JP2018136603A - Decryption classification method, decryption classification device and decryption classification program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a decryption classification device capable of preventing decryption of an encrypted file not intended by a user based on the purpose of processing by an application.SOLUTION: A decryption classification device 20 comprises: a storage unit 21 which stores classification information including processing information which is information related to processing to open an encrypted file by an application and decryption information indicating an instruction of whether or not to decrypt the encrypted file; an acquisition unit 22 which acquires processing information related to the processing to open the encrypted file by the detected application; and a notification unit 23 which notifies decryption means in which the encrypted file in the detected processing is the object of the decryption, of the decryption information contained in the classification information including the acquired processing information in the classification information stored in the storage unit 21.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a decoding classification method, a decoding classification device, and a decoding classification program.

  Incidents and accidents related to information leakage due to internal fraud and targeted attacks are increasing. Implementation of information leakage countermeasures by file encryption is expected to become more important.

  In general, when security measures are implemented, business efficiency often decreases. The burden on the user and the convenience for the user in the security measures are important factors that need to be considered when the security measures are implemented.

  A specific example of file encryption as a countermeasure against the above information leakage will be described. An encrypted file encrypted by a file encryption product is often a file that can be used by an arbitrary application. In the case of a file that can be used by an arbitrary application, the encrypted file is also used as it is by an application that is normally used by the user.

  That is, since the user can handle the encrypted file by operating the application that is normally used, it is not necessary to introduce a new application in order to handle the encrypted file.

  The feature of the file encryption product that generates an encrypted file that can be used by any application is that, as described above, the cost for learning the operation method of the encrypted file for the user is low and the convenience is high. is there. That is, the burden on the user when installing the file encryption product is light.

  Many file encryption products intervene in the application's “open file” process and decrypt the encrypted file. The file encryption product then passes the decrypted file to the application. That is, the file encryption product mediates the use of the encrypted file by the application in order to realize that the encrypted file is used by an arbitrary application.

  In order to accommodate any application, the file encryption product intervenes in a more general “open file” process rather than in a separate process for each application. For example, a file encryption product intervenes in a general-purpose “open file” process by a Windows (registered trademark) API (Application Programming Interface) with an API hook or the like. An API hook means a process that interrupts when a program calls a specific API.

JP 2007-324726 A

  When executing the “open file” process, the application normally opens not only the file assumed to be opened by the user but also the setting file and the like by an internal process. In addition, the application may open a file that the user has not explicitly instructed to open in parallel with the execution of the “open file” process.

  File encryption products are required to determine whether to decrypt each file opened by the application. However, the process of opening each file by the application corresponds to a general-purpose “open file” process.

  In the above case, it is difficult for the file encryption product that intervenes in the general-purpose “open file” process to determine the purpose of the intervening process. Therefore, the file encryption product must take either the operation of uniformly decrypting the encrypted file to be subjected to the file open process of the application or the operation of not decrypting it uniformly.

  For example, consider a case where an encrypted file is used by a mailer that is software for creating, sending / receiving, storing, and managing electronic mail. It is assumed that the mailer user refers to the encrypted file attached to the received mail with the mailer preview function. In addition, it is assumed that the user transmits the encrypted file attached to the transmission mail in an encrypted state.

  When the encrypted file is used by the mailer, the user sets the file encryption product to intervene in the “open file” process for the encrypted file by the mailer. With the above settings, the user can refer to the encrypted attachment of the received mail with the preview function of the mailer.

  However, even when the user attaches an encrypted file to the outgoing mail, the application (mailer) may open the file by internal processing. When the mailer opens a file by internal processing, if it is set as described above, the attached file may be transmitted in a decrypted state against the user's intention.

  In the above example, general-purpose “open file” processing is performed by a low-layer API such as Windows API CreateFile. The process of opening a file for preview in the mailer is done with the CreateFile API in the lower layer. In addition, the process of opening a file to attach a file to an email is also done with the CreateFile API in the lower layer. That is, simply referring to the process of CreateFile does not determine whether the purpose of the process is preview or email attachment.

  The above operation is an operation that is not assumed to be performed by a file encryption product provided for the purpose of protecting information from targeted attacks or information leakage unintended by the user.

  Patent Document 1 describes a file sharing server device that confirms a packet of a print spool open response message and decrypts the encrypted message. However, in the file sharing server device described in Patent Document 1, it is not assumed that it is determined whether to decode a message according to the type of the open response message.

[Object of invention]
Therefore, the present invention provides a decryption classification method, a decryption classification apparatus, and a decryption classification program capable of preventing the decryption of an encrypted file that is not intended by a user based on the purpose of processing by an application, which solves the above-described problems. Objective.

  The decryption classification method according to the present invention stores and detects classification information including processing information that is information related to processing for opening an encrypted file by an application and decryption information that indicates whether to decrypt the encrypted file. Processing information for opening an encrypted file by the application is acquired, and the encrypted file in the processing in which the decryption information included in the classification information including the acquired processing information is detected among the stored classification information is decrypted It is characterized by notifying to the decoding means which is the object of.

  A decryption and classification apparatus according to the present invention includes a storage unit that stores classification information including processing information that is information related to processing for opening an encrypted file by an application and decryption information that indicates whether to decrypt the encrypted file; An acquisition unit that acquires processing information of a process for opening an encrypted file by a detected application, and detection of decryption information included in the classification information including the acquired processing information among the classification information stored in the storage unit And a notification unit that notifies the decryption means that is the decryption target of the encrypted file in the processed process.

  The decryption classification program according to the present invention stores in a computer, classification information including processing information that is information related to processing for opening an encrypted file by an application and decryption information that indicates whether to decrypt the encrypted file. Processing, acquisition processing for acquiring processing information for opening an encrypted file by the detected application, and decryption information included in the classification information including the acquired processing information among the stored classification information is detected. In this process, a notification process for notifying the decryption means that is the decryption target of the encrypted file is executed.

  ADVANTAGE OF THE INVENTION According to this invention, the decoding of the encryption file which a user does not intend based on the objective of the process by an application can be prevented.

It is a block diagram which shows the structural example of 1st Embodiment of the decoding classification | category apparatus by this invention. It is a flowchart which shows the operation | movement of the classification process by the decoding classification apparatus 20 of 1st Embodiment. It is a block diagram which shows the structural example of 2nd Embodiment of the decoding classification | category apparatus by this invention. It is a block diagram which shows the structural example of 2nd Embodiment of the application operation | movement classification | category part. It is explanatory drawing which shows the example of the classification rule stored in the classification rule memory | storage part 200. FIG. It is explanatory drawing which shows the example of the confirmation screen which the confirmation screen display part 105 displays. It is a flowchart which shows the operation | movement of the classification result notification process by the application operation | movement classification part 100 of 2nd Embodiment.

Embodiment 1. FIG.
Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of a first embodiment of a decoding classification apparatus according to the present invention. The decryption and classification apparatus 20 according to the present invention stores a storage unit 21 that stores classification information including processing information that is information related to processing for opening an encrypted file by an application and decryption information that indicates an instruction as to whether or not to decrypt the encrypted file. (For example, the classification rule storage unit 200), the acquisition unit 22 (for example, the application information acquisition unit 102) that acquires processing information of the process for opening the encrypted file by the detected application, and the storage unit 21. A notification unit 23 (for example, a classification result notification unit) that notifies the decryption unit that is the decryption target of the encrypted file in the process in which the decryption information included in the classification information including the acquired processing information is included in the classification information 107).

  Hereinafter, the classification process by the decoding classification apparatus 20 will be described. FIG. 2 is a flowchart showing the operation of classification processing by the decoding classification device 20 of the first embodiment.

  The acquisition unit 22 acquires processing information that is information related to processing for opening the encrypted file by the detected application (step S11).

  Next, the notification unit 23 extracts classification information including the acquired processing information from the classification information stored in the storage unit 21 (step S12).

  Next, the notifying unit 23 sends the decryption information indicating the instruction to determine whether or not to decrypt the encrypted file included in the extracted classification information to the decryption unit whose decryption target is the encrypted file in the detected process. Notification is made (step S13). After the notification, the decoding classification device 20 ends the classification process.

  With such a configuration, the decryption and classification apparatus can prevent decryption of the encrypted file that is not intended by the user based on the purpose of processing by the application.

  The notification unit 23 may notify the decryption unit of information indicating an instruction not to decrypt the encrypted file in the detected process in which the classification information including the acquired process information is not stored in the storage unit 21.

  With such a configuration, the decryption classification apparatus can prevent decryption of an encrypted file that has not been designated in advance by the user.

  In addition, the notification unit 23 is input means for inputting information indicating an instruction as to whether or not to decrypt the encrypted file in the detected process in which the classification information including the acquired process information is not stored in the storage unit 21 (For example, a confirmation screen) may be presented, and information input via the presented input means may be notified to the decryption means.

  With such a configuration, the decryption and classification apparatus can confirm with the user whether or not to decrypt an encrypted file not designated in advance by the user.

  Moreover, the memory | storage part 21 may memorize | store the classification | category information in which the information input via the presented input means is included as decoding information.

  With such a configuration, the decryption classification apparatus can register new classification information related to an encrypted file that is not designated in advance by the user.

  Further, the decryption and classification apparatus 20 may include a detection unit (for example, the file access detection unit 101) that detects a process of opening an encrypted file by an application.

  With such a configuration, the decryption and classification apparatus can detect a process for opening an encrypted file by an application.

  Further, the processing information may include a stack trace related to processing for opening an encrypted file by an application.

  With such a configuration, the decryption and classification apparatus can set the processing conditions for opening the encrypted file by an application that is permitted to decrypt the encrypted file in more detail.

  The processing information includes information related to the application in the process of opening the encrypted file by the application (for example, the path where the application is stored) and information related to the encrypted file (for example, the extension of the encrypted file). May be.

Embodiment 2. FIG.
[Description of configuration]
Next, a second embodiment of the present invention will be described with reference to the drawings. FIG. 3 is a block diagram showing a configuration example of the second embodiment of the decoding classification apparatus according to the present invention.

  The decryption and classification apparatus according to the present embodiment causes a given application to execute only the decryption process designated by the user and suppress the execution of the decryption process not designated by the user, thereby ensuring file safety and convenience. This is a decryption and classification device for encrypted files that achieves both.

  As shown in FIG. 3, the decryption classification apparatus 10 includes an application behavior classification unit 100, a classification rule storage unit 200, an application 300 (hereinafter referred to as AP 300), an operating system 400 (hereinafter referred to as OS 400), A hard disk drive 500 (hereinafter referred to as HDD 500).

  The application operation classification unit 100 performs an operation of an arbitrary application that handles an encrypted file, an application operation that processes a file obtained by decrypting the encrypted file, and an application operation that processes the encrypted file while being encrypted. Has the function of classifying either.

  The application operation classification unit 100 operates in cooperation with a file encryption product (not shown) that intervenes in the “open file” process of an arbitrary application.

  The classification rule storage unit 200 has a function of storing classification rules used when the application operation classification unit 100 classifies application operations. The classification rule is stored as a file in the classification rule storage unit 200 that is a hard disk, for example. Further, the classification rule storage unit 200 may be a database.

  As shown in FIG. 3, the classification rule includes “AP path”, “extension”, “stack trace”, and “decoding operation”. The “AP path” is a path where an arbitrary application is stored. “Extension” is an extension of an encrypted file opened by an arbitrary application.

  The “stack trace” indicates a history of functions, methods, and the like that have been executed in the process of opening an encrypted file of an arbitrary application. “Decryption operation” indicates an instruction as to whether or not the application corresponding to the content described in the classification rule should decrypt the encrypted file in the process of opening the encrypted file.

  The AP 300 is an arbitrary application. In the example illustrated in FIG. 3, the AP 300 is assumed to be a mailer “Mail.exe”.

  The OS 400 is an operating system (Operating System) of the decryption and classification apparatus 10. The OS 400 is, for example, Windows. The HDD 500 is a hard disk drive device (Hard Disk Drive) included in the decryption classification device 10.

  Hereinafter, an operation of classifying the encrypted file to be decrypted by the decryption classification apparatus 10 of the present embodiment will be described with reference to FIG. As shown in FIG. 3, the application operation classification unit 100 detects access to the encrypted file of the AP 300 (step S1).

  Next, the application operation classification unit 100 acquires a path in which the AP 300 that has accessed the encrypted file is stored, and a stack trace related to the access of the AP 300 (step S2).

  Next, the application operation classification unit 100 acquires a classification rule from the classification rule storage unit 200 (step S3). The application operation classification unit 100 checks whether or not a classification rule including the same information as the information acquired in step S2 exists in the acquired classification rule (step S4).

  If a classification rule including the same information does not exist (“No” in step S5), the application operation classification unit 100 determines not to decrypt the encrypted file. Alternatively, the application operation classification unit 100 confirms with the user whether or not to decrypt the encrypted file.

  When a new classification rule is designated by the user, the application operation classification unit 100 stores the designated classification rule in the classification rule storage unit 200. After determining whether or not to decrypt the encrypted file, the decryption and classification apparatus 10 ends the decryption and classification process.

  When a classification rule including the same information exists (“when present” in step S5), the application operation classification unit 100 decrypts the encrypted file according to the content indicated by the “decryption operation” included in the target classification rule. Determine whether or not. After determining whether or not to decrypt the encrypted file, the decryption and classification apparatus 10 ends the decryption and classification process.

  Next, the configuration of the application operation classification unit 100 will be described with reference to the drawings. FIG. 4 is a block diagram illustrating a configuration example of the second embodiment of the application operation classification unit 100.

  As shown in FIG. 4, the application operation classification unit 100 includes a file access detection unit 101, an application information acquisition unit 102, a classification rule acquisition unit 103, a classification rule confirmation unit 104, a confirmation screen display unit 105, a classification A rule storage unit 106, a classification result notification unit 107, and a confirmation screen display switching unit 108 are included.

  The application operation classification unit 100 according to the present embodiment is an application operation that opens an encrypted file is an application operation that permits the decryption of the encrypted file, or an application operation that does not permit the decryption of the encrypted file. It is determined according to the classification rule.

  The file access detection unit 101 has a function of detecting that an “open file” process has been performed in cooperation with a file encryption product intervening in an “open file” process of an arbitrary application. In response to detection by the file access detection unit 101, the decryption classification device 10 starts the decryption classification process.

  The application information acquisition unit 102 has a function of acquiring information used for searching for classification rules. As illustrated in FIG. 3, the information acquired by the application information acquisition unit 102 is, for example, a path in which an application executing the “open file” process is stored or an extension of a file to be processed.

  Also, as shown in FIG. 3, the information acquired by the application information acquisition unit 102 includes a stack trace related to processing of an application that opens an encrypted file. After acquiring the information, the application information acquisition unit 102 instructs the classification rule acquisition unit 103 to acquire the classification rule.

  Note that the application information acquisition unit 102 intervenes in the processing of the application with an API hook or the like, for example, similarly to the file encryption product. By intervening, the application information acquisition unit 102 acquires a stack trace relating to processing of an application for opening a path where an application is stored, an extension of a file to be processed, and an encrypted file.

  When the decoding and classifying apparatus 10 intervenes in the process of CreateFile in the low layer, it can cope with a general-purpose application, so that the process of the intervention target is reduced. However, the purpose of the operation cannot be determined only by referring to the low layer processing. Therefore, the application information acquisition unit 102 of this embodiment uses a stack trace.

  The stack trace is also called a call stack. The call stack (Call Stack) is a stack for storing information regarding a subroutine during execution of a program. The stack trace is data in which information stored in the stack is partially copied.

  When the stack trace is used, the decryption and classification apparatus 10 can confirm the processing process until CreateFile is called. That is, the decoding and classification apparatus 10 can cope with differences in operations of applications while maintaining versatility.

  The classification rule acquisition unit 103 has a function of acquiring a classification rule including the information acquired by the application information acquisition unit 102 from the classification rules stored in the classification rule storage unit 200. FIG. 5 is an explanatory diagram illustrating an example of classification rules stored in the classification rule storage unit 200.

  The form of the classification rule shown in FIG. 5 is the same as the form of the classification rule shown in FIG. That is, as shown in FIG. 5, the classification rule includes “AP path”, “extension”, “stack trace”, and “decoding operation”.

  When acquiring a classification rule, the classification rule acquisition unit 103 may acquire a classification rule including information that completely matches the information acquired by the application information acquisition unit 102. Further, the classification rule acquisition unit 103 may acquire a classification rule including information that partially matches the information acquired by the application information acquisition unit 102.

  After executing the process of acquiring the classification rule, the classification rule acquisition unit 103 instructs the classification rule confirmation unit 104 to confirm the processing result.

  The classification rule confirmation unit 104 confirms the processing result of the classification rule acquisition unit 103. When the confirmed classification rule is acquired, the classification rule confirmation unit 104 determines a decoding operation according to the acquired classification rule. The classification rule confirmation unit 104 instructs the classification result notification unit 107 to notify the determined decoding operation.

  When the confirmed classification rule has not been acquired, the classification rule confirmation unit 104 confirms whether or not the user is set to confirm the decoding operation. When it is set to confirm the decoding operation to the user, the classification rule confirmation unit 104 instructs the confirmation screen display unit 105 to display a confirmation screen.

  If the user is not set to confirm the decoding operation, the classification rule confirmation unit 104 instructs the classification result notification unit 107 to notify that the decoding is not performed.

  The confirmation screen display unit 105 has a function of displaying a confirmation screen that requests the user to input whether or not to decrypt the encrypted file. FIG. 6 is an explanatory diagram illustrating an example of a confirmation screen displayed by the confirmation screen display unit 105. The confirmation screen display unit 105 confirms the necessity of decryption of the encrypted file with the user using the confirmation screen shown in FIG.

  As shown in FIG. 6, the confirmation screen displays an application requesting decryption, a file requested to be decrypted, and a message confirming whether decryption is necessary. When permitting decryption of the encrypted file, the user clicks a “decrypt” button. If the decryption of the encrypted file is not permitted, the user clicks the “Do not decrypt” button.

  Based on the information input from the user, the confirmation screen display unit 105 instructs the classification result notification unit 107 to notify the decoding operation indicated by the input information.

  When the user selects to save the content displayed on the confirmation screen as a classification rule, the confirmation screen display unit 105 receives the information input from the user and then stores the information in the classification rule storage unit 106. Instruct the new classification rule to be saved.

  The case where the user selects to save the content displayed on the confirmation screen as a classification rule is, for example, a case where a check is entered in the check box “Do not confirm next time” shown in FIG. .

  That is, when there is no corresponding classification rule in the classification rule storage unit 200, the confirmation screen display unit 105 newly generates a classification rule by confirming whether or not the encrypted file needs to be decrypted. When a new classification rule is generated, the confirmation screen display unit 105 does not need to confirm again with the user whether or not the decryption is necessary after the initial confirmation regarding the same case. File encryption products and applications operate according to the generated classification rules.

  If there is no corresponding classification rule in the classification rule storage unit 200, the confirmation screen display unit 105 may not perform decryption without confirming whether or not the user needs to decrypt the encrypted file. , And may be operated to be notified to the application. The user can change the action taken by the confirmation screen display unit 105 at any time.

  The classification rule storage unit 106 stores, in the classification rule storage unit 200, a new classification rule generated based on the information acquired by the application information acquisition unit 102 and information input from the user to the confirmation screen display unit 105. It has the function to do. After the storage is completed, the classification rule storage unit 106 instructs the classification result notification unit 107 to notify the decoding operation indicated by the stored classification rule.

  The classification result notification unit 107 has a function of notifying a file encryption product linked with the decryption classification apparatus 10 of the decryption operation of the encrypted file. Information on the decoding operation to be notified is input to the classification result notification unit 107 from any of the classification rule confirmation unit 104, the confirmation screen display unit 105, or the classification rule storage unit 106.

  When a decryption operation “not decrypted” is notified to the file encryption product, the application attempts to open the encrypted file. In the case of a mailer, the file is attached to the outgoing mail in an encrypted state.

  The confirmation screen display switching unit 108 has a function of switching a confirmation screen to be displayed when there is no classification rule in the classification rule storage unit 200. The user can switch the confirmation screen displayed on the confirmation screen display switching unit 108 at an arbitrary timing.

  Generally, it is considered that the number of files that the user opens is smaller than the number of files that the application opens by internal processing. The reason is that a file opened by an application by an internal process includes many files such as a setting file, a log file, and a dll (dynamic link library).

  The confirmation screen display switching unit 108 can instruct the classification rule confirmation unit 104 not to confirm the user other than the encrypted file that is assumed to be opened by the user. That is, since the confirmation screen displayed when the confirmation screen display switching unit 108 is provided is limited, convenience for the user is improved.

[Description of operation]
Hereinafter, the operation of notifying the classification result of the application operation classification unit 100 according to the present embodiment will be described with reference to FIG. FIG. 7 is a flowchart illustrating the operation of the classification result notification process by the application operation classification unit 100 according to the second embodiment.

  First, the file access detection unit 101 detects that the “open file” process has been performed in cooperation with the file encryption product intervening in the “open file” process of an arbitrary application (step S101). .

  Next, the application information acquisition unit 102 acquires information about the application that has performed the “open file” process (step S102). The application information acquisition unit 102 acquires, for example, a path in which an application that has performed “open file” processing is stored, an extension of a file to be processed, and a stack trace related to processing of an application that opens an encrypted file.

  Next, the classification rule acquisition unit 103 acquires a classification rule including the information acquired in step S102 among the classification rules stored in the classification rule storage unit 200 (step S103). Note that the classification rule that is acquired may include information that completely matches the information acquired in step S102, or information that partially matches the information acquired in step S102. May be.

  Next, the classification rule confirmation unit 104 confirms whether or not the classification rule is acquired in step S103 (step S104). When the classification rule is acquired (Yes in step S104), the classification rule confirmation unit 104 confirms the content of the acquired classification rule (step S105). After confirming, the application operation classification unit 100 performs the process of step S110.

  When the classification rule is not acquired (No in step S104), the classification rule confirmation unit 104 confirms whether or not the target encrypted file is set to confirm the decryption operation to the user. The display switching unit 108 is inquired for confirmation (step S106).

  When the target encrypted file is not set to confirm the decryption operation to the user (No in step S106), the application operation classification unit 100 performs the process of step S110.

  When the target encrypted file is set to confirm the decryption operation to the user (Yes in step S106), the confirmation screen display unit 105 determines whether the encrypted file needs to be decrypted to the user. A confirmation screen for requesting input is displayed (step S107).

  The confirmation screen display unit 105 waits for input from the user to the confirmation screen. After the necessity of decryption is input from the user to the confirmation screen, the confirmation screen display unit 105 performs the process of step S108.

  Next, the confirmation screen display unit 105 confirms whether or not the user has selected to save the content displayed on the confirmation screen as a classification rule (step S108). If saving as a classification rule is not selected (No in step S108), the application operation classification unit 100 performs the process of step S110.

  When saving as a classification rule is selected (Yes in step S108), the classification rule storage unit 106 stores the classification rule generated by the confirmation screen display unit 105 in the classification rule storage unit 200 (step S109). .

  For example, the confirmation screen display unit 105 displays a stack trace relating to the path in which the application executing the “open file” process is stored, the extension of the file to be processed, and the process of the application to open the encrypted file, Include in the generated classification rules.

  Next, the confirmation screen display unit 105 adds decryption operation information indicating whether or not to decrypt the encrypted file to the generated classification rule. The classification rule storage unit 106 stores the generated classification rule in the classification rule storage unit 200.

  Next, the classification result notification unit 107 notifies the classification result to the file encryption product with which the decryption classification apparatus 10 cooperates based on the information acquired from the classification rule or the information input from the user (step S110). .

  Specifically, the classification result notifying unit 107 notifies the file encryption product of information on the decryption operation indicating whether or not to decrypt the encrypted file that is the target of the “open file” process. After the notification, the application operation classification unit 100 ends the classification result notification process.

[Description of effects]
The decoding classification apparatus according to the present embodiment can cope with any application. The decryption classifying apparatus classifies the “open file” process performed by the application for each purpose, thereby causing the file encryption product to decrypt only the file that is assumed to be opened by the user. That is, since decryption of a file that is not assumed to be opened by the user is prevented, the decryption and classification apparatus can achieve both improvement in security level and improvement in convenience.

  An encrypted file encrypted by a file encryption product is often a file that can be used by an arbitrary application. A feature of a file encryption product that generates an encrypted file that can be used in an arbitrary application is that the cost for learning the operation method of the encrypted file for the user is low and the convenience is high. That is, the burden on the user when installing the file encryption product is light.

  In order to support arbitrary applications, file encryption products intervene in more general “open file” processes such as Windows API processes, rather than in individual processes for each application. However, it is difficult for a file encryption product that intervenes in a general-purpose “open file” process to determine the purpose of the intervening process.

  Since it is difficult to determine the purpose of the file open process, the file encryption product cannot execute a process that only decrypts a file that is assumed to be opened by the user and does not decrypt other files. In order to protect information from targeted attacks and information leakage unintended by the user, file encryption products are required to decrypt only files that are supposed to be opened by the user.

  The decoding classification apparatus according to the present embodiment can cope with any application. In addition, the decryption and classification device according to the present embodiment classifies the “open file” process of the application for each purpose, thereby decrypting only the file that is assumed to be opened by the user and confirming that the user is opened. Prevent decryption of unexpected files.

  The decryption and classification apparatus of this embodiment can be used for DRM (Digital Rights Management), content security improvement, and security improvement by file encryption.

  In addition, the decoding classification apparatus 10 and the decoding classification apparatus 20 of each embodiment are implement | achieved by CPU (Central Processing Unit) which performs a process according to the program stored in the non-temporary storage medium, for example. That is, the acquisition unit 22, notification unit 23, file access detection unit 101, application information acquisition unit 102, classification rule acquisition unit 103, classification rule confirmation unit 104, confirmation screen display unit 105, classification rule storage unit 106, classification result notification unit 107 The confirmation screen display switching unit 108, the AP 300, and the OS 400 are realized by, for example, a CPU that executes processing according to program control.

  The storage unit 21 is realized by, for example, a RAM (Random Access Memory). Further, the classification rule storage unit 200 may be realized by a RAM.

  In addition, each unit in the decoding and classifying device 10 of each embodiment and each unit in the decoding and classifying device 20 may be realized by a hardware circuit. As an example, the storage unit 21, the acquisition unit 22, the notification unit 23, the file access detection unit 101, the application information acquisition unit 102, the classification rule acquisition unit 103, the classification rule confirmation unit 104, the confirmation screen display unit 105, and the classification rule storage unit 106 The classification result notification unit 107, the confirmation screen display switching unit 108, the classification rule storage unit 200, the AP 300, the OS 400, and the HDD 500 are each realized by LSI (Large Scale Integration). Further, they may be realized by one LSI.

DESCRIPTION OF SYMBOLS 10, 20 Decoding classification | category apparatus 21 Memory | storage part 22 Acquisition part 23 Notification part 100 Application action classification | category part 101 File access detection part 102 Application information acquisition part 103 Classification rule acquisition part 104 Classification rule confirmation part 105 Confirmation screen display part 106 Classification rule preservation | save part 107 Classification result notification unit 108 Confirmation screen display switching unit 200 Classification rule storage unit 300 Application 400 Operating system 500 Hard disk drive

Claims (10)

Storing classification information including processing information that is information relating to processing for opening an encrypted file by an application and decryption information indicating whether to decrypt the encrypted file;
Get processing information of the process to open the encrypted file by the detected application,
Decryption characterized in that the encrypted file in the detected process notifies the decryption means to be decrypted of the decryption information included in the classification information including the acquired processing information among the stored classification information Classification method. The decryption classification method according to claim 1, wherein information indicating an instruction not to decrypt the encrypted file in the detected process in which the classification information including the acquired process information is not stored is notified to the decryption unit. Presenting an input means for inputting information indicating an instruction as to whether or not to decrypt the encrypted file in the detected process in which the classification information including the acquired process information is not stored;
The decoding classification method according to claim 1, wherein information input via the presented input means is notified to the decoding means. The decoding classification method according to claim 3, wherein classification information in which information input through the presented input means is included as decoding information is stored. The decryption classification method according to any one of claims 1 to 4, wherein a process of opening an encrypted file by an application is detected. The decryption classification method according to any one of claims 1 to 5, wherein the processing information includes a stack trace related to processing for opening an encrypted file by an application. A storage unit that stores classification information including processing information that is information related to processing of opening an encrypted file by an application and decryption information that indicates whether to decrypt the encrypted file;
An acquisition unit that acquires processing information of a process of opening an encrypted file by the detected application;
A notification unit for notifying the decryption means that the encrypted file in the process of detecting the decryption information included in the classification information including the acquired processing information among the classification information stored in the storage unit is to be decrypted The decoding classification apparatus characterized by including. The decoding classification apparatus according to claim 7, wherein the notification unit notifies the decryption unit of information indicating an instruction not to decrypt the encrypted file in the detected process in which the classification information including the acquired processing information is not stored in the storage unit. . On the computer,
Storage processing for storing classification information including processing information that is information related to processing for opening an encrypted file by an application and decryption information that indicates whether to decrypt the encrypted file;
An acquisition process for acquiring process information of a process for opening an encrypted file by a detected application, and a process for detecting decryption information included in classification information including the acquired process information out of stored classification information A decryption classification program for executing notification processing for notifying the decryption means that is the decryption target of the encrypted file. On the computer,
The decryption classification program according to claim 9, wherein a notification process for notifying the decryption means of information indicating an instruction not to decrypt the encrypted file in the detected process in which the classification information including the acquired process information is not stored is executed.

Images