JP2020052669A - Terminal device, file analysis device, file analysis system, file analysis method and program - Google Patents

Abstract

To provide a terminal device, a file analysis device, a file analysis system, and a file analysis method capable of easily analyzing a log.SOLUTION: In terminal parts 21 to 23 of a file analysis system 1, a terminal device 53 includes: a security sensor for always monitoring a log and outputting the monitored log; a file generation part for acquiring some of the plurality of logs output from the security sensor and generating a file including the acquired logs; a file transmission part for transmitting the file generated by the file generation part to a file analysis device 11; and a notification control part for receiving the notification of an analysis result of the file transmitted from the file analysis device.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a terminal device, a file analysis device, a file analysis system, a file analysis method, and a program.

2. Description of the Related Art A log analysis system that acquires and analyzes a log generated in a system to be analyzed is known (for example, see Patent Literature 1). The log includes, for example, a log related to security.
In such a log analysis system, a security sensor monitors and detects a log generated in a system to be analyzed. Such monitoring is always performed. In the log analysis system, a system to be analyzed transmits a log detected by a sensor to a log analysis device via a network. In the log analysis system, the log analysis device analyzes the log transmitted from the analysis target system.

However, in order to operate such a log analysis system, a setting for transmitting a log detected by a sensor to a log analysis device is required. The setting includes, for example, a setting for preparing a sensor environment and a setting for preparing a network environment.
Therefore, in order to operate the log analysis system, it takes time and burden to perform such an environment setting operation. In addition, in order to operate the log analysis system, it is necessary to change the environment of the sensor and the environment of the network. was there.

Japanese Patent No. 5640166

  As described above, conventionally, the initial burden for making the log analysis system operable was large.

  In view of such circumstances, embodiments of the present invention provide a terminal device, a file analysis device, a file analysis system, a file analysis method, and a program that can easily perform log analysis.

  The terminal device according to an aspect of the present invention acquires a part of the plurality of logs output from a security sensor that constantly monitors a log and outputs the constantly monitored log, and obtains the acquired log. A file generation unit that generates a file including the log, a file transmission unit that transmits the file generated by the file generation unit to a file analysis device, and a notification of an analysis result of the file sent from the file analysis device. And a notification control unit.

In the terminal device according to an aspect of the present invention, based on information identifying unnecessary logs that are not required to be analyzed, the unnecessary logs may be reduced from the logs included in the file, so that the file And an unnecessary log reduction unit that reduces the amount of log data included in the log.
The terminal device according to an aspect of the present invention includes a log range reduction unit configured to reduce a range of the log included in the file to reduce a data amount of the log included in the file to a predetermined upper limit or less. , May be a configuration.
The terminal device according to an aspect of the present invention may be configured to include an analysis request availability determination unit that determines whether a request for analysis of the file is possible.

A file analyzing device according to an aspect of the present invention includes a receiving unit that receives a file transmitted from a terminal device, a file analyzing unit that analyzes the file received by the receiving unit, and a file analyzing unit that performs analysis by the file analyzing unit. A notification unit that sends a notification of the result of the analysis of the file to the terminal device, wherein the file is a plurality of the security sensors that constantly monitor a log and output the log that is constantly monitored. The log includes a part of the logs.
In the file analysis device according to one aspect of the present invention, the file analysis device further includes a management unit that manages accounting information related to the analysis performed by the file analysis unit, wherein the accounting information includes information on an amount of money according to the number of times of the analysis, The information on the amount of money according to the number of times of the analysis is information on a charged amount according to the number of times of the analysis, or information indicating that the number of times of the analysis is free when the number of times of the analysis is equal to or less than a predetermined number. You may.

  A file analysis system according to an aspect of the present invention is a file analysis system including a terminal device and a file analysis device, wherein the terminal device constantly monitors a log and outputs the constantly monitored log. A file generation unit that obtains a part of the plurality of logs output from the security sensor and generates a file including the obtained log, and the file generated by the file generation unit. A file transmission unit for transmitting to the file analysis device; and a notification control unit for receiving a notification of the analysis result of the file transmitted from the file analysis device, wherein the file analysis device transmits the file transmitted from the terminal device. A receiving unit that receives the file, a file analyzing unit that analyzes the file received by the receiving unit, The results of the notification of the analysis of the file made by Airu analyzer and a notification unit to send to the terminal device.

  In the file analysis method according to one aspect of the present invention, the terminal device constantly monitors a log and acquires a part of the plurality of logs output from a security sensor that outputs the constantly monitored log. And generating a file including the obtained log, transmitting the generated file to a file analyzer, the file analyzer receives the file transmitted from the terminal device, the received file The file is analyzed, a notification of the result of the file analysis is sent to the terminal device, and the terminal device receives a notification of the file analysis result sent from the file analysis device.

  A program according to an aspect of the present invention includes a function of constantly monitoring logs and a function of acquiring a part of the plurality of logs output from a security sensor that outputs the constantly monitored logs. A computer that has a function of generating a file including the log, a function of transmitting the generated file to a file analysis device, and a function of receiving a notification of the analysis result of the file transmitted from the file analysis device. It is a program to make it.

  According to the above-described file analysis system, file analysis device, terminal device, file analysis method, and program, log analysis can be easily performed.

1 is a diagram illustrating a schematic configuration example of a file analysis system according to an embodiment of the present invention. It is a figure showing the example of schematic composition of the terminal unit concerning one embodiment of the present invention. FIG. 3 is a diagram illustrating a schematic configuration example of a file according to an embodiment of the present invention. FIG. 5 is a diagram illustrating an example of information indicating a file analysis result according to an embodiment of the present invention. FIG. 7 is a diagram illustrating another example of information indicating a file analysis result according to an embodiment of the present invention. FIG. 5 is a diagram illustrating an example of information indicating a range of a log in which a file can be analyzed according to an embodiment of the present invention. It is a figure showing an example of contract information concerning one embodiment of the present invention. It is a figure showing an example of a procedure of processing performed in a terminal unit concerning one embodiment of the present invention. It is a figure showing an example of a procedure of processing performed in a terminal unit concerning one embodiment of the present invention. It is a figure showing an example of a procedure of processing performed in a terminal unit concerning one embodiment of the present invention. It is a figure showing an example of a procedure of processing performed in a terminal unit concerning one embodiment of the present invention. FIG. 7 is a diagram illustrating an example of a procedure of a process performed in the file analysis device according to the embodiment of the present invention. FIG. 7 is a diagram illustrating an example of a procedure of a process performed in the file analysis device according to the embodiment of the present invention. FIG. 7 is a diagram illustrating an example of a procedure of a process performed in the file analysis device according to the embodiment of the present invention. FIG. 1 is a diagram illustrating an example of a hardware configuration of an information processing apparatus according to an embodiment of the present invention.

  An embodiment of the present invention will be described in detail with reference to the drawings.

[File analysis system]
FIG. 1 is a diagram showing a schematic configuration example of a file analysis system 1 according to an embodiment of the present invention. The configuration of the functional blocks illustrated in FIG. 1 is an example, and another configuration may be used.
The file analysis system 1 includes an analysis unit 11, a plurality of terminals 21 to 23, and a network 31.
The terminals 21 to 23 and the analyzer 11 are communicably connected via the network 31.

Here, each of the terminal units 21 to 23 is managed by a different management entity. The management entity may be, for example, an organization such as a company or a school, or may be an individual. When the management subject is an organization, a person belonging to the organization manages the terminal units 21 to 23. When the management subject is an individual, a person corresponding to the individual manages the terminal units 21 to 23. In the present embodiment, a person who manages each of the terminal units 21 to 23 may be called a user.
Note that two or more terminal units among the plurality of terminal units 21 to 23 may be managed by the same management entity. The two or more terminal units may be a part of the plurality of terminal units 21 to 23, or may be all.

The number of terminals 21 to 23 may be one or more.
In the present embodiment, for convenience of description, the configurations and operations of the plurality of terminal units 21 to 23 are the same except that the management entities of the respective terminal units 21 to 23 may be different. For this reason, in the present embodiment, one terminal unit 21 will be described as a representative.
In addition, an aspect in which the configuration or operation of each of the terminal units 21 to 23 is different may be used.

In the present embodiment, the analysis unit 11 performs the same operation on each of the plurality of terminals 21 to 23 except that the management entity of each of the terminals 21 to 23 may be different.
Note that the analysis unit 11 may be configured to perform different operations for each of the plurality of terminal units 21 to 23.

In the present embodiment, the analysis unit 11 is common to the plurality of terminals 21 to 23.
The file analysis system 1 may include a plurality of analysis units 11. In this case, the plurality of analyzers 11 operate by sharing the plurality of terminals 21 to 23.
Here, the analysis unit 11 may be regarded as, for example, an apparatus or a system.
Further, the terminal unit 21 may be regarded as, for example, an apparatus or a system.

The network 31 may be any network. The network 31 may be, for example, the Internet or a dedicated network.
The communication between each of the terminal units 21 to 23 and the analysis unit 11 may be, for example, wired communication, wireless communication, or both wired communication and wireless communication. May be included in combination.

[Overview of Terminal]
The terminal unit 21 will be described as a representative.
The terminal unit 21 includes a log detection device 51, a log management device 52, and a terminal device 53.
The log management device 52 includes a storage unit 151.
Although the example of FIG. 1 shows a configuration in which each of the log detection device 51, the log management device 52, and the terminal device 53 is connected to the network 31, the configuration is not limited to this.

The log detection device 51 detects a predetermined log. In the present embodiment, the log detection device 51 constantly monitors a predetermined target and detects a log of the target. In the present embodiment, the log is a log related to security (security log), for example, a log targeted for communication via the network 31.
The log detection device 51 may be configured using, for example, a sensor that detects a predetermined log. In the present embodiment, the log detection device 51 detects a log related to communication performed by the terminal device 53. The log detection device 51 outputs the detected log. In the present embodiment, the log detection device 51 transmits the detected log to the log management device 52.
In the present embodiment, the log detecting device 51 does not store the detected log. As another example, the log detection device 51 may include a storage unit that stores the detected log.

The log management device 52 stores the log detected by the log detection device 51 in the storage unit 151 and manages the log.
Here, the log management device 52 may store the logs detected by the log detection device 51 in the storage unit 151 for each predetermined unit. The predetermined group may be, for example, a group of logs in which a log detection time is included in a predetermined period. The predetermined group may be generated, for example, as a file. The predetermined period may be, for example, a period of one day.
The log management device 52 may be configured using, for example, a log management server device that stores and manages logs.
The log detection device 51 or the log management device 52 may use, for example, a syslog which is a communication protocol for recording a log of the computer system.

The terminal device 53 is configured using, for example, an information processing device operated by a user. The information processing device is, for example, a computer. The computer may be, for example, a desktop computer, a notebook computer, a mobile phone computer, or a smartphone computer.
The terminal device 53 generates a predetermined file including at least a part of the log stored in the storage unit 151 of the log management device 52 based on the log stored in the storage unit 151 of the log management device 52. The terminal device 53 transmits the generated file to the analysis unit 11 via the network 31.
The terminal device 53 receives the electronic mail transmitted from the analysis unit 11 via the network 31.
Further, the terminal device 53 acquires the information of the Web page provided by the analysis unit 11.

[Overview of File Analysis Department]
The analysis unit 11 includes a file analysis device 41, a Web server device 42, and a mail server device 43.
In the example of FIG. 1, a configuration is shown in which each of the file analysis device 41, the Web server device 42, and the mail server device 43 is connected to the network 31, but is not limited thereto.

The file analysis device 41 includes a storage unit 111, a communication unit 112, a file inspection unit 113, a file analysis unit 114, a notification unit 115, and a management unit 116.
The communication unit 112 includes a receiving unit 121.
The file inspection unit 113 includes a decryption unit 131 and a decompression unit 132.
In the present embodiment, the description will be made using the words “compression” and “decompression”. However, for example, a word such as “decompression” may be used instead of “decompression”.

The outline of the operation performed in the file analysis device 41 will be described.
The storage unit 111 stores various information.
The communication unit 112 performs information communication. In the present embodiment, the communication unit 112 performs communication via the network 31.
The receiving unit 121 receives the file transmitted from the terminal device 53 to the analyzing unit 11 via the network 31. The receiving unit 121 outputs the received file to the file checking unit 113. In the present embodiment, the terminal device 53 transmits the file to the file analysis device 41.

The file checking unit 113 inputs the file output from the receiving unit 121. The file inspection unit 113 performs an inspection to determine whether or not a predetermined condition (for convenience of description, “inspection condition”) is satisfied for the input file. If the file inspection unit 113 determines that the inspection condition is satisfied for the input file, the file inspection unit 113 outputs the file to the file analysis unit 114. On the other hand, if the file inspection unit 113 determines that the inspection condition is not satisfied for the input file, the file inspection unit 113 outputs predetermined information (also referred to as “inspection error information” for convenience of explanation) to the notifying unit 115. .
In the present embodiment, the storage unit 111 stores information for specifying an inspection condition. The file inspection unit 113 acquires an inspection condition based on the information.

Here, in the present embodiment, the file transmitted from the terminal device 53 to the file analysis device 41 is in a state where the compressed file is encrypted after the information of the file is compressed.
In the file inspection unit 113, the input file is in an encrypted state, and the decryption unit 131 decrypts the file. In the file inspection unit 113, the information of the decrypted file is compressed, and the decompression unit 132 decompresses the information. Thus, the compressed and encrypted file is converted into a file before being compressed and encrypted (for convenience of description, also referred to as an “original file”). The file inspection unit 113 performs a predetermined inspection on the original file obtained as a result. When determining that the inspection condition is satisfied, the file inspection unit 113 outputs such an original file to the file analysis unit 114.

Any conditions may be used as the inspection conditions.
The inspection conditions include, for example, a condition that the data amount of a log included in a file to be analyzed once is equal to or less than a predetermined upper limit, or a condition that the size of a file to be analyzed once is equal to or smaller than the predetermined upper limit. The condition that there is, or both conditions may be included.
The inspection condition may include, for example, a condition that the file to be analyzed is not affected by a computer virus. Note that whether or not the file to be analyzed is affected by a computer virus may be determined using, for example, anti-virus software.
The inspection condition may include, for example, a condition that the file to be analyzed is a file of a predetermined format.
The inspection condition may include, for example, a condition that a file to be analyzed includes predetermined information. The predetermined information may be, for example, information indicating that the file is transmitted from the legitimate terminal device 53.

The file analysis unit 114 inputs the file output from the file inspection unit 113. The file analysis unit 114 analyzes the input file based on predetermined conditions (for convenience of explanation, also referred to as “analysis conditions”). The file analysis unit 114 outputs, to the notification unit 115, predetermined information (for convenience of explanation, also referred to as “analysis result information”) on the result of analyzing the input file.
In the present embodiment, the storage unit 111 stores information specifying analysis conditions. The file analysis unit 114 acquires an analysis condition based on the information.

Arbitrary conditions may be used as analysis conditions.
As the analysis condition, for example, a condition for determining whether or not there is a problem with a log included in a file to be analyzed may be used. The problem may be, for example, a computer virus or another event.
The analysis conditions include, for example, “when information identifying a transmission source included in a log, information identifying a transmission destination included in a log, or other information included in a log matches predetermined information. , A condition for determining that there is a problem "may be used. As the analysis condition, for example, a condition described in a blacklist in which a condition of a log to be determined as having a problem is listed may be used. The condition to be determined to have a problem may be referred to as a “rule”, for example.
When a plurality of types of logs can be included in a file to be analyzed, for example, the file analysis unit 114 determines the type of each log. In this case, the information of each log includes information specifying the type of the log. As another example, such a log type may be determined by the file inspection unit 113 instead of the file analysis unit 114.

When the inspection error information is input from the file inspection unit 113, the notification unit 115 notifies the terminal device 53 of predetermined information based on the inspection error information. As the predetermined information, information for notifying the terminal device 53 of information regarding an error in the inspection is used, and arbitrary information may be used.
When the analysis result information is input from the file analysis unit 114, the notification unit 115 notifies the terminal device 53 of predetermined information based on the analysis result information. As the predetermined information, information for notifying the terminal device 53 of information on the analysis result is used, and arbitrary information may be used.

Here, an arbitrary method may be used as a method of notifying information to the terminal device 53 from the notification unit 115.
In the present embodiment, when information to be notified to the terminal device 53 occurs, the notification unit 115 creates an email addressed to the terminal device 53 and transmits the created email to the mail server device 43. In this case, the notification unit 115 includes information of an access destination accessible from the terminal device 53 in the electronic mail. The information may be, for example, a URL (Uniform Resource Locator).
The notification unit 115 generates a Web page corresponding to the access destination information included in the e-mail, and transmits the generated Web page information to the Web server device 42. The notification unit 115 includes information to be notified to the terminal device 53 in the Web page.

The mail server device 43 receives the electronic mail transmitted from the notification unit 115. The mail server device 43 transmits the received electronic mail to the destination of the electronic mail. In the present embodiment, an e-mail addressed to the terminal device 53 is transmitted from the mail server device 43 to the terminal device 53 via the network 31.
The Web server device 42 receives the Web page information transmitted from the notification unit 115. The Web server device 42 provides the Web page in a viewable manner based on the received information. In the present embodiment, the Web server device 42 provides the Web page to the terminal device 53 in a viewable manner in response to the access from the terminal device 53.

The management unit 116 performs various types of management on the terminal device 53.
In the present embodiment, in the analysis unit 11, there may be a case where the information of the terminal device 53 is unknown and a case where the information of the terminal device 53 is known.
In the present embodiment, when a contract regarding the service is concluded between the management entity of the terminal device 53 and the management entity providing the file analysis service by the analysis unit 11, the terminal device 53 Information is set in the analysis unit 11. The information may be stored in the storage unit 111, for example. The information may include, for example, information specifying the terminal device 53. The information may include an e-mail address of the terminal device 53.
On the other hand, in the present embodiment, when such a contract has not been concluded, the information of the terminal device 53 is unknown in the analysis unit 11.

Here, the information of the terminal device 53 set for the contract includes, for example, information for specifying a range of file analysis that can receive the service, or information on a fee required for receiving the service (for convenience of explanation) , "Charging information").
The range of the file analysis that can receive the service may be set using, for example, one or more of the data amount, the number of times, the period, and the like. The range of file analysis in which the service can be received is, for example, an upper limit value for the sum of data amounts of all logs to be analyzed in a predetermined period, an upper limit value for the data amount of logs to be analyzed once, It may be specified using one or more of the upper limit of the number of times that the file analysis service can be received in a predetermined period.

As an example, the service may be charged for a fixed amount.
As another example, the service may be charged on a pay-as-you-go basis. In this case, the management unit 116 stores and manages information for determining a fee to be charged in the storage unit 111 for the service provided to the terminal device 53. The information may be, for example, one or more of the sum of the data amounts of logs that have received the file analysis service during the predetermined period, the number of times that the file analysis service has been received during the predetermined period, and the like. For example, an amount of money may be charged according to the amount of data or the number of times using file analysis. Further, for example, a service that provides free up to a predetermined amount of data using file analysis or a service that provides free up to a predetermined number of times using file analysis may be performed.
Further, the management unit 116 may store information for specifying the fee currently charged for the terminal device 53 in the storage unit 111 and manage the information.

As a specific example, the management unit 116 manages charging information related to file analysis performed by the file analysis unit 114. The billing information includes information on the amount of money according to the number of times of file analysis. The information on the amount of money according to the number of times of file analysis is, for example, information on a charged amount of money according to the number of times of file analysis, or information indicating that the number of times of file analysis is free when the number of times is equal to or less than a predetermined number.
Here, a specific example of the charging according to the number of times of the file analysis has been described, but the same applies to the charging according to the data amount of the file analysis.

[Details of terminal device]
FIG. 2 is a diagram illustrating a schematic configuration example of the terminal device 53 according to an embodiment of the present invention. The configuration of the functional blocks shown in FIG. 2 is an example, and another configuration may be used.
The terminal device 53 includes an input unit 211, an output unit 212, an operation unit 213, a display unit 214, a communication unit 215, a storage unit 216, and a control unit 217.
The control unit 217 includes a log acquisition unit 231, a file condition acquisition unit 232, a file condition determination unit 233, a log reduction unit 234, a file generation unit 235, a compression unit 236, an encryption unit 237, and a notification control. And an analysis request availability determination unit 239.

The input unit 211 inputs information output from an external device.
The output unit 212 outputs information to an external device.
Here, the external device may be any device. The external device may be, for example, a portable recording medium. The external device may be, for example, a printing device.
The operation unit 213 inputs information corresponding to an operation performed by the user. The operation unit 213 may include, for example, a keyboard or a mouse.
The display unit 214 has a screen and outputs information to the screen. Thereby, the information is displayed on the screen.

The communication unit 215 performs communication via the network 31. In the present embodiment, the terminal device 53 is communicably connected to the network 31 by the communication unit 215.
Note that the terminal device 53 may be connected to the network 31 via the log detection device 51. In this case, the communication unit 215 outputs the signal to be transmitted to the network 31 via the log detection device 51. In this case, the log detection device 51 receives the signal output from the communication unit 215 and outputs the input signal to the network 31. In this case, the communication unit 215 inputs a signal from the network 31 via the log detection device 51. In this case, the log detection device 51 inputs a signal from the network 31 and outputs the input signal to the communication unit 215.

The storage unit 216 stores various types of information.
The control unit 217 performs various controls in the terminal device 53.

The log acquisition unit 231 acquires a log. In the present embodiment, the log acquisition unit 231 acquires a predetermined log from the logs stored in the log management device 52.
The file condition acquisition unit 232 acquires a file condition (also referred to as a “file condition” for convenience of description).
In the present embodiment, the storage unit 216 stores information for specifying a file condition. The file condition acquisition unit 232 acquires a file condition based on the information.
The file condition determining unit 233 determines whether or not the file condition to be determined is satisfied, based on the file condition acquired by the file condition acquiring unit 232.

Here, in the present embodiment, the file condition includes at least a condition of an upper limit value of an allowable data amount for log information included in a file to be analyzed once.
When the number of files to be analyzed at one time is one, the upper limit of the allowable data amount is the upper limit value of the allowable data amount of the log information included in one file. .
If the number of files to be analyzed at one time is a predetermined number, which is a plurality of files, the upper limit of the allowable data amount is the data allowable for the total sum of log information included in the predetermined number of files. It is the upper limit of the amount.

The log reduction unit 234 performs a process of reducing unnecessary logs (also referred to as “unnecessary logs” for convenience of explanation) as an analysis target (also referred to as “unnecessary log reduction processes” for convenience of description) and an analysis. A process of reducing logs to be analyzed by limiting the range of logs to be targeted (for convenience of description, also referred to as “log range”) (also referred to as “log range reduction process” for convenience of description) is performed. Has functions. Thereby, the log reduction unit 234 reduces the data amount of the log to be analyzed. In this embodiment, when the data amount of the log included in the file increases, the size of the file increases, or the number of the files increases.
In the present embodiment, the log reduction unit 234 always performs unnecessary log reduction processing when a file to be analyzed is generated.
Further, in the present embodiment, the log reduction unit 234 determines whether or not the information of the log to be included in the file to be analyzed once when the data amount exceeds the upper limit of the allowable data amount. Perform range reduction processing.

  Note that, as another configuration example, the log reduction unit 234 may be configured to determine whether the data amount of the log information scheduled to be included in the file to be analyzed once is equal to or less than the allowable data amount upper limit value. Alternatively, the unnecessary log reduction processing need not be performed. Then, the log reduction unit 234 performs unnecessary log reduction processing on the information of the log scheduled to be included in the file to be analyzed once when the data amount exceeds the upper limit of the allowable data amount. You may. In this case, even after the unnecessary log reduction process, the log reduction unit 234 determines that the data amount of the log information to be included in the file to be analyzed once exceeds the upper limit of the allowable data amount. In this case, a log range reduction process is performed.

The file generation unit 235 generates a file including the information by using information of a log to be included in a file to be analyzed once. The information is, for example, a case where the information is not reduced by the log reduction unit 234 and a case where the information is reduced by the log reduction unit 234.
Note that, as an example, the file generation unit 235 converts a set of logs (for example, a set of files) stored in the storage unit 151 of the log management device 52 for each predetermined period into a file generated by the file generation unit 235. As may be used. At this time, the file generation unit 235 may change the format or the like of a group of logs (for example, a group of files) for each predetermined period stored in the storage unit 151 of the log management device 52.
As another example, the file generation unit 235 generates a log of which a part of logs has been reduced from a group of logs (for example, a group of files) stored for a predetermined period stored in the storage unit 151 of the log management device 52. A file may be generated using a set.

The compression unit 236 compresses the file generated by the file generation unit 235.
The encryption unit 237 encrypts the file compressed by the compression unit 236.
The control unit 217 transmits the file encrypted by the encryption unit 237 to the file analysis device 41 via the network 31 by the communication unit 215.

Here, the information encrypted by the encryption unit 237 of the terminal device 53 is returned to the original information by the decryption performed by the decryption unit 131 of the file analysis device 41.
The information compressed by the compression unit 236 in the terminal device 53 is returned to the original information by the decompression performed by the decompression unit 132 in the file analysis device 41.

The notification control unit 238 performs a process for receiving the content of the notification performed by the notification unit 115 of the file analysis device 41.
In the present embodiment, the notification control unit 238 receives, by the communication unit 215, an electronic mail transmitted from the mail server device 43 to the terminal device 53 via the network 31. In addition, the notification control unit 238 accesses the access destination Web page described in the received e-mail, and acquires information on the Web page provided by the Web server device 42. This access may be performed, for example, in response to an operation of the operation unit 213 performed by the user.

  The analysis request availability determination unit 239 determines whether it is possible to make a file analysis request from the terminal device 53 to the file analysis device 41 based on a predetermined condition (for convenience of explanation, referred to as “analysis request condition”). Is determined. Any condition may be used as the analysis request condition, and for example, a condition relating to one or more of the data amount, the number of times, the period, and the like may be used.

Here, in the present embodiment, the analysis request availability determination unit 239 determines that a contract regarding the service has been concluded between the management entity of the terminal device 53 and the management entity that provides the file analysis service by the analysis unit 11. If there is, such a determination is made. The analysis request availability determination unit 239 determines whether it is possible to make a file analysis request from the terminal device 53 to the file analysis device 41 based on the contents of the contract and the usage status of the service in the terminal device 53. Is determined.
For example, the storage unit 216 stores information for specifying the terminal device 53 with which the contract has been concluded, information for specifying the content of the contract, and information for specifying the service use status of the terminal device 53. The information for specifying the terminal device 53 may include, for example, an e-mail address of the terminal device 53.
From the viewpoint of the management entity that provides the file analysis service by the analysis unit 11, the management entity of the terminal device 53 with which the contract regarding the service is concluded is the customer. The management entities of the plurality of terminals 21 to 23 may be different customers.

[File]
FIG. 3 is a diagram illustrating a schematic configuration example of the file 1011 according to the embodiment of the present invention.
The file 1011 includes a header and a plurality of pieces of log information.
The log information may include, for example, one or more pieces of information such as date and time of occurrence, signature, information for identifying a transmission source, information for identifying a transmission destination, and an error code. As the information for identifying the transmission source and the information for identifying the transmission destination, for example, an IP (Internet Protocol) address may be used. These pieces of information may be included in a header, for example.
The header may include, for example, an e-mail address of the terminal device 53.

Note that, in the example of FIG. 3, a configuration example in which a plurality of pieces of log information are included in the file 1011 is illustrated. Is also good.
When a plurality of files 1011 form a single analysis target, for example, the header of each of the files 1011 may include information identifying such a collection.

FIG. 4 is a diagram illustrating an example of information indicating a file analysis result according to an embodiment of the present invention.
FIG. 4 shows an example of the display content 2011 displayed on the screen by the display unit 214 of the terminal device 53 based on the Web page provided by the Web server device 42.
In the example of FIG. 4, in the display content 2011, character information "No problem was detected" is displayed as "File analysis result". That is, a case where no problem is detected as a result of the file analysis is shown. The display content 2011 in such a case may be another content.

FIG. 5 is a diagram illustrating another example of the information indicating the file analysis result according to the embodiment of the present invention.
FIG. 5 shows an example of the display content 2111 displayed on the screen by the display unit 214 of the terminal device 53 based on the Web page provided by the Web server device 42.
In the example of FIG. 5, in the display content 2111, character information "The following problem has been detected ..." is displayed as the "file analysis result". That is, a case where a problem is detected as a result of the file analysis is shown. In this case, the content of such a display may be regarded as a warning (alert). The display content 2111 in such a case may be another content.
The “problem” in the result of the file analysis may be called, for example, “incident” or “abnormal”.

[Reduction of logs to be analyzed: unnecessary log reduction processing]
The log reduction unit 234 reduces unnecessary logs among logs acquired by the log acquisition unit 231 to reduce logs to be analyzed.
In the present embodiment, in the terminal device 53, information that specifies a log that does not need to be analyzed is stored in the storage unit 216.

Here, logs that do not need to be analyzed may be arbitrarily determined.
As an example, logs that do not need to be analyzed may be determined using a list including information that specifies one or more logs that do not need to be analyzed. The list may be called a whitelist. The log reduction unit 234 reduces, from the logs to be analyzed, the logs that need not be analyzed among the logs obtained by the log obtaining unit 231 based on the contents of the list.

[Reduction of logs to be analyzed: Log range reduction processing]
In the present embodiment, the file condition includes at least an upper limit value of the log data amount that can be subjected to one analysis.
In the present embodiment, in the terminal device 53, the file condition determination unit 233 determines that a log that is a candidate of one analysis target is a determination target log, and the sum of the data amount of the log is equal to or less than a predetermined upper limit value. Is determined.
As a result, if the total data amount of the log exceeds a predetermined upper limit, the log reduction unit 234 deletes a part of the log that is a candidate for one analysis from the candidate. Thus, logs that are candidates for one analysis are reduced.

In the present embodiment, the log reduction unit 234 deletes a part of the log that is a candidate for analysis from the candidate, but the log itself is stored in the storage unit 151 of the log management device 52. It is kept stored.
Further, in the present embodiment, a case is shown in which both the unnecessary log reduction processing and the log range reduction processing are performed, but any one of the unnecessary log reduction processing and the log range reduction processing is performed independently of the other. May be.

FIG. 6 is a diagram illustrating an example of information indicating a log range in which file analysis is possible according to an embodiment of the present invention.
FIG. 6 shows an example of display content 2211 displayed on the screen by the display unit 214 of the terminal device 53 in order to present a range of logs that can be subjected to one analysis.
In the example of FIG. 6, the period is “2018/7/10 13:00 to 2018/7/12 15:45”, and if the sensor is “Sensor A”, it indicates that file analysis is possible. I have.

Here, the period indicates a period that should include the date and time when the log is generated. “2018/7/10 13:00 to 2018/7/12 15:45” shown in FIG. 6 is from 13:00 on July 10, 2018 to 15:45 on July 12, 2018. Represents a period.
In the example of FIG. 6, the period is a group of continuous periods; however, two or more discrete groups of periods may be used.
Normally, when the range of the period is shortened from the range of a certain period, the total amount of log data also decreases.

The sensor indicates the sensor that detected the log. “Sensor A” illustrated in FIG. 6 indicates a sensor of the log detection device 51, for example.
As the sensor, for example, one sensor may be specified, or two or more sensors may be specified. Usually, when the number of sensors is reduced from a certain number of sensors, the total amount of log data is also reduced.

  In the present embodiment, in the terminal device 53, the file condition acquisition unit 232, the file condition determination unit 233, and the log reduction unit 234 automatically execute their respective processes without an explicit instruction from the user. Thus, the terminal device 53 automatically reduces the number of logs to be analyzed before the file to be analyzed is generated. Then, the display content 2211 shown in FIG. 6 is displayed to the user. That is, the range of logs that can be analyzed in terms of the amount of data is presented to the user as the recommended range of logs.

Here, in the terminal device 53, for example, the condition of the range of the log to be displayed initially is set. The condition may be any condition. Information for specifying the condition is stored in the storage unit 216.
For example, in the condition, an end point may be set for a period from the start to the end. As an example, the end time point is a rule set to a time point at which the process of displaying the log range is initially performed (that is, the current time point) or a rule set to a time point a predetermined time before the time point. May be set based on In this case, the log reduction unit 234 can extract a log having a predetermined data amount as an analysis target by retroactively setting the log at the set end point as the latest log and going back to the older log (start point) from the log. is there.
Further, for example, the condition may be such that one or more predetermined sensors are defined for the sensors. As an example, the predetermined sensor may be set based on a rule that it is set to a predetermined “sensor A”.

The terminal device 53 may change part or all of the range of the log by the control unit 217 according to the operation of the operation unit 213 performed by the user.
In this case, when the file condition determination unit 233 determines that the range of the log changed by the user operation is within the range of the log that can be subjected to one analysis, Approve changes by the user.

On the other hand, if the file condition determination unit 233 determines that the range of the log after being changed by the user operation exceeds the range of the log that can be subjected to one analysis, The log is reduced by the log reduction unit 234. At this time, the log reduction unit 234 does not change, for example, a portion changed by a user operation. That is, the change by the user is prioritized. Then, the control unit 217 displays the range of the log obtained as a result of the log reduction on the screen of the display unit 214.
If the file condition is not satisfied unless the part changed by the user operation is changed, the control unit 217 may display information indicating an error on the screen of the display unit 214.

With such a configuration, for example, even if the user does not know the range of logs that can be subjected to one analysis, an appropriate range of logs is presented by the terminal device 53, and A range of logs can be used.
Further, for example, even when the user changes the range of the log presented by the terminal device 53 to an impossible log range according to the request of the user, the log range is adjusted again by the terminal device 53. This is very convenient because a new log range is presented.

The display content 2211 shown in FIG. 6 includes a predetermined button 2221 indicating “upload”.
The user can press the button 2221 on the screen (for example, click with a mouse) by operating the operation unit 213 of the terminal device 53. When the button 2221 is pressed, the range of the log displayed at that time is adopted, a file including the log within the range is generated, and the generated file is transmitted from the terminal device 53 via the network 31. And transmitted to the file analyzer 41.

  In the present embodiment, “period” and “sensor” are used as parameters for determining the log range, but other parameters may be used.

[Contract Details]
FIG. 7 is a diagram illustrating an example of the contract information 3011 according to an embodiment of the present invention.
In the example of FIG. 7, the contract information 3011 associates the customer identification information with the contents of the contract. The content of the contract is, for example, the number of times, capacity, period, and the like.
In the example of FIG. 7, the contract information 3011 includes the contents of the contract of the customer as well as the usage status of the contract. As another example, the contents of the contract of the customer and the usage status related to the contents of the contract may be separately managed.

  The customer identification information may be, for example, number information. In the present embodiment, the terminal device 53 of each customer is identified by the identification information of the customer. In the example of FIG. 7, information such as “001”, “002”, and “003” is used as the identification information.

The number of times indicates the maximum number of times that the terminal device 53 of each customer can receive the file analysis service. In the example of FIG. 7, information such as “2/10” is used as the number of times. For example, “2/10” indicates that the maximum number of times is 10, and that 2 times have already been performed.
The capacity indicates the total capacity of the data amount that can receive the file analysis service for the terminal device 53 of each customer. In the example of FIG. 7, information such as "300/1000" is used as the capacity. For example, “300/1000” indicates that the maximum capacity is 1000 Gbytes, of which 300 Gbytes of service have already been performed.
The period represents a period during which the terminal device 53 of each customer can receive the file analysis service. In the example of FIG. 7, information such as “2018/1/1 to 2018/12/31” is used as the period. For example, “2018/1/1 to 2018/12/31” indicates that a period from January 1, 2018 to December 31, 2018 is a valid period.

In the present embodiment, in the file analysis device 41, the management unit 116 manages the contract information 3011. For example, the contract information 3011 is stored in the storage unit 111.
Further, in the present embodiment, in the terminal device 53, information of a part corresponding to the customer of the terminal device 53 in the contract information 3011 is stored in the storage unit 216. That is, the file analysis device 41 manages information on a plurality of customers, but the terminal device 53 of each customer manages information on the customers.

[Access to file analyzer from terminal device]
The method for accessing the file analysis device 41 from the terminal device 53 is not particularly limited.
As an example, the terminal device 53 accesses a Web page that can be browsed by the management entity that provides the file analysis service by the analysis unit 11. The Web page may be provided by the Web server device 42, for example.
The terminal device 53 may access the Web page in response to, for example, an operation of the operation unit 213 performed by a user.
The terminal device 53 may be accessed from the file analysis device 41 when, for example, a contract for receiving a file analysis service is concluded. In this case, in the file analysis device 41, information specifying the terminal device 53 is stored in the storage unit 111, and the management unit 116 accesses the terminal device 53 based on the information.

  In the file analysis service, the terminal device 53 and the file analysis device 41 may execute processing on demand. For example, in response to a request issued from the terminal device 53, a process for satisfying the request may be executed by the file analysis device 41.

[Dedicated tool for file analysis]
The terminal device 53 may be provided with a dedicated tool (also referred to as a “dedicated tool” for convenience of explanation) for receiving a file analysis service. The dedicated tool may be software. The software may be a program.
In the terminal device 53, the software is stored in, for example, the storage unit 216. Then, the terminal device 53 performs processing based on the content of the software.

The dedicated tool is distributed to the management entity of the terminal device 53 by, for example, an administration entity that provides a file analysis service by the analysis unit 11. For example, the dedicated tool may be stored in a recording medium and distributed, or may be transmitted (downloaded) from the file analysis device 41 or the like to the terminal device 53 via the network 31. In the terminal device 53, for example, the program which is the dedicated tool is installed and made available.
The dedicated tool may be distributed free of charge, for example, or may be distributed for a fee.
In addition, the dedicated tool may be distributed to, for example, a person who has contracted to receive a file analysis service, or may be distributed to any person without such a contract.

If the terminal device 53 includes a dedicated tool, the file analysis device 41 may be accessed by the function of the dedicated tool. The destination of the access may be a predetermined Web page.
When the terminal device 53 has a dedicated tool, the communication from the file analysis device 41 to the terminal device 53 may be communication using electronic mail or communication using Web push notification.

In the example of FIG. 2, the function of the file condition acquisition unit 232 and the function of the file condition determination unit 233 in the terminal device 53 may be included in, for example, a function realized by a dedicated tool. In this case, for example, when the dedicated tool is not provided in the terminal device 53, the function of the file condition acquisition unit 232 and the function of the file condition determination unit 233 may not be provided in the terminal device 53.
In this case, in the terminal device 53, for example, when processing similar to these functions is performed, the processing is performed in accordance with the operation of the operation unit 213 performed by the user. That is, processing similar to these functions is performed by a user's manual operation.

Similarly, in the example of FIG. 2, the function of the log reduction unit 234 in the terminal device 53 may be included in, for example, a function realized by a dedicated tool. In this case, for example, in a state where the dedicated tool is not provided in the terminal device 53, the function of the log reduction unit 234 may not be provided in the terminal device 53.
In this case, in the terminal device 53, for example, when performing a process similar to the function, the terminal device 53 performs the process according to an operation of the operation unit 213 performed by the user. That is, the same processing as the function is performed by a manual operation of the user.

Similarly, in the example of FIG. 2, one or more of the functions of the compression unit 236, the function of the encryption unit 237, the analysis request availability determination unit 239, and the function of the file generation unit 235 in the terminal device 53 are, for example, , May be included in the function realized by the dedicated tool. In this case, for example, in a state where the dedicated tool is not provided in the terminal device 53, the terminal device 53 may not have the corresponding function.
In this case, in the terminal device 53, for example, when performing a process similar to the function, the terminal device 53 performs the process according to an operation of the operation unit 213 performed by the user. That is, the same processing as the function is performed by a manual operation of the user.

Further, the dedicated tool may realize other functions.
Here, when the dedicated tool stores and manages information to be referred to for realizing a predetermined function in the storage unit 216 or the like, for example, the information is automatically transmitted in response to a request from the file analyzer 41 or the like. It may be updated. The information may be, for example, whitelist information. The information in the terminal device 53 may be automatically updated, for example, periodically or when information as a source of the information changes. As a result, the information is shared between the terminal device 53 and the file analysis device 41, is kept the same information, and is kept at the latest information. The update of the information may be performed by, for example, a dedicated tool.

The dedicated tool may have a function of performing compression in a unique format as a function of the compression unit 236. In this case, the file analyzer 41 has a function of decompressing in a format suitable for the format as a function of the decompression unit 132. In the file analysis system 1, the use of such a unique format can reduce security risks.
As an example, when compressing a file in a unique format, the dedicated tool may write predetermined information in a header or the like that can be read even if the compressed file is not decompressed. In this case, in the file analysis device 41, when the file inspection unit 113 determines that the predetermined information included in the compressed file is predetermined information, the compressed file is safe. Assume that there is. The predetermined information may be any information, for example, information indicating that the information has been compressed by the dedicated tool.

  Similarly, the dedicated tool may include, as a function of the encryption unit 237, a function of performing encryption in a unique format. In this case, the file analysis device 41 has a function of decoding in a format suitable for the format as a function of the decoding unit 131. In the file analysis system 1, the use of such a unique format can reduce security risks.

  Similarly, the dedicated tool may have a function of generating a file in a unique format as a function of the file generation unit 235. In this case, in the file analyzer 41, the file checking unit 113 checks whether such a unique format is used. In this case, the file analysis device 41 can reduce security risks by using such a unique format.

As a dedicated tool, for example, a tool having a function of determining a file condition, a tool having a function of reducing a log, a tool having a function of performing compression, a tool having a function of performing encryption, and the like are provided. May be separately provided, or a tool in which two or more of them are put together may be provided.
Further, a tool having both functions of compression and decompression may be provided as a dedicated tool. Further, a tool having both functions of encryption and decryption may be provided as a dedicated tool.

  In the file analysis system 1, a file to be analyzed is generated by the dedicated tool in the terminal device 53, so that, for example, a state in which the file transmitted from the terminal device 53 to the file analysis device 41 satisfies a predetermined inspection condition is ensured. It becomes easy to do. That is, compared to a case where a file is generated in response to an arbitrary operation performed by a user, a case where a file is generated by a dedicated tool provided exclusively is more easily adapted to predetermined inspection conditions. That is, by generating a file that satisfies the predetermined inspection condition by the dedicated tool, the file inspection by the file inspection unit 113 in the file analysis device 41 can be omitted, or the burden required for the file inspection can be reduced. It is possible. Thus, it is possible to simplify the file inspection by the file inspection unit 113 in the file analysis device 41.

Here, an example of performing control using the display contents 2211 shown in FIG. 6 by a dedicated tool will be described.
In the terminal device 53, it is assumed that the frame of the dedicated tool is displayed on the screen of the display unit 214. At this time, the icon of the information to be analyzed is dragged and dropped into the frame according to the operation of the operation unit 213 performed by the user. The icon may be, for example, an icon representing a log file of the security sensor.
Then, the dedicated tool reads the log to be analyzed, and deletes lines (unnecessary logs) that are not necessary for analysis from the log based on the whitelist. Then, the dedicated tool cuts out the logs retrospectively from the log of the latest date and time as necessary so that the log to be analyzed is not oversized because it fits in a predetermined size. At this time, the dedicated tool calculates the range of the date and time of the log and displays it on the screen of the display unit 214. The user confirms this display content (display content 2211 in the example of FIG. 6) and performs an operation of pressing the upload button 2221. In response, the dedicated tool compresses the file containing the log to be analyzed in a unique format and sends it to the file analyzer 41. The file analysis device 41 inspects and analyzes the received file, and notifies the file.
In this way, it is possible to transmit a file whose size is limited to the file analysis device 41 by a simple operation by the user using the dedicated tool.
The dedicated tool may be, for example, a form in which a file is uploaded or processed on a browser and used.

[Process Performed in File Analysis System]
FIG. 8 is a diagram illustrating an example of a procedure of a process performed in the terminal device 53 according to an embodiment of the present invention.
The example of FIG. 8 illustrates a case where the terminal device 53 uses a file analysis service based on a manual operation performed by a user.
This example shows a case where the functions of the file condition acquisition unit 232, the file condition determination unit 233, and the log reduction unit 234 are turned off (invalid) or a case where the functions are not provided in the terminal device 53.

(Step S1)
In the terminal device 53, the operation unit 213 receives and acquires the content of the operation performed by the user. Then, the process proceeds to the process in step S2. In this example, the operation is an operation for using a file analysis service.

(Step S2)
In the terminal device 53, the file generation unit 235 generates a file to be subjected to file analysis based on the acquired operation content. Then, the process proceeds to the process in step S3.
Here, the terminal device 53 may perform one or both of the compression by the compression unit 236 and the encryption by the encryption unit 237 on the generated file.

(Step S3)
In the terminal device 53, the control unit 217 transmits the generated file to the file analysis device 41 via the network 31 by the communication unit 215. Then, the process proceeds to the process of step S4.
As a result, the file analyzer 41 checks and analyzes the file received from the terminal device 53 and notifies the terminal device 53 of the file.
In the terminal device 53, for example, the file may be transmitted in response to a predetermined operation by the user being received by the operation unit 213.

(Step S4)
In the terminal device 53, the notification control unit 238 receives the notification from the file analysis device 41. Thereafter, in the terminal device 53, the notification control unit 238 displays the content of the received notification on the screen of the display unit 214. Then, the processing of this flow ends. Thereby, the user can grasp the contents of the notification, that is, grasp the result of the file analysis.

FIG. 9 is a diagram illustrating an example of a procedure of a process performed in the terminal device 53 according to an embodiment of the present invention.
The example of FIG. 9 illustrates a case where the terminal device 53 uses a file analysis service based on a predetermined rule (for convenience of description, also referred to as a “file generation rule”). The file generation rules are stored in the storage unit 216, for example. The file generation rule is a rule for generating a file, and may include, for example, one or more rules of a file generation timing, a log range included in the file, and the like.
This example shows a case where the functions of the file condition acquisition unit 232, the file condition determination unit 233, and the log reduction unit 234 are turned off (invalid) or a case where the functions are not provided in the terminal device 53.

(Step S21)
In the terminal device 53, the file generation unit 235 reads and acquires the file generation rule. Then, the process proceeds to the process in step S22.

(Step S22)
In the terminal device 53, the file generation unit 235 generates a file to be subjected to file analysis based on the content of the obtained file generation rule. Then, the process proceeds to the process in step S23.
Here, the terminal device 53 may perform one or both of the compression by the compression unit 236 and the encryption by the encryption unit 237 on the generated file.

(Step S23)
In the terminal device 53, the control unit 217 transmits the generated file to the file analysis device 41 via the network 31 by the communication unit 215. Then, the process proceeds to step S24.
As a result, the file analyzer 41 checks and analyzes the file received from the terminal device 53 and notifies the terminal device 53 of the file.

(Step S24)
In the terminal device 53, the notification control unit 238 receives the notification from the file analysis device 41. Then, in the terminal device 53, the notification control unit 238 displays the content of the received notification on the screen of the display unit 214. Then, the processing of this flow ends. Thereby, the user can grasp the contents of the notification, that is, grasp the result of the file analysis.

FIG. 10 is a diagram illustrating an example of a procedure of a process performed in the terminal device 53 according to an embodiment of the present invention.
In the example of FIG. 10, the terminal device 53 generates a file that meets a predetermined file condition. Note that arbitrary processing may be used as processing before and after file generation.
This example shows a case where the functions of the file condition acquisition unit 232, the file condition determination unit 233, and the log reduction unit 234 are provided in the terminal device 53 and are turned on (valid).

(Step S41)
In the terminal device 53, the file generation unit 235 generates a file based on the log acquired by the log acquisition unit 231. Then, the process proceeds to the process of step S42. In this example, the file is a file temporarily generated to determine whether or not the file condition is satisfied.

(Step S42)
In the terminal device 53, the file condition acquisition unit 232 acquires the file condition. Then, the process proceeds to the process of step S43.

(Step S43)
In the terminal device 53, the file condition determination unit 233 determines whether the generated file satisfies the file condition.
As a result, in the terminal device 53, when the file condition determination unit 233 determines that the generated file satisfies the file condition (step S43: YES), the processing of this flow ends. In this case, the generated file is determined as a candidate for analysis, and the range of the log corresponding thereto is presented to the user (for example, the example in FIG. 6). When the range of the log is approved by the user, the file is determined as an analysis target.
On the other hand, in the terminal device 53, when the file condition determining unit 233 determines that the generated file does not satisfy the file condition (Step S43: NO), the process proceeds to Step S44.

(Step S44)
In the terminal device 53, the log reduction unit 234 reduces logs included in the file. Then, the process shifts to the process of step S41.
In this example, after the log is reduced, the process of determining whether the generated file satisfies the file condition is performed again. In a configuration in which the reduction is performed, the processing of this flow may be ended after the processing of step S44.

FIG. 11 is a diagram illustrating an example of a procedure of a process performed in the terminal device 53 according to an embodiment of the present invention.
In the example of FIG. 11, the terminal device 53 determines whether a file analysis request is possible. The processing of this flow may be performed at any timing when the processing for receiving the file analysis service is performed in the terminal device 53.
This example shows a case where the analysis request availability determination unit 239 is provided in the terminal device 53 and is on (valid). When the analysis request availability determination unit 239 is off (invalid) or not provided in the terminal device 53, the processing of this flow is not performed.

(Step S61)
In the terminal device 53, the analysis request availability determination unit 239 determines whether a file analysis request is possible. In this case, the analysis request availability determination unit 239 may determine whether a file analysis request is possible based on the same information as the contract information 3011, for example. The information may be stored in the storage unit 216 and managed by the analysis request availability determination unit 239, for example.
As a result, in the terminal device 53, when the analysis request availability determination unit 239 determines that a file analysis request is possible (step S61: YES), the processing of this flow is ended.
On the other hand, in the terminal device 53, when the analysis request availability determination unit 239 determines that the file analysis request is not possible (step S61: NO), the process proceeds to step S62.

(Step S62)
In the terminal device 53, the analysis request availability determination unit 239 stops the process for receiving the file analysis service. In this case, the analysis request availability determination unit 239 may display that fact on the screen of the display unit 214. Then, the processing of this flow ends.
In the terminal device 53, a process for receiving the file analysis service may be performed again.

  FIG. 12 is a diagram illustrating an example of a procedure of a process performed in the file analysis device 41 according to an embodiment of the present invention.

(Step S101)
In the file analysis device 41, the receiving unit 121 receives the analysis target file transmitted from the terminal device 53. Then, the process proceeds to the process of step S102.

(Step S102)
In the file analyzer 41, the file checking unit 113 determines whether a predetermined checking condition is satisfied for the received file.
As a result, in the file analysis device 41, when the file inspection unit 113 determines that the received file satisfies the predetermined inspection condition (step S102: YES), the process proceeds to step S103.
On the other hand, in the file analysis device 41, when the file checking unit 113 determines that the received file does not satisfy the predetermined checking condition (step S102: NO), the process proceeds to step S104.

(Step S103)
In the file analysis device 41, the file analysis unit 114 analyzes the inspected file based on the analysis conditions. Then, the process proceeds to the process in step S104.

(Step S104)
In the file analysis device 41, the notification unit 115 notifies the terminal device 53.
Here, when the file checking unit 113 determines that the file does not satisfy the checking condition, the notifying unit 115 notifies the terminal device 53 of the information to that effect.
When the file analyzing unit 114 determines that there is no problem in the file, the notifying unit 115 notifies the terminal device 53 of the information to that effect.
When the file analysis unit 114 determines that there is a problem with the file, the notification unit 115 notifies the terminal device 53 of the information to that effect.

<Modification>
A modification will be described with reference to FIG.
FIG. 13 is a diagram illustrating an example of a procedure of processing performed in the file analysis device 41 according to an embodiment of the present invention.
In the present example, a case is shown in which the file analysis unit 114 of the file analysis device 41 has a function of determining whether a file satisfies the file condition and a function of reducing logs included in the file.
In this example, information for specifying a file condition is stored in the storage unit 111.
In this example, when the functions of the file condition acquisition unit 232, the file condition determination unit 233, and the log reduction unit 234 are turned off (invalid) in the terminal device 53, or when the functions are not provided in the terminal device 53 It is especially effective for Note that the processing of this flow may be applied when the terminal device 53 is provided with the functions of the file condition acquisition unit 232, the file condition determination unit 233, and the log reduction unit 234 and is on (valid).
In this example, it is assumed that the content of the inspection condition does not include the content of the file condition. Note that the content of the inspection condition may include a part of the content of the file condition.

(Step S121)
In the file analysis device 41, the receiving unit 121 receives the analysis target file transmitted from the terminal device 53. Then, the process proceeds to the process of step S122.

(Step S122)
In the file analyzer 41, the file checking unit 113 determines whether a predetermined checking condition is satisfied for the received file.
As a result, in the file analyzer 41, when the file inspection unit 113 determines that the received file satisfies the predetermined inspection condition (step S122: YES), the process proceeds to step S123.
On the other hand, in the file analysis device 41, when the file inspection unit 113 determines that the received file does not satisfy the predetermined inspection condition (step S122: NO), the process proceeds to step S126.

(Step S123)
In the file analyzer 41, the file analyzer 114 acquires the file condition. Then, in the file analysis device 41, the file analysis unit 114 determines whether the file condition is satisfied for the file after the inspection.
As a result, in the file analysis device 41, when the file analysis unit 114 determines that the file condition is satisfied for the inspected file (step S123: YES), the process proceeds to step S125. In this case, the file becomes an analysis target.
On the other hand, in the file analysis device 41, when the file analysis unit 114 determines that the file condition is not satisfied for the inspected file (step S123: NO), the process proceeds to step S124.

(Step S124)
In the file analysis device 41, the file analysis unit 114 reduces logs included in the file after inspection. Then, control goes to a process of step S125. In this case, the file containing the log after the reduction is to be analyzed.
In this example, the file analysis unit 114 reduces the log so that the file including the reduced log satisfies the file condition.

(Step S125)
In the file analysis device 41, the file analysis unit 114 analyzes a file to be analyzed based on the analysis conditions. Then, control goes to a process of step S126.

(Step S126)
In the file analysis device 41, the notification unit 115 notifies the terminal device 53.
Here, when the file checking unit 113 determines that the file does not satisfy the checking condition, the notifying unit 115 notifies the terminal device 53 of the information to that effect.
When the file analyzing unit 114 determines that there is no problem in the file, the notifying unit 115 notifies the terminal device 53 of the information to that effect.
When the file analysis unit 114 determines that there is a problem with the file, the notification unit 115 notifies the terminal device 53 of the information to that effect.
Further, when the log is reduced by the file analysis unit 114, the notification unit 115 notifies the terminal device 53 of the information to that effect. The information may include, for example, one or both of information specifying a reduced log and information specifying a log that has not been reduced. This allows the user of the terminal device 53 to know when the number of logs to be analyzed has been reduced in the file analysis device 41.

Here, the file condition determination process and the log reduction process in the file analyzer 41 may be the same as the file condition determination process and the log reduction process in the terminal device 53, for example. That is, in the present example, even if the terminal device 53 does not perform the file condition determination process and the log reduction process, the file analysis device 41 performs the file condition determination process and the log reduction process.
If the file conditions used in the file analyzer 41 and the file conditions used in the terminal device 53 exist, for example, these file conditions may be the same, or some or all of them may be used. May be different.

  In this example, the file analysis unit 114 of the file analysis unit 41 performs the file condition determination process and the log reduction process. However, as another example, the file analysis unit 114 replaces the file analysis unit 114 with the file inspection unit 114. 113 may perform a file condition determination process and a log reduction process. In this case, the contents of the inspection condition may include some or all of the contents of the file condition. When the contents of the inspection condition include all of the contents of the file condition, only the inspection condition may be determined, and the determination of the file condition is unnecessary.

<Modification>
A modified example will be described with reference to FIG.
FIG. 14 is a diagram illustrating an example of a procedure of a process performed in the file analysis device 41 according to an embodiment of the present invention.
In this example, it is recommended that the file analysis device 41 use the file analysis service to the terminal device 53 at a predetermined timing (for convenience of explanation, also referred to as “analysis recommended timing”). The analysis recommended timing may be an arbitrary timing, for example, may be a regular timing.
In this example, information for specifying the recommended analysis timing is stored in the storage unit 111.

(Step S141)
In the file analysis device 41, the management unit 116 determines whether the recommended analysis timing has come. In this case, the management unit 116 may refer to, for example, information on a clock function (not shown) provided inside or outside the file analyzer 41.
As a result, in the file analysis device 41, when the management unit 116 determines that the analysis recommended timing has come (step S141: YES), the process proceeds to step S142.
On the other hand, in the file analysis device 41, when the management unit 116 determines that the analysis recommended timing has not come (step S141: NO), the processing of this flow ends.

(Step S142)
In the file analysis device 41, the management unit 116 notifies the terminal device 53 of information indicating that the analysis recommended timing has come by the notification unit 115. Then, the processing of this flow ends.
Note that the processing of this flow may be performed at regular time intervals, for example.
In addition, any method may be used as a method of notifying the terminal device 53 by the notification unit 115.

Here, when the file analysis device 41 recommends (notifies) that it is the analysis recommended timing, the terminal device 53 may display information indicating the recommendation on the screen of the display unit 214 as an example. In this case, the user can grasp that it is the analysis recommended timing.
In addition, when the terminal device 53 is recommended (notified) that it is the analysis recommended timing from the file analysis device 41, as another example, the file analysis service is automatically provided without any user operation. A process for receiving (for example, the process of the flow shown in FIG. 9) may be performed.

FIG. 15 is a diagram illustrating an example of a hardware configuration of an information processing device 4001 according to an embodiment of the present invention.
An information processing device 4001 having a hardware configuration as shown in FIG. 15 may be used as the terminal device 53 or the file analysis device 41 in the present embodiment.

  In the example of FIG. 15, the information processing device 4001 connects the processor 4011, the operation unit 4012, the display unit 4013, the storage device 4014, the memory 4015, the input / output interface 4016, the network interface 4017, and the like. A bus 4021 is provided.

The processor 4011 is configured from a CPU (Central Processing Unit) and the like, and executes a program to execute processing specified by the program.
The operation unit 4012 includes one or more input devices such as a keyboard and a mouse, and receives an operation performed by a user (person).
The display unit 4013 has a screen, and outputs information on the screen.

The storage device 4014 is a non-volatile storage unit, and is configured from, for example, a hard disk, and stores information.
The memory 4015 is a volatile storage unit and is configured from a RAM (Random Access Memory) or the like, and temporarily stores information. As the RAM, for example, a DRAM (Dynamic Random Access Memory) may be used.
The storage device 4014 or the memory 4015 may store, for example, information of a program executed by the processor 4011.

The input / output interface 4016 is an interface connected to an external recording medium or the like.
The network interface 4017 is an interface for connecting to an external network.

  Here, the information processing device 4001 may include one processor as the processor 4011, or may include two or more processors. As an example, the information processing apparatus 4001 may include a plurality of CPUs, execute the respective processes by the respective CPUs, and realize the entire process in cooperation with the plurality of CPUs.

[Summary of Embodiment]
As described above, in the file analysis system 1 according to the present embodiment, the terminal device 53 transmits a file including a log to be analyzed to the file analysis device 41, and the log is analyzed by the file analysis device 41. You can receive notification of the results. For this reason, in the file analysis system 1 according to the present embodiment, log analysis can be easily performed without performing initial settings for making the system for analyzing logs operable. A log analysis service can be easily realized.

For example, the user of the terminal device 53 can send the file including the log of the security sensor from the terminal device 53 to the file analyzer 41 even if the sensor setting and the network setting are not performed, so that the analysis accuracy of the monitoring function can be improved. Can be evaluated or confirmed.
Normally, logs are always monitored by the security sensor. However, in the file analysis system 1 according to the present embodiment, a file including a log to be analyzed is transmitted from the terminal device 53 to the file analysis device 41. It is possible to easily try the file analysis service.

In the file analysis system 1 according to the present embodiment, for example, the terminal device 53 can receive a file analysis service only during a period when the security risk increases.
For example, when a large-scale new virus occurs, the terminal device 53 can receive a file analysis service for logs of a predetermined period in the past from that time. The predetermined period may be, for example, a period such as the past two weeks. The terminal device 53 may receive the service in response to an operation performed by the user, for example, or may receive the service based on a preset rule regarding the occurrence of a new virus. Alternatively, a service may be received in response to a request from the file analysis device 41.

  In the file analysis system 1 according to the present embodiment, in the terminal device 53, the log reduction unit 234 performs the log reduction, so that the data amount of the log included in the file transmitted from the terminal device 53 to the file analysis device 41. Is reduced. Thus, in the file analysis system 1 according to the present embodiment, for example, logs that do not need to be subjected to file analysis are removed in the terminal device 53, so that the efficiency of the file analysis service can be improved. Further, in the file analysis system 1 according to the present embodiment, for example, when there is a condition of an upper limit value for the data amount of a log included in a file to be analyzed, the terminal device 53 sets the condition so that the condition is satisfied. Since the number of logs is reduced, the file analysis service can be smoothly performed.

  Normally, in the security sensor, since the data size of the log file is large, it often takes a long time to analyze the log file, or the condition of the analysis capacity limitation is not easily satisfied. In the file analysis system 1 according to the above, such a problem can be solved. In the file analysis system 1 according to the present embodiment, for example, by limiting the amount of log data that can be analyzed, the load on the file analysis service is reduced, and the charge on the file analysis service is reduced. Can be reduced to a low price.

In the file analysis system 1 according to the present embodiment, for example, a dedicated tool for receiving a file analysis service is used in the terminal device 53, thereby simplifying an operation performed by a user of the terminal device 53. It is possible. In addition, the use of the dedicated tool can enhance security, for example.
Further, in the file analysis system 1 according to the present embodiment, for example, cost reduction can be achieved by using on-demand communication between the terminal device 53 and the file analysis device 41.

[Log Type]
In the present embodiment, the case where the log of the security sensor is used as the log to be subjected to the file analysis has been described. As a log of a security sensor, for example, FW (FireWall), NGFW (New Generation FireWall), IPS (Intrusion presentation system), IDS (Intrusion Detection System), UTM (UnificationWatation, WAT, WAT, WF, etc.) There is a log.

As an example, the device that detects logs may be an intrusion prevention system (IPS) device that prevents unauthorized intrusion in a computer network. For example, the device may detect a log that may be related to fraud.
As another example, the device that detects the log may be a device of a firewall (FW) that blocks communication that should not be passed. For example, the device may detect both logs that may be related to fraud and logs that are not related to fraud.
In general, when comparing the IPS with the firewall, it is easy to increase the amount of data because there is a log of a signal passed through the firewall, and it can be said that the IPS has a higher density of logs that may have a problem. .

Other logs can be used as logs to be analyzed. Other logs include, for example, an authentication log, an error log, a terminal scan log, a communication log, a program operation log, and an application operation log.
Examples of the authentication log include logs such as Active Directory, BIND (Berkeley Internet Name Domain), and DNS (Domain Name System).
The error log includes, for example, a log such as WinEvt.
Examples of the terminal scan log include logs such as antivirus and EDR (Endpoint Detection and Response).
As communication logs, there are logs such as Proxy, mail, File access, and database (DB: DataBase) access.
Examples of the program operation log include a log such as a boot log and dmesg.
Examples of the application operation log include logs such as an event log and a unique log.

In the present embodiment, a case is described in which a log is used as a target of file analysis. However, information other than a log can be used as a target of file analysis.
The information other than the log includes, for example, information on the setting of an operating system (OS).
Examples of the OS setting information include registry information.
Further, for example, a web browsing history, an operation history, or a log-in history may be used.

In the present embodiment, a case where one type of log is detected by one log detection device 51 has been described. However, a configuration in which two or more log detection devices are provided and two or more types of logs are detected is used. You may.
The log detection device may be provided, for example, outside the terminal device 53, or may be provided as a function inside the terminal device 53.

The log management device 52 may store and manage information on logs detected by a plurality of log detection devices in the storage unit 151.
For example, information of a plurality of different types of logs may be stored in a form mixed in chronological order. For example, information for identifying a sensor that has detected each log is added to each log. The logs can be distinguished based on the information. This makes it possible to extract information of a predetermined type of log from information in which information of a plurality of different types of logs is mixed.

In the terminal device 53, the file to be analyzed may include, for example, one type of log, or may include two or more types of logs.
In the file analyzer 41, the file inspection by the file inspection unit 113 may be performed, for example, for each type of log, or may be performed collectively for two or more types of log.
In the file analysis device 41, the file analysis by the file analysis unit 114 may be performed, for example, for each type of log, or may be performed collectively for two or more types of logs.

<Example of configuration>
As an example of the configuration, in the terminal device (the terminal device 53 in the present embodiment), the security sensor (the sensor of the log detection device 51 in the present embodiment) that constantly monitors the log and outputs the constantly monitored log is output. A file generation unit (in this embodiment, the file generation unit 235) that obtains a part of the plurality of logs and generates a file including the obtained log, and a file generated by the file generation unit. A file transmission unit (in this embodiment, the communication unit 215) that transmits to the file analysis device (in this embodiment, the file analysis device 41), and a notification control unit (in which the notification of the file analysis result sent from the file analysis device is received) In the present embodiment, a notification control unit 238) is provided.
As one configuration example, in the terminal device, unnecessary logs are reduced from logs included in the file based on information that specifies unnecessary logs (unnecessary logs) that are unnecessary to be analyzed, so that the An unnecessary log reduction unit (in this embodiment, a function of the log reduction unit 234) that reduces the data amount of logs to be included is provided.
As an example of the configuration, the terminal device reduces the range of the log included in the file to reduce the data amount of the log included in the file to a predetermined upper limit value or less. (The function of the unit 234).
As one configuration example, the terminal device includes an analysis request availability determination unit (in the present embodiment, an analysis request availability determination unit 239) that determines whether a file analysis request is possible.

As an example of the configuration, in the file analysis device (the file analysis device 41 in the present embodiment), a receiving unit (the reception device in the present embodiment) that receives the file transmitted from the terminal device (the terminal device 53 in the present embodiment). Unit 121), a file analysis unit (in this embodiment, the file analysis unit 114) that analyzes the file received by the reception unit, and a notification of the result of the file analysis performed by the file analysis unit to the terminal device. A file is sent from a security sensor (in this embodiment, a sensor of the log detection device 51) that constantly monitors the log and outputs the constantly monitored log. Includes some of the output logs.
As an example of the configuration, the file analysis device includes a management unit (in this embodiment, the management unit 116) that manages accounting information related to the analysis performed by the file analysis unit. The billing information includes information on the amount of money according to the number of times of analysis. The information on the amount of money according to the number of times of the analysis is information on a charged amount according to the number of times of the analysis, or information indicating that the number of times of the analysis is free when the number of times of the analysis is equal to or less than a predetermined number.

  The present invention may be embodied in various forms such as a terminal device or a device such as a file analysis device, a system such as a file analysis system, a method such as a file analysis method, a program, and a recording medium on which the program is recorded. The recording medium may be, for example, a temporary recording medium.

As described above, the program for realizing the function of each device (for example, the terminal device 53, the file analysis device 41, and the like) according to the embodiment is recorded (stored) in the computer-readable recording medium (storage medium). The processing can be performed by causing the computer system to read and execute the program recorded on the recording medium.
Here, the “computer system” may include an operating system or hardware such as a peripheral device.
The “computer-readable recording medium” includes a flexible disk, a magneto-optical disk, a writable nonvolatile memory such as a ROM (Read Only Memory), a flash memory, a portable medium such as a DVD (Digital Versatile Disc), A storage device such as a hard disk built in a computer system.
Further, a “computer-readable recording medium” refers to a volatile memory (for example, DRAM) in a computer system serving as a server or a client when a program is transmitted through a network such as the Internet or a communication line such as a telephone line. ) As well as those that hold programs for a certain period of time.
Further, the above program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
Further, the above program may be a program for realizing a part of the functions described above. Further, the above program may be a program that can realize the above-described functions in combination with a program already recorded in the computer system, that is, a so-called difference file (difference program).

  Although the present invention has been described using the embodiment, the technical scope of the present invention is not limited to the above embodiment. It will be apparent to those skilled in the art that various modifications and alternative embodiments can be made without departing from the spirit and scope of the invention.

DESCRIPTION OF SYMBOLS 1 ... File analysis system, 11 ... Analysis part, 21-23 ... Terminal part, 31 ... Network, 41 ... File analysis apparatus, 42 ... Web server apparatus, 43 ... Mail server apparatus, 51 ... Log detection apparatus, 52 ... Log management Device, 53: Terminal device, 111, 151, 216: Storage unit, 112, 215: Communication unit, 113: File inspection unit, 114: File analysis unit, 115: Notification unit, 116: Management unit, 121: Receiving unit, 131 decoding unit, 132 decompression unit, 211 input unit, 212 output unit, 213, 4012 operation unit, 214, 4013 display unit, 217 control unit, 231 log acquisition unit, 232 file condition acquisition Unit, 233: file condition determination unit, 234: log reduction unit, 235 ... file generation unit, 236 ... compression unit, 237 ... encryption unit, 238 ... notification control unit, 39: analysis request availability determination unit, 1011: file, 2011, 2111, 2211 ... display contents, 2221 ... button, 3011 ... contract information, 4001 ... information processing device, 4011 ... processor, 4014 ... storage device, 4015 ... memory, 4016 ... I / O interface, 4017 ... Network interface, 4021 ... Bus

The terminal device according to an aspect of the present invention acquires a part of the plurality of logs output from a security sensor that constantly monitors a log and outputs the constantly monitored log, and obtains the acquired log. A file generation unit for generating a file including the log, and information of the log included in one or more files to be analyzed once is allowed for the file generated by the file generation unit. A file transmitting unit that transmits to a file analyzing device that performs file analysis when a condition that the data amount is equal to or less than an upper limit value of a data amount, and a notification control unit that receives a notification of the file analysis result transmitted from the file analyzing device And the amount of data in which the information of the log to be included in the one or more files to be analyzed once is allowed. A file condition determining unit that determines whether a condition that the condition is equal to or less than an upper limit value is determined, and when the file condition determining unit determines that the condition is not satisfied, the data amount of the log included in the file is determined. A log reduction unit for reducing, and when the file condition determination unit determines that the condition is not satisfied, the log reduction unit reduces the data amount of the log included in the file, and the condition is satisfied. The terminal device , wherein the file generation unit generates the file using information of the log that is satisfied, and the file transmission unit transmits the file to the file analysis device .

In the terminal device according to an aspect of the present invention, the log reduction unit may display a time period in which the date and time when the log has occurred should be included and the time period in which the condition is satisfied for the information of the log included in the time period. The log reduction unit, when the displayed period is changed by a user's operation, if the condition is not satisfied, changes the period so that the condition is satisfied, The file generation unit may be configured to generate the file using information of the log included in the period in which the condition is satisfied .
In the terminal device according to one aspect of the present invention, one or two or more sensors are designated by an operation of the user, and information of the log to be included in the file is detected by the designated sensor. The information of the log may be included.
In the terminal device according to an aspect of the present invention, an analysis that determines whether or not a request for analysis of the file is possible based on the contents of a contract related to the file analysis service and the use status of the service. A configuration including a request availability determination unit may be employed.

The file analysis device according to an aspect of the present invention is a file including a part of the plurality of logs output from a security sensor that constantly monitors a log and outputs the constantly monitored log, A receiving unit that receives one or a plurality of the files to be analyzed once from the terminal device; and, for the file received by the receiving unit, one or the one to be analyzed once. A file inspection unit that determines whether an inspection condition that information of the log included in the plurality of files is equal to or less than an upper limit of an allowable data amount is satisfied, and the inspection condition is determined by the file inspection unit. file analysis information of said log contained satisfied is determined to be said once one or more of the files to be analyzed in an analysis When, a notification unit for sending the results of the notification of the analysis of the file made by the file analysis unit to the terminal device, Ru provided with.
In the file analysis device according to one aspect of the present invention, the file analysis device further includes a management unit that manages accounting information related to the analysis performed by the file analysis unit, wherein the accounting information includes information on an amount of money according to the number of times of the analysis, The information on the amount of money according to the number of times of the analysis is information on a charged amount according to the number of times of the analysis, or information indicating that the number of times of the analysis is free when the number of times of the analysis is equal to or less than a predetermined number. You may.

A file analysis system according to an aspect of the present invention is a file analysis system including a terminal device and a file analysis device, wherein the terminal device constantly monitors a log and outputs the constantly monitored log. A file generation unit that obtains a part of the plurality of logs output from the security sensor and generates a file including the obtained log, and the file generated by the file generation unit A file transmission unit for transmitting to the file analysis device; a notification control unit for receiving a notification of the analysis result of the file transmitted from the file analysis device; and a notification control unit included in one or more files to be analyzed once. A file condition for determining whether or not the condition that the information of the scheduled log is less than or equal to the upper limit of the allowable data amount is satisfied A determining unit; and a log reducing unit configured to reduce a data amount of the log included in the file when the file condition determining unit determines that the condition is not satisfied , wherein the file condition determining unit determines the condition. If it is determined that is not satisfied, the file generation unit reduces the data amount of the log included in the file by the log reduction unit, and uses the information of the log that is configured to satisfy the condition. Generates the file, the file transmission unit transmits the file to the file analysis device, the file analysis device receives the file transmitted from the terminal device, the reception unit, received by the reception unit A file inspection unit that determines whether a predetermined inspection condition is satisfied for the file that has been identified; A file analysis unit by part performing analysis on the file it is judged that the test conditions are met, a notification unit for sending the results of the notification of the analysis of the file made by the file analysis unit to the terminal device, the Prepare.

In the file analysis method according to one aspect of the present invention, the terminal device constantly monitors a log and acquires a part of the plurality of logs output from a security sensor that outputs the constantly monitored log. And determining whether or not a condition that information of the log scheduled to be included in one or a plurality of files to be analyzed once is equal to or less than an upper limit of an allowable data amount is satisfied; When it is determined that the condition is not satisfied, the data amount of the log included in the file is reduced, and the file is generated using the information of the log that is configured to satisfy the condition, and the file is generated. To the file analyzer, the file analyzer receives the file transmitted from the terminal device, and the received file satisfies a predetermined inspection condition. Determine whether or not to be performed, analyze the file determined that the inspection conditions are satisfied , send a notification of the result of the analysis of the file to the terminal device, the terminal device, the file analysis device To be notified of the analysis result of the file.

Program according to an embodiment of the present invention has a function of acquiring a portion of the log of the plurality of the log output from a security sensor for outputting the log that is constantly monitored constantly monitors the log, once A function of determining whether or not a condition that information of the log scheduled to be included in one or a plurality of files to be analyzed is equal to or less than an upper limit value of an allowable data amount is satisfied; When it is determined that the condition is not satisfied, a function of reducing the data amount of the log included in the file and using the information of the log adapted to satisfy the condition to generate the file, The log information contained in the one or more files to be analyzed at one time is equal to or less than the upper limit of the allowable data amount. It is a program for causing a computer to realize a function of transmitting a file analysis device that performs file analysis when a condition is satisfied and a function of receiving a notification of the analysis result of the file transmitted from the file analysis device.

Claims (9)

A file generation unit that constantly monitors a log, acquires a part of the plurality of logs output from a security sensor that outputs the constantly monitored log, and generates a file including the acquired log When,
A file transmission unit that transmits the file generated by the file generation unit to a file analysis device,
A notification control unit that receives a notification of the analysis result of the file sent from the file analysis device,
A terminal device comprising: By reducing the unnecessary logs from the logs included in the file based on the information specifying the unnecessary logs that are not required to be analyzed, the data amount of the logs included in the file is reduced. Equipped with unnecessary log reduction unit,
The terminal device according to claim 1. A log range reduction unit configured to reduce a data amount of the log included in the file by reducing a range of the log included in the file to be equal to or less than a predetermined upper limit.
The terminal device according to claim 1. An analysis request availability determination unit that determines whether a request for analysis of the file is possible,
The terminal device according to claim 1. A receiving unit that receives a file transmitted from the terminal device;
A file analysis unit that analyzes the file received by the reception unit,
A notification unit that sends a notification of the result of the analysis of the file performed by the file analysis unit to the terminal device,
With
The file includes a part of the plurality of logs output from a security sensor that constantly monitors a log and outputs the constantly monitored log,
File analyzer. A management unit that manages charging information related to the analysis performed by the file analysis unit,
The billing information includes information on the amount of money according to the number of times of the analysis,
The information of the amount of money according to the number of times of the analysis is information of a charged amount according to the number of times of the analysis, or information indicating that the number of times of the analysis is free when the number of times is equal to or less than a predetermined number.
The file analysis device according to claim 5. A file analysis system including a terminal device and a file analysis device,
The terminal device constantly monitors a log, acquires a part of the plurality of logs output from the security sensor that outputs the constantly monitored log, and stores a file including the acquired log. A file generation unit to generate,
A file transmission unit that transmits the file generated by the file generation unit to the file analysis device;
A notification control unit that receives a notification of the analysis result of the file sent from the file analysis device,
With
The file analyzer,
A receiving unit that receives the file transmitted from the terminal device,
A file analysis unit that analyzes the file received by the reception unit,
A notification unit that sends a notification of the result of the analysis of the file performed by the file analysis unit to the terminal device,
Comprising,
File analysis system. A terminal device constantly monitors a log, acquires a part of the plurality of logs output from the security sensor that outputs the constantly monitored log, and generates a file including the acquired log. Sending the generated file to a file analyzer,
The file analysis device receives the file transmitted from the terminal device, performs an analysis on the received file, sends a notification of the result of the analysis of the file to the terminal device,
The terminal device receives a notification of the analysis result of the file sent from the file analysis device,
File analysis method. A function of constantly monitoring a log and obtaining a part of the plurality of logs output from the security sensor that outputs the constantly monitored log,
A function of generating a file including the obtained log,
A function of transmitting the generated file to a file analyzer,
A function of receiving a notification of the analysis result of the file sent from the file analysis device,
To make a computer realize

Images