 22 transmits a monitoring interval change instruction that instructs the log collection unit 31 to change the log collection interval (monitoring interval) to the monitoring interval adjustment unit 35 of the virtual machine 301 of the virtual environment server 3.

  In addition, the monitoring interval reset instruction unit 22 notifies information indicating the monitoring interval (monitoring interval information) together with the monitoring interval change instruction.

  The monitoring interval information may be, for example, a monitoring interval extension instruction that lengthens the monitoring interval or a monitoring interval reduction instruction that shortens the monitoring interval. Further, the monitoring interval information may be a monitoring interval minimum instruction for setting the monitoring interval to the minimum value of the monitoring setting 201a (see FIG. 16) or a monitoring interval maximum instruction for setting the maximum value of the monitoring setting 201a (see FIG. 16). Good.

  In addition, in the monitoring interval extension instruction or the monitoring interval reduction instruction, for example, a value indicating a reduction amount or an extension amount such as “−10%” or “+ 20%” may be transmitted.

  When receiving a monitoring interval change instruction and monitoring interval information, the monitoring interval adjustment unit 35 (first monitoring interval adjustment unit 351) described later changes the monitoring interval by the log collection unit 31 according to the monitoring interval information.

  As a result of confirmation by the CPU usage status confirmation unit 21, the monitoring interval reset instruction unit 22 determines that the virtual machine 301 (monitoring interval) when the CPU 10 usage rate is less than or equal to the threshold, that is, when the CPU 10 is overloaded. A monitoring interval extension instruction for increasing the monitoring interval and a monitoring interval maximum instruction are transmitted to the adjustment unit 25). As a result, the load on the CPU 10 that implements the virtual machine 301 can be reduced.

  However, when the virtual machine 301 is in a high-risk state, the monitoring interval reset instruction unit 22 notifies the monitoring interval minimum instruction regardless of the above. Accordingly, it is possible to prepare for a security risk by increasing the log acquisition frequency of the virtual machine 301 in a high-risk state.

  The basic server function unit 24 collects the log collected by the log collection unit 31 from the agent 30 of the virtual machine 301 of the virtual environment server 3 and stores it in the log 25.

  In addition, the basic server function unit 24 notifies each virtual machine 301 of the security policy 202 and the monitoring setting 201.

  Note that these functions as the basic server function unit 24 can be realized using a known method, and the description thereof is omitted.

  The user evaluation unit 23 determines a prohibited operation risk value for the user based on the log 25 collected by the basic server function unit 24.

  The user evaluation unit 23 extracts a history of execution of the prohibited operation from the log 25 and creates a prohibited operation execution history 251.

  The user evaluation unit 23 then counts the number of times each user has executed the prohibited operation (the number of prohibited operation executions) based on the created prohibited operation execution history 251.

  The user evaluation unit 23 determines the prohibited operation risk value based on the number of prohibited operation executions performed by the user. For example, the user evaluation unit 23 arranges all users in descending order of the number of prohibited operation executions in a predetermined period (for example, the latest one month), and sets the top one third as high risk (prohibited operation risk value = 3). The lower 1/3 of them is assumed to be low risk (prohibited operation risk value = 1). Further, 1/3 of the intermediate rank other than these is set as a medium risk (prohibited operation risk value = 2).

  Therefore, the prohibited operation risk value is a security risk value set based on the user's operation history (operation results).

  In addition, the user evaluation unit 23 registers the determined user's prohibited operation risk value in the prohibited operation risk value information 28.

  As described above, in this computer system 1, since the user and the virtual machine 301 correspond one-to-one, the prohibited operation risk value set for the user (user ID) is the virtual machine used by the user. This corresponds to a prohibited operation risk value of 301.

  Details of a method for determining the prohibited operation risk value by the user evaluation unit 23 will be described later with reference to FIG.

(C) Virtual environment server The virtual environment server 3 is a computer having a server function (server computer, information processing apparatus), and logically divides its hardware resources to thereby create one or more virtual machines 301. provide.

  In the present embodiment, the virtual environment server 3 provides a plurality of virtual machines 301.

  The virtual environment server 3 implements the virtual machine 301 by executing a control program (virtualized OS) called a hypervisor, for example. Thus, the virtual environment server 3 has a function as a virtual machine creation unit that creates a plurality of virtual machines 301.

  Note that the construction method of the virtual machine 301 by the hypervisor is known, and the description thereof is omitted.

  As illustrated in FIG. 2, the virtual environment server 3 includes a plurality (four in the example illustrated in FIG. 2) of CPUs 1010-1 to 10-4, a memory 11, and a storage device 12.

  In the example illustrated in FIG. 2, the virtual environment server 3 includes four CPUs 10-1 to 10-4. However, the present invention is not limited to this, and three or less, or five or more CPUs 10 are included. You may prepare.

  The memory 11 is a storage memory including a ROM and a RAM. A software program (control program) and data for the program are written in the ROM of the memory 11. The software program on the memory 11 is appropriately read and executed by the CPUs 10-1 to 10-4. The RAM of the memory 11 is used as a primary storage memory or a working memory.

  The storage device 12 is a storage device such as an HDD, SSD, or SCM, and stores various data.

  The storage area of the storage device 12 stores a log 36, an operation history 37, in-group rank information 38, and security risk value information 39 (see FIG. 4).

  Similar to the log 25 described above, the log 36 is a log (record) relating to an operation performed by the user using the user terminal 102 in the computer system 1. For example, the user operation log, the process monitoring log, and the desktop monitoring log Etc. are included.

  Note that the information stored as the log 36 is the same as that of the log 25 described above, and a description thereof will be omitted.

  The log collection unit 36 is a user operation log, a process monitoring log, and a desktop monitoring log detected by the log collection unit 31 in a virtual machine 301 in which the log collection unit 31 is executed (hereinafter, referred to as the own virtual machine 301).

  The operation history 37 is a history of operations performed by the user using the user terminal 102 in the own virtual machine 301.

  FIG. 18 is a diagram illustrating an operation history 37 in the computer system 1 as an example of the embodiment.

  In the example illustrated in FIG. 18, the operation history 37 is configured by associating items of operation date / time, operation content, operation target, application, and time (seconds) with each other. Here, the item “time” indicates the time (operation processing time) required for the operation performed on the operation target to respond to the operation result.

  When the same operation is performed on the same operation target, it is considered that substantially the same operation processing time is required. Therefore, in the computer system 1, by referring to the operation history 37, it is possible to predict a time required when the same operation is performed on the same operation target.

The operation history 37 is created by the operation history creation unit 33, and the security risk value information 39 is managed by the security risk calculation unit 32 described later, and manages the security risk value for each virtual machine 301.

  The security risk value is an evaluation value that represents a risk set from the viewpoint of information security as a numerical value. For example, the larger the numerical value, the higher the information security risk.

  The security risk value information 39 includes the security risk value of the own virtual machine 301 calculated by the security risk calculation unit 32 (described later) of the own virtual machine 301 and the security risk value of other virtual machines 301.

  Note that the security risk values of the other virtual machines 301 are respectively received from the other virtual machines 301 by the inter-agent communication unit 34 described later.

  The intra-group order information 38 is information obtained by ranking a plurality of virtual machines 301 executed in the virtual environment server 3 in descending order according to the security risk value determined for each virtual machine 301.

  FIG. 19 is a diagram illustrating the intra-group rank information 38 in the computer system 1 as an example of the embodiment.

  In the example shown in FIG. 19, the in-group rank information 38 is configured by associating machine names, ranks, and security risk values with each other.

  In this intra-group order information 38, the order is set by arranging a plurality of virtual machines 301 belonging to the same virtual machine group in descending order from the largest security risk value.

  That is, the intra-group order information 38 shows a plurality of virtual machines 301 belonging to the same virtual machine group in order from the largest security risk value.

  The CPUs 10-1 to 10-4 are processing devices that perform various controls and calculations, and realize various functions by executing an OS (Operating System) and programs stored in the memory 11. These CPUs 10-1 to 10-4 have the same configuration.

  The computer system 1 is a multiprocessing system including a plurality of CPUs 10-1 to 10-4.

  Hereinafter, as reference numerals indicating CPUs, reference numerals 10-1 to 10-4 are used when one of a plurality of CPUs needs to be specified, but reference numeral 10 is used when referring to an arbitrary CPU.

  Then, when the CPU 10 executes the virtual machine control program, the virtual environment management machine 302 and the agent 30 of the virtual machine 301 (log collection unit 31, security risk calculation unit 32, operation history creation unit as shown in FIG. 4). 33 and the inter-agent communication unit 34).

  A program (monitoring control program) for realizing the functions as the virtual environment management machine 302 and the virtual machine 301 (agent 30) is, for example, a flexible disk, CD (CD-ROM, CD-R, CD-RW). Etc.), DVD (DVD-ROM, DVD-RAM, DVD-R, DVD + R, DVD-RW, DVD + RW, HD DVD, etc.), Blu-ray disc, magnetic disc, optical disc, magneto-optical disc, etc. Provided in recorded form. Then, the computer reads the program from the recording medium, transfers it to the internal storage device or the external storage device, and uses it. The program may be recorded in a storage device (recording medium) such as a magnetic disk, an optical disk, or a magneto-optical disk, and provided from the storage device to the computer via a communication path.

  The virtual environment management machine 302 manages each virtual machine 301 in the virtual environment server 3. For example, the virtual environment management machine 302 monitors the operating status of each virtual machine 301 and monitors hardware resources such as the CPU 10 that realizes these virtual machines 301.

  The virtual environment management machine 302 monitors the CPU usage rate (CPU load) of each CPU 10 as one of the hardware resource management in the virtual environment server 3. When an inquiry about the CPU usage rate is made from the management server 2 (CPU usage status confirmation unit 21), the virtual environment management machine 302 responds to the management server 2 with the CPU usage rate.

  The virtual environment management machine 302 may notify the management server 2 (CPU usage status confirmation unit 21) of the measured CPU usage rate or the like regularly or irregularly. For example, when it is detected that the measured CPU usage rate exceeds a predetermined threshold, the management server 2 (CPU usage status confirmation unit 21) may be notified.

  The agent 30 implements various functions in each virtual machine 301. As shown in FIG. 4, the agent 30 has functions as a log collection unit 31, a security risk calculation unit 32, an operation history creation unit 33, and an inter-agent communication unit 34.

  The log collection unit 31 collects logs related to operations and the like in the own virtual machine 301 performed by the user using the user terminal 102.

  The log collection unit 31 collects logs at a first interval (for example, every 0.5 seconds) in a low load state where the load (CPU usage) of the CPU 10 does not exceed a predetermined threshold (for example, 70%). Repeat.

  That is, the log collection unit 31 corresponds to a monitoring processing unit that repeatedly performs a monitoring process for monitoring an operation performed on the virtual machine 301 at the user terminal 102.

  The logs collected by the log collection unit 31 include, for example, user operation logs, process monitoring logs, desktop monitoring logs, and the like.

  The log collected by the log collection unit 31 is stored as a log 36 in the RAM of the storage device 12 or the memory 11.

  The security risk calculation unit 32 calculates a security risk value for each virtual machine 301 based on an operation performed on the virtual machine 301 from the user terminal 102.

  For example, the security risk calculation unit 32 obtains a security risk value (SR1) based on the access range, a security risk value (SR2) based on the user authority, and a security risk value (SR3) based on the number of prohibited operations, respectively. , SR2 and SR3 are summed to calculate a security risk value.

(I) Security risk value based on access range (SR1)
The security risk calculation unit 32 refers to the security policy 202c (FIG. 15) described above, and the security risk value (in accordance with the access destination when the user performs data access to the virtual machine 301 using the user terminal 102) ( Access destination risk value).

  For example, when the access target stays in the own terminal as in the case of performing a file open operation on the local drive, the risk is low and the security risk value (SR1) = 1.

  Further, for example, when the access target is in the corporate intranet, such as an in-house web server or file server, it is a medium risk, and the security risk value (SR1) = 2.

  When the access target is on the external Internet, such as an external web server or file server, the risk is high, and the security risk value (SR1) = 3.

(Ii) Security risk value based on user authority (SR2)
The security risk calculation unit 32 refers to the security policy 202a (FIG. 13) described above, and determines a security risk value (position risk value) set in advance for a user who performs data access using the user terminal 102. To do.

  In the security policy 202a, for example, the position risk value is set such that the higher the position, the higher the risk, and the higher the confidentiality of the data to be handled, the higher the risk.

(Iii) Security risk value based on the number of prohibited operations (SR3)
The security risk calculation unit 32 refers to the prohibited operation risk value information 28 (FIG. 11) and the virtual machine user information 29 (FIG. 12) described above, and the prohibited operation risk set for the user who uses the virtual machine 301. Get the value. That is, the prohibited operation risk value is an operation result risk value corresponding to an operation result performed by the user of the user terminal 102.

  Then, the security risk calculation unit 32 regards the prohibited operation risk value set for this user as the security risk value (SR3) of the virtual machine 301.

  In the present embodiment, an example in which one user uses the virtual machine 301 is shown. However, when a plurality of users use the virtual machine 301, the most prohibited operation risk value among the plurality of users. It is desirable to use a prohibited operation risk value of a user with a high value.

(Iv) Calculation of Security Risk Value The security risk calculation unit 32 calculates the security risk value for each virtual machine 301 by summing the security risk values SR1, SR2, SR3 determined as described above.

  In the present computer system 1, it can be considered that the virtual machine 301 having the smallest security risk value is the virtual machine 301 having the lowest security risk.

  The security risk calculation unit 32 described above corresponds to a security risk value setting unit that sets a security risk value that indicates information security risk as a numerical value for each virtual machine 301 included in the virtual machine group.

  The operation history creation unit 33 creates an operation history 37. For example, the operation history creation unit 33 creates the operation history 37 by extracting a user operation log related to an operation performed by the user from the log 36 collected by the log collection unit 31.

  The inter-agent communication unit 34 communicates with the agent 30 of another virtual machine 301 to realize data transmission / reception. For example, the inter-agent communication unit 34 transmits the security risk value calculated by the security risk calculation unit 32 of the own virtual machine 301 to each of the other virtual machines 301 belonging to the same virtual machine group.

  The inter-agent communication unit 34 can know the other virtual machines 301 belonging to the same virtual machine group by referring to the virtual machine group information 27 of the management server 2, for example.

  The inter-agent communication unit 34 receives each security risk value transmitted from another virtual machine 301 belonging to the same virtual machine group, and stores it in the security risk value information 39.

  Further, the inter-agent communication unit 34 updates the value of the security risk value of the in-group rank information 38 using the security risk value received from the agent 30 of the other virtual machine 301 in the same virtual machine group. Further, the inter-agent communication unit 34 changes the rank of the virtual machine 301 in the intra-group rank information 38 according to the updated security risk value.

  The monitoring interval adjustment unit 35 changes the interval of log collection performed by the log collection unit 31.

  The monitoring interval adjustment unit 35 includes a first monitoring interval adjustment unit 351 and a second monitoring interval adjustment unit 352.

  When receiving the monitoring interval change instruction from the monitoring interval resetting instruction unit 22 of the management server 2, the first monitoring interval adjustment unit 351 changes the monitoring interval by the log collection unit 31.

  For example, when the first monitoring interval adjustment unit 351 receives the monitoring interval minimum instruction together with the monitoring interval change instruction from the monitoring interval reset instruction unit 22, the first monitoring interval adjustment unit 351 instructs the log collection unit 31 to set the minimum value of the monitoring setting 201 a. Monitoring is performed every (0.5 seconds in the example shown in FIG. 16).

  Further, when the first monitoring interval adjustment unit 351 receives the monitoring interval maximum instruction together with the monitoring interval change instruction from the monitoring interval reset instruction unit 22, the first monitoring interval adjustment unit 351 indicates the maximum value of the monitoring setting 201 a to the log collection unit 31. Monitoring is performed every 10 seconds (10 seconds in the example shown in FIG. 16). That is, the monitoring interval is sparse.

  Further, for example, when the first monitoring interval adjustment unit 351 receives an instruction to shorten the monitoring interval by 10% (−10%) as the monitoring interval shortening instruction from the monitoring interval reset instruction unit 22, the monitoring interval is shortened by 10%. Change the monitoring interval. That is, the monitoring interval is narrowed.

  For example, when receiving an instruction to shorten the monitoring interval by 10% as the monitoring interval shortening instruction from the monitoring interval reset instruction unit 22, the first monitoring interval adjusting unit 351 shortens the monitoring interval by 10% according to the instruction. That is, the monitoring interval is narrowed.

  As described above, when the usage rate of the CPU 10 exceeds the threshold and satisfies the standard, the first monitoring interval adjustment unit 351 is at least one of the virtual machines 301 included in the virtual machine group to which the CPU 10 is assigned. This corresponds to a monitoring frequency changing unit that reduces the execution frequency of the monitoring process by the log collecting unit 31 for the virtual machine 301 of the virtual machine 301.

  Further, for example, when the first monitoring interval adjustment unit 351 receives an instruction to increase the monitoring interval from the monitoring interval reset instruction unit 22 as a monitoring interval shortening instruction, the first monitoring interval adjustment unit 351 may change the monitoring interval stepwise.

  For example, the first monitoring interval adjustment unit 351 divides the maximum value and the minimum value of the monitoring setting 201a illustrated in FIG. 16 into a plurality of levels (for example, 5 levels).

  That is, the first monitoring interval adjustment unit 351 calculates the monitoring interval change amount (monitoring interval change amount) by the following equation (1), and changes the monitoring interval by the calculated monitoring interval change amount.

Monitoring interval change amount = {(Minimum monitoring interval value) − (Maximum monitoring interval value)} ÷ 5 (1)
For example, by extending the monitoring interval by the monitoring interval change amount calculated by the above equation (1), the monitoring interval becomes sparse and the CPU load required for monitoring can be reduced. Further, by shortening the monitoring interval by the monitoring interval change amount calculated by the above formula (1), the monitoring interval becomes dense, and the reliability can be improved by increasing the number of times of monitoring.

  When the user performs a specific input operation via the user terminal 102, the second monitoring interval adjustment unit 352 predicts / estimates a time until a response is made to the input operation (response prediction time). Until the estimated response time elapses, control is performed so that monitoring is sparse.

  FIG. 20 is a diagram for explaining processing by the second monitoring interval adjustment unit 352 of the computer system 1 as an example of the embodiment.

  In FIG. 20, the symbol (A) indicates the transition of the CPU usage rate. Reference numeral (B) indicates processing in the user terminal 102. Symbol (C) indicates the execution timing of the monitoring process by the log collection unit 31.

  The user performs an input operation on the user terminal 102 (see symbol P1 in FIG. 20) and waits for a response to the input operation.

  When the second monitoring interval adjustment unit 352 detects no operation of the user terminal 102 for a certain period of time, the second monitoring interval adjustment unit 352 confirms the user operation log (operation history 37) of the log 36 based on the content of the input operation input from the user. . That is, it is confirmed whether a response is waited after some input operation is performed.

  As a result of the confirmation, when waiting for a response, if there is a record of the same operation and the same operation target in the past in the user operation log, it can be predicted that the response time is also the same (FIG. 20). (See symbol P2).

  Therefore, the second monitoring interval adjustment unit 352 acquires the processing time (actual processing time) in the process of the same operation and the same operation target recorded in the user operation log, and logs during the actual processing time. The monitoring interval by the collection unit 31 is widened (see symbol P3 in FIG. 20).

  That is, the second monitoring interval adjustment unit 352 makes the monitoring interval sparse after the input operation is performed on the user terminal until the actual processing time elapses.

  Further, as a result of the confirmation, when the same operation is not recorded in the past in the user operation log, the second monitoring interval adjustment unit 352 performs the same operation and the same in the other agents 30. Check if there is a record of the operation target.

  That is, the second monitoring interval adjustment unit 352 requests another agent 30 to perform a search using the input operation and the operation target as a search key.

  In any other agent 30, when a record of the same operation and the same operation target has been detected in the user operation log in the past, the record is given to the second monitoring interval adjustment unit 352 of the search request source. Processing time is responded.

  Then, the second monitoring interval adjustment unit 352 makes the monitoring interval sparse after the input operation is performed on the user terminal until the actual processing time elapses.

  As a result of the search request, in any other agent 30, when the same operation and the record of the same operation target have not been detected in the user operation log in the past, the second monitoring interval adjustment unit 352 performs monitoring. Do not change the interval.

(B) Operation First, an overview of a load management method in the computer system 1 as an example of an embodiment will be described with reference to FIG.

  The virtual environment server 3 executes a plurality of virtual machines 301 using hardware resources such as the CPU 10 and the memory 11.

  In the example shown in FIG. 21, three virtual machines 301 are executed using the CPU 10-1. These three virtual machines 301 executed using the CPU 10-1 may be referred to as virtual machines # 1 to # 3.

  In this computer system 1, virtual machines # 1 to # 3 executed using the same CPU 10-1 are handled as the same virtual machine group (see reference numeral P1 in FIG. 21).

  The management server 2 manages the virtual machine group using the virtual machine group information 27.

The user accesses the virtual machine 301 using the user terminal 102 and performs various processes (see reference numeral P2 in FIG. 21).
In the virtual environment server 3, the log collection unit 31 of the agent 30 of each virtual machine 301 has a first interval (for example, for example) in a low load state where the CPU load of the CPU 10 exceeds a predetermined threshold (for example, 75%). Logs are collected every 0.5 seconds.

  In the management server 2, the CPU usage status confirmation unit 21 inquires of the virtual environment management machine 302 of the virtual environment server 3 about the CPU usage of each CPU 10 of the virtual environment server 3 executing the virtual machine 301. The load on the CPU 10 is constantly monitored (see reference P3 in FIG. 21).

  In the management server 2, when the CPU usage confirmation unit 21 determines that the CPU usage of any of the CPUs 10 in the virtual environment server 3 exceeds a predetermined threshold (for example, 75%), the CPU 10 is overloaded. It is determined that there is an imminent state. In such a case, the following processes (a1) and (a2) are executed.

  (A1) The monitoring interval reset instruction unit 22 instructs the virtual machines 301 belonging to the virtual machine group to be executed by the CPU 10 in which the overload state is detected to reset the monitoring interval.

  Specifically, the monitoring interval reset instruction unit 22 makes the log collection interval (monitoring interval) sparse for each virtual machine 301 belonging to the virtual machine group using the CPU 10 determined to be in an overload state. adjust. As a result, it is possible to reduce the load on the CPU 10 in an overload state while collecting logs of the virtual machine 301.

  (A2) The agent 30 of the virtual machine 301 calculates a security risk value from the user's operation tendency, the operation target, the user's authority (role), and the like. The agent 30 of the virtual machine 301 adjusts the monitoring interval of the virtual machine 301 while cooperating within the virtual machine group.

  The monitoring interval reset instruction unit 22 repeatedly performs the process of reducing the monitoring intervals of the virtual machines 301 in the same virtual machine group until the load on the CPU 10 becomes equal to or less than the threshold value.

  When the load on the CPU 10 is equal to or less than the threshold, the monitoring interval reset instruction unit 22 returns the monitoring intervals of the sparse virtual machines 301 densely. Thereby, log collection of the virtual machine 301 is performed, and the reliability of the system can be maintained.

Next, an outline of processing at the time of user logon in the computer system 1 as an example of the embodiment will be described with reference to FIG.
At the time of user logon, the following processes (b1) to (b4) are executed.

  (B1) When the user logs on to the virtual environment server 3 via the user terminal 102 (see P1 in FIG. 22), a virtual machine 301 (virtual machine # 4 in the example shown in FIG. 22) is newly added to the virtual environment server 3. It is activated (see symbol P2 in FIG. 22).

  (B2) The agent 30 of the newly activated virtual machine # 4 notifies the management server 2 of machine information (for example, IP address or MAC address) and user information of the logged-on user (see reference numeral P3 in FIG. 22). ).

  (B3) The management server 2 makes an inquiry to the virtual environment management machine 302 and obtains CPU information (identification number; CPU ID) assigned to the virtual machine # 4 (see symbol P4 in FIG. 22). The management server 2 updates the virtual machine group information 27 based on the acquired CPU information (see symbol P5 in FIG. 22). That is, the newly activated virtual machine 301 is registered in the virtual machine group information 27 in association with the CPU ID of the CPU that executes the virtual machine 301.

  (B4) The management server 2 notifies the machine information of the newly activated virtual machine 301 to each of the agents of all the virtual machines 301 belonging to the virtual machine group to which the agent 30 belongs (see P6 in FIG. 22). ).

Next, an outline of processing at the time of user logoff in the computer system 1 as an example of the embodiment will be described.
At the time of user logoff, the following processes (c1) to (c3) are executed.

  (C1) When the user performs a logoff operation via the user terminal 102, the agent 30 notifies the management server 2 that the user has logged off (see symbol P6 in FIG. 22).

  (C2) The management server 2 updates the virtual machine group information 27. That is, the virtual machine 301 used by the logged off user (hereinafter referred to as the logged off virtual machine 301) is deleted from the virtual machine group information 27.

  (C3) The management server 2 notifies the virtual machine 301 of the virtual machine group to which the logged off virtual machine 301 belongs to the machine information of the logged off virtual machine 301.

  Next, an outline of processing of the management server 2 of the computer system 1 as an example of the embodiment will be described according to a flowchart (steps A1 to A5) illustrated in FIG.

  In step A <b> 1, the system administrator of the computer system 1 inputs the security policy 202 and the monitoring setting 201 using the administrator terminal 101. Thereby, the security policies 202a to 202c and the monitoring settings 201a and 201b are set.

  In step A2, the management server 2 (CPU usage status confirmation unit 21) inquires of the virtual environment management machine 302 about the CPU usage rate and the virtual machine group information 27 at the monitoring interval (monitoring interval minimum value) described above. Further, the virtual machine CPU information 26 and the virtual machine group information 27 are updated according to the responses made to these inquiries.

  In step A3, when the login to the virtual machine 301 by the user is detected, the virtual machine group information 27 is updated.

  In step A4, it is confirmed whether a new log has been collected. As a result of the confirmation, when a new log is collected (refer to the “when done” route in step A4), the user evaluation unit 23 updates the prohibited operation risk value information 28 in step A5. As a result of the confirmation in step A4, if a new log has not been collected (see the “not done” route in step A4), step A5 is skipped and the process is terminated.

  Next, the processing of the agent 30 in the virtual machine 301 of the virtual environment server 3 of the computer system 1 as an example of the embodiment will be described according to the flowchart (steps B1 to B10) illustrated in FIG.

  In step B <b> 1, the user logs in to the virtual machine 301 using the user terminal 102.

  In step B <b> 2, the virtual machine 301 (security risk calculation unit 32) acquires the virtual machine group information 27, the security policy 202, and the monitoring setting 201 regarding the virtual machine 301 to which the own virtual machine 301 belongs.

  In step B <b> 3, when a user operation input is made via the user terminal 102, the operation history creation unit 33 creates an operation history 37. Details of the process performed by the operation history creation unit 33 will be described later with reference to FIG.

  In step B4, the logs collected by the log collection unit 31 are periodically transmitted to the management server 2 (basic server function unit 24) at predetermined intervals.

  In step B5, it is confirmed whether an active window change is detected. If a change in the active window is detected (see YES route in step B5), the security risk calculation unit 32 calculates the security policy 202 in step B6.

  In step B6, the security risk calculation unit 32 calculates a security risk value. As a result of the confirmation in step B5, it is confirmed whether a change in the active window is detected.

  As a result of the confirmation in step B5, if a change in the active window is detected (see YES route in step B5), the process proceeds to step B6.

  In step B6, the security risk calculation unit 32 calculates a security risk value. The details of the security risk value calculation method by the security risk calculation unit 32 will be described later with reference to FIG.

  In step B <b> 7, the inter-agent communication unit 34 updates the rank of the virtual machine 301 in the intra-group rank information 38. Details of processing by the inter-agent communication unit 34 will be described later with reference to FIG.

  As a result of the confirmation in step B5, if no change in the active window is detected (see NO route in step B5), step B6 is skipped and the process proceeds to step B7.

  In step B8, the monitoring interval adjustment unit 35 (first monitoring interval adjustment unit 351) adjusts the monitoring interval. The details of the monitoring interval adjustment method by the first monitoring interval adjustment unit 351 will be described later with reference to FIG.

  In step B9, the monitoring interval adjustment unit 35 (second monitoring interval adjustment unit 352) adjusts the monitoring interval. The details of the monitoring interval adjustment method by the second monitoring interval adjustment unit 352 will be described later with reference to FIG.

  In step B10, it is confirmed whether or not the user has logged out. If the user has not logged out (see NO route in step B10), the process returns to step B3. If the user has logged out (see YES route in step B10), the process is terminated.

  Next, processing by the user evaluation unit 23 in the management server 2 of the computer system 1 as an example of the embodiment will be described according to a flowchart (steps C1 to C9) illustrated in FIG.

  In step C <b> 1, the user evaluation unit 23 updates the number of prohibited operation executions performed by the user based on the newly collected log from the virtual machine 301 by the basic server function unit 24.

  In step C <b> 2, the user evaluation unit 23 extracts a history of execution of the prohibited operation from the log 25 and registers (adds to) the prohibited operation execution history 251.

  In step C3, the user evaluation unit 23 deletes the history for a predetermined period (for example, 30 days or earlier) from the current date and time in the prohibited operation execution history 251.

  In step C4, the user evaluation unit 23 refers to the virtual machine group information 27 and obtains a list of other users belonging to the same virtual machine group as the user who performed the input operation (virtual machine 301).

  In step C5, the user evaluation unit 23 refers to the prohibited operation execution history 251 and acquires the number of prohibited operation executions of each user registered in the user list acquired in step C4.

  In step C6, the user evaluation unit 23 arranges all the users registered in the user list in descending order of the number of prohibited operations. Then, the user evaluation unit 23 sets the upper third of the users arranged in descending order of the number of prohibited operations to be a high risk (prohibited operation risk value = 3) (step C9), and sets the lower third of them. Low risk (prohibited operation risk value = 1) is set (step C7). Further, 1/3 of the intermediate rank other than these is set as a medium risk (prohibited operation risk value = 2) (step C8).

  Next, processing of the operation history creation unit 33 in the virtual environment server 3 of the computer system 1 as an example of the embodiment will be described according to a flowchart (steps D1 to D5) illustrated in FIG.

  In step D1, a process operation monitoring log is recorded based on the log 36 collected by the log collecting unit 31.

  In step D <b> 2, the user evaluation unit 23 acquires information on active windows in the user terminal 102 on which the user is operating.

  In step D3, the user evaluation unit 23 confirms whether a record corresponding to the acquired title of the active window is registered in the window title monitoring log 25c.

  As a result of the confirmation, if a record corresponding to the acquired title of the active window is registered in the window title monitoring log 25c (see YES route in step D3), the process is terminated.

  As a result of the confirmation, if the record corresponding to the acquired title of the active window is not registered in the window title monitoring log 25c (see NO route of step D3), the process proceeds to step D4.

  In step D <b> 4, the user evaluation unit 23 determines that the process being executed in the active window has been operated for the first time after the virtual environment server 3 is activated. Then, the processing time is calculated and recorded in the user operation log 25a with the current time as the time when the result of the input operation is responded.

  In step D5, the user evaluation unit 23 records the operation executed in the active window in the process operation monitoring log 25b and the window title monitoring log 25c, and ends the process.

  Next, processing of the security risk calculation unit 32 in the virtual environment server 3 of the computer system 1 as an example of the embodiment will be described according to a flowchart (steps E1 to E6) illustrated in FIG.

  In step E <b> 1, the security risk calculation unit 32 acquires the access destination for the input operation performed by the user on the user terminal 102.

  In step E2, the security risk calculation unit 32 refers to the security policy 202c based on the acquired access destination, and acquires an access destination risk value (SR1) corresponding to the access destination.

  In step E3, the security risk calculation unit 32 refers to the security policy 202a and acquires the user's affiliation and post (authority information).

  In step E4, the security risk calculation unit 32 refers to the security policy 202a and acquires the user's post risk value (SR2).

  In step E5, the security risk calculation unit 32 refers to the prohibited operation risk value information 28 based on the user ID, and acquires the prohibited operation risk value (SR3).

  In step E6, the security risk calculation unit 32 sums up the access destination risk value (SR1), the post risk value (SR2), and the prohibited operation risk value (SR3), thereby increasing the security risk for the virtual machine 301 (agent 30). The value is calculated and the process ends.

  Next, a method for creating the intra-group order information 38 by the inter-agent communication unit 34 in the virtual environment server 3 of the computer system 1 as an example of the embodiment will be described according to the flowchart (steps F1 to F3) shown in FIG.

  In step F1, the inter-agent communication unit 34 refers to the virtual machine group information 27 and acquires a list of IPs of the virtual machines 301 belonging to the virtual machine group.

  In step F2, the inter-agent communication unit 34 acquires each security risk value from the agents 30 of the other virtual machines 301 shown in the IP list.

  In step F3, the inter-agent communication unit 34 creates the in-group rank information 38 by sorting the other virtual machines 301 shown in the IP list in descending order by the security risk value, and ends the process. .

  Note that the method for acquiring the security risk value of each virtual machine 301 described above is not limited to the method shown in these steps F1 and F2, and can be implemented with various modifications. For example, the agents 30 of the virtual machines 301 may notify each other of their own security risk values through the inter-agent communication unit 34.

  Next, processing of the first monitoring interval adjustment unit 351 in the virtual environment server 3 of the computer system 1 as an example of the embodiment will be described according to the flowchart (steps G1 to G7) illustrated in FIG.

  In step G1, the first monitoring interval adjustment unit 351 compares the CPU usage rate with a threshold value. As a result of the comparison, when the CPU usage rate is equal to or lower than the threshold value (refer to the route “[CPU usage rate] is equal to or lower than“ threshold value ”in step G1), the process proceeds to step G2.

  In step G2, the first monitoring interval adjustment unit 351 makes the monitoring interval fine by setting the monitoring interval of each virtual machine 301 belonging to the same virtual machine group to −10%, and ends the processing.

  On the other hand, if the CPU usage rate is higher than the threshold value as a result of the comparison in step G1 (see the route “[CPU usage rate] is higher than“ threshold value ”in step G1), the process proceeds to step G3.

  In step G <b> 3, the first monitoring interval adjustment unit 351 refers to the in-group order information 38 and confirms the order of the own virtual machine in the virtual machine group.

  When the own virtual machine corresponds to the lower 1/3 in the same virtual machine group (see the route of “lower risk of lower 1/3” in step G3), the process proceeds to step G4.

  In step G4, the first monitoring interval adjustment unit 351 confirms the monitoring interval of the own virtual machine 301. As a result of the confirmation, when the monitoring interval is shorter than the maximum monitoring interval value (see the route “when shorter than the maximum monitoring interval value” in step G4), the process proceeds to step G5.

  In step G5, the first monitoring interval adjustment unit 351 extends the monitoring interval of the own virtual machine 301 by the monitoring interval change amount, and then ends the process.

  When the monitoring interval is equal to the maximum monitoring interval as a result of the confirmation in step G4 (see the route “when equal to the maximum monitoring interval” in step G4), the process proceeds to step G6.

  In step G6, the first monitoring interval adjustment unit 351 notifies the other virtual machines 301 in the same virtual machine group to extend the monitoring interval by the inter-agent communication unit 34, respectively. Thereafter, the process ends.

  If the result of the confirmation in step G3 is that the own virtual machine corresponds to the top 1/3 in the virtual machine group (see the route “in the case of high risk of the top 1/3” in step G3), the process proceeds to step G7. To do.

  In step G7, the first monitoring interval adjusting unit 351 sets the monitoring interval of the own virtual machine 301 to the minimum monitoring interval, and then ends the process.

Further, as a result of the confirmation in step G3, if the own virtual machine does not correspond to either the upper 1/3 or the lower 1/3 in the virtual machine group (refer to the route of “other than medium risk” in step G3) ), The process is terminated.

  Next, the process of the second monitoring interval adjustment unit 352 in the virtual environment server 3 of the computer system 1 as an example of the embodiment will be described according to the flowchart (steps H1 to H6) illustrated in FIG.

  In step H <b> 1, the second monitoring interval adjustment unit 352 confirms the user's operation on the user terminal 102 via the log collection unit 31, for example.

  As a result of the confirmation, if the user is performing any operation on the user terminal 102 (refer to the route “Mouse operation, file selection, character input” in step H1), the process is terminated.

  If the user is not operating the user terminal 102 (see the “not operated” route in step H1), the process proceeds to step H2.

  In step H <b> 2, the second monitoring interval adjustment unit 352 searches the operation history 37 in the own virtual machine 301 and confirms whether it is waiting for the operation result.

  As a result of the confirmation, when waiting for the result of the operation (see the route “Waiting for“ result of operation ”” in step H2), the process proceeds to step H3.

  In step H <b> 3, the second monitoring interval adjustment unit 352 searches the operation history 37 for an execution record of the same operation. This search target includes not only the own virtual machine 301 but also other virtual machines 301 in the virtual machine group.

  When the operation record of the similar operation is in the operation history 37, the second monitoring interval adjustment unit 352 sets the time when the response is made to the input operation based on the recorded processing time (actual processing time). Predict.

  In step H4, the second monitoring interval adjustment unit 352 confirms the time until the predicted time. When the time up to the predicted time is longer than the maximum monitoring interval (see the route “longer than the maximum monitoring interval” in step H4), the process proceeds to step H5.

  In step H5, the second monitoring interval adjustment unit 352 extends the monitoring interval set by the first monitoring interval adjustment unit 351. For example, the second monitoring interval adjustment unit 352 extends the monitoring interval by the monitoring interval change amount. Thereafter, the process ends.

  As a result of the confirmation in step H4, if the time until the predicted time is less than or equal to the maximum value of the monitoring interval (see the route in the case of “below the maximum value of the monitoring interval” in step H4), the processing is ended as it is.

  If the result of the confirmation in step H2 is not waiting for the operation result (step H2 “not waiting for“ operation result ”” route reference, the process proceeds to step H6.

  In step H <b> 6, the second monitoring interval adjustment unit 352 extends the monitoring interval set by the first monitoring interval adjustment unit 351. For example, the second monitoring interval adjustment unit 352 extends the monitoring interval by the monitoring interval change amount. Thereafter, the process ends.

(C) Effect As described above, according to the computer system 1 as an example of the embodiment, in the virtual environment server 3, the monitoring interval adjustment unit 35 (first monitoring interval adjustment unit 351) The execution interval (monitoring interval) of the log collection processing (monitoring processing) by the collection unit 31 is set long (sparse). Thereby, the load on the CPU 10 can be reduced. Further, since the log collection processing by the log collection unit 31 is executed although the number of times is reduced, the security level can be maintained.

  Further, the first monitoring interval adjustment unit 351 increases the monitoring interval of other virtual machines 301 belonging to the virtual machine group realized by the same CPU 10 as the own virtual machine 301. Thereby, the load on the CPU 10 in a high load state can be efficiently reduced.

  When the user performs a specific input operation via the user terminal 102, the second monitoring interval adjustment unit 352 predicts a response prediction time until a response is made to the input operation, and this response prediction time Until the time elapses, control is performed to lengthen the sense of surveillance. Thereby, it is possible to efficiently reduce the load on the CPU 10 in a high load state while waiting for a response to the input operation.

(D) Others Regardless of the embodiment described above, various modifications can be made without departing from the spirit of the present embodiment.

  For example, in the above-described embodiment, the computer system 1 includes the management server 2 and the virtual environment server 3, but the present invention is not limited to this. For example, the function as the management server 2 and the function as the virtual environment server 3 may be provided in one computer, or these functions may be distributed and provided in three or more computers.

  Further, according to the above-described disclosure, this embodiment can be implemented and manufactured by those skilled in the art.

  (E) Appendix

(Appendix 1)
In a monitoring control program that executes a monitoring process for monitoring operations performed on a user terminal on a virtual machine,
When the processor usage rate satisfies the standard, the computer is caused to execute a process of reducing the execution frequency of the monitoring process related to at least one of the virtual machines included in the virtual machine group assigned to the processor. Supervisory control program.

(Appendix 2)
Set a security risk value that indicates information security risk numerically for each virtual machine included in the virtual machine group,
The monitoring control program according to supplementary note 1, which causes the computer to execute a process for reducing an execution frequency of the monitoring process related to a virtual machine having the lowest security risk value among the virtual machines included in the virtual machine group.

(Appendix 3)
The monitoring control program according to appendix 2, wherein the security risk value has an access destination risk value corresponding to an access range when data is accessed from the use terminal to the virtual machine.

(Appendix 4)
The monitoring control program according to appendix 2 or 3, wherein the security risk value has a user authority risk value corresponding to a user authority of a user of the user terminal.

(Appendix 5)
The monitoring control program according to any one of appendices 2 to 4, wherein the security risk value has an operation result risk value corresponding to an operation result of a user of the user terminal.

(Appendix 6)
Refer to the operation history based on the operation content performed on the user terminal, obtain a response processing time corresponding to the operation content,
The monitoring control program according to any one of appendices 1 to 5, which causes the computer to execute a process of reducing an execution frequency of the monitoring process during the response actual time.

(Appendix 7)
A monitoring processing unit that repeatedly performs a monitoring process for monitoring operations performed on the use terminal for the virtual machine;
When the usage rate of a processor satisfies the standard, the monitoring processing unit performs a lower frequency of execution of the monitoring processing on at least one of the virtual machines included in the virtual machine group to which the processor is assigned A monitoring control device comprising: a monitoring frequency changing unit.

(Appendix 8)
A security risk value setting unit configured to set a security risk value indicating information security risk numerically in each virtual machine included in the virtual machine group;
The monitoring frequency changing unit lowers an execution frequency of the monitoring processing by the monitoring processing unit regarding a virtual machine having the lowest security risk value among the virtual machines included in the virtual machine group. The monitoring control device according to appendix 7.

(Appendix 9)
The monitoring control device according to appendix 8, wherein the security risk value has an access destination risk value corresponding to an access range when data access is performed from the use terminal to the virtual machine.

(Appendix 10)
The monitoring control apparatus according to appendix 8 or 9, wherein the security risk value has a user authority risk value corresponding to a user authority of a user of the user terminal.

(Appendix 11)
The monitoring control device according to any one of appendices 8 to 10, wherein the security risk value has an operation result risk value corresponding to an operation result of a user of the user terminal.

(Appendix 12)
Refer to the operation history based on the operation content performed on the user terminal, obtain a response processing time corresponding to the operation content,
The monitoring control device according to any one of appendices 7 to 11, wherein the monitoring frequency changing unit reduces the execution frequency of the monitoring processing by the monitoring processing unit during the response performance time.

(Appendix 13)
A process of identifying a virtual machine group to which the same processor is assigned with reference to a storage unit that stores the identification information of the processor assigned to the virtual machine in association with the virtual machine;
When the usage rate of the same processor satisfies a standard, a monitoring process for monitoring an operation at a use terminal of the virtual machine for at least one of the virtual machines included in the specified virtual machine group And a process for reducing the execution frequency of the monitoring control method.

(Appendix 14)
A process of setting a security risk value that indicates information security risk numerically in each virtual machine included in the virtual machine group;
The monitoring control method according to claim 13, further comprising: a process for reducing the frequency of execution of the monitoring process for the virtual machine having the lowest security risk value among the virtual machines included in the virtual machine group. .

(Appendix 15)
15. The monitoring control method according to appendix 14, wherein the security risk value has an access destination risk value corresponding to an access range when performing data access from the use terminal to the virtual machine.

(Appendix 16)
The monitoring control method according to appendix 14 or 15, wherein the security risk value has a user authority risk value corresponding to a user authority of a user of the user terminal.

(Appendix 17)
The monitoring control method according to any one of appendices 14 to 16, wherein the security risk value has an operation result risk value corresponding to an operation result of a user of the user terminal.

(Appendix 18)
A process of referring to an operation history based on the operation content performed at the user terminal and acquiring a response processing time corresponding to the operation content;
The monitoring control method according to any one of appendices 13 to 17, further comprising a process of reducing an execution frequency of the monitoring process during the response actual time.

(Appendix 19)
A management device that manages a virtual environment device that causes a processor to execute a plurality of virtual machines,
A usage rate confirmation unit that queries the usage rate of the processor of the virtual environment device;
A monitoring process that is repeatedly performed for at least one of the virtual machines included in the virtual machine group to which the processor is assigned to the virtual environment device when the usage rate of the processor satisfies the standard. A management apparatus comprising: a monitoring frequency change instruction unit that reduces an execution frequency.

1 Computer System 2 Management Server 3 Virtual Environment Server 10-1 to 10-4, 10, 13 CPU
DESCRIPTION OF SYMBOLS 11,14 Memory 12,15 Storage device 21 CPU usage condition confirmation part 22 Monitoring interval reset instruction part 23 User evaluation part 24 Basic server function part 25,36 Log 25a User operation log 25b Process operation monitoring log 25c Window title monitoring log 26 Virtual machine CPU information 27 Virtual machine group information 28 Prohibited operation risk value information 29 Virtual machine user information 30 Agent 31 Log collection unit 32 Security risk calculation unit 33 Operation history creation unit 34 Inter-agent communication unit 35 Monitoring interval adjustment unit 351 1 monitoring interval adjustment unit 352 second monitoring interval adjustment unit 37 operation history 38 in-group order information 39 security risk value information 101 administrator terminal 102 user terminal 201, 201a, 201b monitoring setting 202, 202a, 202b 202c security policy 251 prohibits operation execution history 301 virtual machine 302 virtual environment management machine

Claims (8)

In a monitoring control program that executes a monitoring process for monitoring operations performed on a user terminal on a virtual machine,
When the processor usage rate meets the standard, the computer executes a process for reducing the frequency of execution of the monitoring process for at least one of the virtual machines included in the virtual machine group to which the processor is assigned. Supervisory control program. Set a security risk value that indicates information security risk numerically for each virtual machine included in the virtual machine group,
The monitoring control program according to claim 1, wherein the computer is caused to execute a process of reducing an execution frequency of the monitoring process related to a virtual machine having the lowest security risk value among the virtual machines included in the virtual machine group. The monitoring control program according to claim 2, wherein the security risk value has an access destination risk value corresponding to an access range when data is accessed from the user terminal to the virtual machine. The monitoring control program according to claim 2 or 3, wherein the security risk value has a user authority risk value corresponding to a user authority of a user of the user terminal. The monitoring control program according to any one of claims 2 to 4, wherein the security risk value has an operation result risk value corresponding to an operation result of a user of the user terminal. Refer to the operation history based on the operation content performed on the user terminal, obtain a response processing time corresponding to the operation content,
The monitoring control program according to any one of claims 1 to 5, which causes the computer to execute a process of reducing an execution frequency of the monitoring process during the response performance time. A monitoring processing unit that repeatedly performs a monitoring process for monitoring operations performed on the use terminal for the virtual machine;
When the usage rate of a processor satisfies the standard, the monitoring processing unit performs a lower frequency of execution of the monitoring processing on at least one of the virtual machines included in the virtual machine group to which the processor is assigned A monitoring control device comprising: a monitoring frequency changing unit. A process of identifying a virtual machine group to which the same processor is assigned with reference to a storage unit that stores the identification information of the processor assigned to the virtual machine in association with the virtual machine;
When the usage rate of the same processor satisfies a standard, a monitoring process for monitoring an operation at a use terminal of the virtual machine for at least one of the virtual machines included in the specified virtual machine group And a process for reducing the execution frequency of the monitoring control method.

Images