JP2021033598A - Information processing device, information processing method, information processing system, and program - Google Patents

Abstract

To improve the security relating to the update of a list and reduce the workload, when a list type (white list, black list) control method is used.SOLUTION: In an information processing device, a detection program detects the execution of a program (S701). An identification program acquires execution file information and determines whether it exists in a black list or a white list (S703, S704). If it does not exist in the white list, a tracking program acquires a tracking result of the history of an execution file from a history DB and transmits it to the identification program (S705, S706). The identification program determines whether there is information that matches a confidence region list (S707). If it is determined that there is matching information, a registration program registers it in the white list (S709). A control program permits the execution of the program registered in the white list (S710).SELECTED DRAWING: Figure 7

Description

The present invention relates to information processing that controls whether or not a program can be executed.

In recent years, as a new form of cyber attack on a company, a method called a targeted attack that infects a computer used or owned by a specific employee in the company with malware and steals information in the company is increasing. The mainstream method of conventional anti-virus software is to use a virus definition file by the blacklist method, but the types of malware including computer urs are increasing by 10,000 units every day, and updating the virus definition file is a malware update. It is in a situation where it cannot keep up with the rapid increase.

On the other hand, there is also a countermeasure against targeted attacks using the so-called white list method, which allows execution of only registered programs and prohibits execution of other programs. However, in the white list method, it is necessary to register a safe program in the white list, and there is a problem that scrutinizing the contents generally imposes a heavy burden on the system administrator. As one of the measures to deal with this problem, for example, Patent Document 1 describes a promotion standard rule, which is a rule for determining whether a program or file is issued by a reliable issuer or publisher. Based on, there is a way to automatically whitelist secure programs.

Japanese Unexamined Patent Publication No. 2014-96142

However, according to Patent Document 1, in order to determine the promotion standard rule, the skill and experience of the registration work are required, so that the number of personnel who can create the promotion standard rule is limited. In addition, since the setting of the promotion standard rule depends on the administrator skill, there is a possibility that the promotion standard rule is erroneously registered due to a judgment error. Furthermore, there is a burden of scrutinizing the promotion standard rule itself, confirming its safety, and creating the promotion standard rule.

In view of the above problems, it is an object of the present invention to improve the security required for updating the list and reduce the workload when the list type control method is used.

The present invention includes the following configurations as one means for achieving the above object.
The information processing apparatus according to the present invention includes a detection means for detecting the execution of a program and a search for the program, an identification means for identifying the program, a registration means for registering the program in a list of programs whose execution is permitted or prohibited, and a registration means for registering the program. It is stored in the storage means based on the storage means that stores the operation history, which is the history of the operations executed in the information processing device, and the program information of the program whose execution is detected by the detection means or the detected program. From the operation history, the program information has a specific means for specifying the operation history executed at the date and time when the program information was first stored in the information processing apparatus, and the identification means is specified by the specific means. From the operation history, it is determined whether or not the program satisfies the conditions for issuance, and the registration means registers the program determined to satisfy the conditions in the list.

According to the present invention, when the list type control method is used, it is possible to improve the security required for updating the list and reduce the workload.

A block diagram showing a configuration example of a white list control system. A block diagram showing a configuration example of a white list control system in which a server does not exist. The figure which shows an example of the white list. The figure which shows an example of the white list master existing in a server. The figure which shows an example of the trust area list. The figure which shows an example of the trust area list master existing in a server. The flowchart which shows an example of the white list control process. A flowchart showing an example of tracking processing. The figure which shows an example of the tracking process based on the operation history. The figure which shows an example of the tracking process based on the operation history. The figure which shows an example of the tracking process based on the operation history. The figure which shows an example of the tracking process based on the operation history. The figure which shows an example of the tracking process based on the operation history.

Hereinafter, examples of the present invention will be described in detail with reference to an information processing diagram of an information processing system.

[System configuration]
The block diagram of FIG. 1 shows a configuration example of a list-type control system. In the following, the white list control system using the white list will be described, but the following processing can be applied not only to the white list but also to the blacklist control system using the blacklist. The white list control system includes an information processing device and a server device that manages the information processing device.

In FIG. 1, the client computer (hereinafter, client) 100 is an information processing device in a white list control system. The client 100 is, for example, a personal computer (PC) installed in a company, a school, an administrative agency, a home, or the like, or a computer device such as a tablet terminal or a smartphone used or owned by an individual. The client 100 can also apply the following processing to a terminal having no pointing device (for example, a network scanner) or a terminal having no display (for example, an embedded terminal) as a client.

The server computer (hereinafter, server) 200 is a server device that manages an information processing device in a white list control system. The server 200 acquires the information of the white list 121 from the plurality of clients 100 and creates a database, or periodically sends the white list data to the client 100 to update the white list 121.

The network 300 is a computer network such as the Internet or an intranet. The client 100 connects to the server 200, a web server, an FTP server, etc. (not shown) via the network 300.

For the sake of brevity, FIG. 1 shows one client 100 and one server 200, but in reality, there can be a plurality of clients and servers in the white list control system.

● Client In the client 100, the arithmetic unit 160 is a microprocessor (CPU). The arithmetic unit 160 boots the operating system (OS) stored in the storage device 140 according to a boot program such as the BIOS stored in the ROM of the memory 150, and further, various resident programs (for example, detection program 111) according to the OS. To start. At that time, the arithmetic unit 160 uses the RAM of the memory 150 as a work area. The OS is, for example, Windows (registered trademark), Mac OS (registered trademark), Linux (registered trademark), iOS (trademark), Android (trademark), and the like.

The storage device 140 is a hard disk drive (hereinafter, HDD), a solid state drive (hereinafter, SSD), or the like. The program 110 stored in the storage device 140 includes a detection program 111, a tracking program 112, an identification program 113, a registration program 114, a control program 115, and the like.

The program 110 may include a plurality of programs for each function such as the detection program 111, or may be one program having various functions. Further, the data 120 stored in the storage device 140 includes a white list 121, a blacklist 122, a trust area list 123, a history database (hereinafter, history DB) 124, and the like.

The I / O device 130 is an input / output interface (I / F) for connecting to a pointing device (mouse or the like) or a keyboard, or a display incorporating a touch panel. The keyboard may be a software keyboard. Further, the I / O device 130 may be a voice input unit including a microphone or the like that recognizes the input operator's voice by the voice recognition function and transmits the recognized voice to the arithmetic unit 160. The I / O device 130 also functions as a user interface (hereinafter, UI) for displaying information.

The network I / F 170 is an interface with the network 300 and is a communication circuit for communicating with other computers. The arithmetic unit 160 receives information such as a part of the data of the white list 121 from the server 200 via the network I / F 170, and transmits various information to the server 200.

● Server In the server 200, the arithmetic unit 260 is a microprocessor (CPU). The arithmetic unit 260 boots the OS stored in the storage device 240 according to a boot program such as a BIOS stored in the ROM of the memory 250. Further, the arithmetic unit 260 loads the management console 211 from the storage device 240 into the RAM of the memory 250. Then, information (for example, information on the white list 121) is acquired from a plurality of clients 100 and stored in a database, and conversely, information is transmitted to the client 100 to update the white list 121.

The storage device 240 is an HDD, SSD, or the like. In addition to the OS, the program 210 stored in the storage device 240 includes the management console 211 running on the server 200, the tracking program 212, and the like. Further, the data 220 stored in the storage device 240 includes a white list master 221, a blacklist master 222, a trust area list master 223, a history DB 224, and the like.

The I / O device 230 is an interface (I / F) for connecting to a pointing device (mouse, etc.), keyboard, and monitor, and the monitor functions as a UI for displaying information. The network I / F 270 is an interface with the network 300 and is a communication circuit for communicating with other computers such as the client 100.

The arithmetic unit 260 receives information about the white list 121 and the blacklist 122 from a plurality of clients 100 via the network I / F 270, and manages the white list master 221 and the blacklist master 222 based on the received information. ..

In the white list control system, the server 200 is not an essential configuration. The block diagram of FIG. 2 shows a configuration example of a white list control system in which the server 200 does not exist. In the configuration of FIG. 2, since communication between the client 100 and the server 200 is not required, the network 300 and the network I / F 170 are also optional.

Further, the white list control system may be configured by using a thin client (for example, a terminal service). A thin client is a system that enables a client to remotely connect to a server and execute an application program on the server using a virtual desktop environment generated on the server.

[Programs and Data]
The identification program 113 acquires information such as a file name (program name), hash value, version information, file size, file path, and digital signature (hereinafter referred to as program information) from a program executed separately by the arithmetic unit 160. To do. Then, it has an identification function for identifying the program based on the acquired program information. Further, the identification program 113 queries the acquired program information with the trust area list 123 described later, and determines whether or not the program satisfies the conditions issued by a reliable issuer or issuer.

White list 121 is a list of information about programs that may be executed. As the information constituting the white list 121, the program information acquired by the identification program 113 is used.

FIG. 3 shows an example of White List 121. White list 121 holds program name, hash value, version information, and file size information for each program. Note that FIG. 3 is an example, and the types and numbers of information held as the white list 121 are not limited to FIG.

The white list master 221 is a list of a plurality of white lists 121. FIG. 4 shows an example of the white list master 221 existing in the server 200. The white list master 221 holds information related to the white list 121 of a plurality of clients in association with the client name and code. In the example of FIG. 4, as a white list 002 corresponding to the client PC 002, an example in which the process names, hash values, registration date and time, and last start date and time of a plurality of programs are retained is shown. Note that FIG. 4 is an example, and the type and number of information held as the white list master 221 is not limited to FIG.

The detection program 111 is executed by the arithmetic unit 160 and has a monitoring function for monitoring the execution of the program and a detection function for detecting the monitoring function.

The tracking program 112 is executed by the arithmetic unit 160, and based on the program information acquired by the identification program 113 of the program whose execution is detected or detected by the detection program 111, the history information (operation history) of the program is described later in the history DB. It has a tracking function to track from 124.

The registration program 114 has a registration function of registering the program in the white list 121 based on the history information of the program executed by the arithmetic unit 160 and tracked by the tracking program 112.

The control program 115 has a startability control function that is executed by the arithmetic unit 160 and allows or prohibits the execution of the program to be executed on the client 100.

The trust area list 123 is a list of conditions (conditions related to issuance) for determining whether or not a program or file is issued by a trusted publisher or publisher.

FIG. 5 shows an example of the trust region list 123. The trust area list 123 is a list showing conditions defined by an administrator, a user, or the like based on the history information of the program tracked by the tracking program 112. The trust area list 123 holds information indicating the intrusion source, a file type, a process name, and information on the existence of a certificate. The conditions include, for example, a file downloaded from a web server with a legitimate server certificate, an attachment to an email received from a mail server with a legitimate server certificate, and a digitally signed file with a legitimate certificate. There are received mails etc. Note that FIG. 5 is an example, and the type and number of information held in the trust area list 123 is not limited to FIG.

The trust area list master 223 is a list of a plurality of trust area lists 123. FIG. 6 shows an example of the trust area list master 223 existing in the server 200. The trust area list master 223 holds information related to the trust area list 123 of a plurality of clients in association with the client name and code. In the example of FIG. 6, the trust area list 002 corresponding to the client PC 002 shows an example in which information indicating the intrusion source, file type, process name, certificate presence / absence information, and registration date / time are retained. Note that FIG. 6 is an example, and the type and number of information held as the trust area list master 223 is not limited to FIG.

In the history DB 124, the operation history such as the content of the operation of the program executed by the client and the operation date and time is recorded as history information. As the contents of the operation, record the existence of the server certificate of the website, the path name of the downloaded file, the path name of the uploaded file, etc. as related to web browsing. As the operation contents related to the file operation, the path name of the file to be operated (copy source path name, copy destination path name), operation type (file open, rename, delete, new creation, overwrite save, name) (Save with), whether or not there is a server certificate for the file server, etc. Operations related to removable media include connecting and disconnecting removable devices, device names, device IDs, vendor IDs, serial IDs, and the presence or absence of digital signatures. The operation contents related to the mailer include the presence / absence of the server certificate of the mail server, the distinction between sending / receiving, the presence / absence of the attached file, the destination, the mail address of the sender, and the presence / absence of the digital certificate / digital signature of the received mail. The operation contents related to FTP (File Transfer Protocol) communication include file upload, file download, file deletion, and presence / absence of a server certificate of the connection destination server. The operation contents related to the active window include URL access, active window, window title change, and save as dialog.

Based on this information, the tracking program 112 tracks the history information of the program, but transfers part or all of the history information to a server on the network, leaving sufficient history information for the client. It is possible that it is not. In this case, the history of the program may not be sufficiently specified. Therefore, in this case, the client requests the server to request the tracking of the history. The server also has the same history DB 224 as the client, and the history information held by multiple clients is stored in a database. In this way, when the client cooperates with the server, the history information may be specified by tracing to the past history. Further, the history information held by a plurality of clients may be stored in the server, and the history information may be specified across the plurality of clients.

Blacklist 122 is a list of programs that are prohibited from being executed. The data structure of blacklist 122 is substantially the same as that of whitelist 121. Also, the blacklist 122 is not required and does not have to exist on the client 100, and if the blacklist 122 is not used, the blacklist master 222 of the server 200 is not required either.

[White list control process]
An example of the white list control process is shown by the flowchart of FIG.

The detection program 111 monitors the execution of the program (step S701), and when it detects the execution of the program, proceeds to the process in step S702.

When the execution of the program is detected, the identification program 113 acquires the program information of the program (step S702) and determines whether or not the program exists in the blacklist 122 (step S703). If it is determined that the program is on the blacklist 122 (YES in step S703), the control program 115 prohibits execution of the program (step S708).
If it is determined that the program does not exist in the blacklist 122 (NO in step S703), the identification program 113 determines whether or not the program exists in the whitelist 121 (step S704). If it is determined that the program exists in the white list 121 (YES in step S704), the control program 115 permits the start of the program (step S710).

If it is determined that the program does not exist in the white list 121 (NO in step S704), the identification program 113 passes the program information of the program to the tracking program 112. The tracking program 112 tracks the history DB 124 according to the search key included in the program information (step S705). By searching the history DB 124 according to the search key included in the program information, it becomes possible to identify the history information that the file or process was first imported into the client 100. The tracking process will be described later.

When the client 100 is connected to the server 200 by the network 300, the tracking program 112 sends a tracking request for history information to the management console 211 of the server 200. When the tracking program 212 receives the history information tracking request through the management console 211, the tracking program 212 may track the program information of the program from the history DB 224 as a tracking target.

The identification program 113 acquires the tracking result that identifies the historical information that the file or process was first taken into the client 100 (step S706), and whether or not there is information that matches the trust area list 123 (conditions for issuance). Whether or not to satisfy) is determined (step S707). The tracking result may be the specified history information itself, a part of the history information, or processed information (for example, information indicating the intrusion source, file type, process name, information on the presence / absence of a certificate, etc.). If it is determined that the program does not have information that matches the trust region list (NO in step S707), the control program 115 prohibits execution of the program (step S708).

If it is determined that there is information that matches the program trust area list, the identification program 113 passes the program information of the program to the registration program 114. As a result, the registration program 114 registers the program in the white list 121 (step S709), and the control program 115 permits the program registered in the white list 121 to be executed (step S710).

If the blacklist 122 does not exist, the identification program 113 passes through the determination in step S703.

Further, the client 100 may transfer a part or all of the history information stored in the history DB 124 to the server 200 at a predetermined timing, and delete the transferred history information.

Further, in the above, the process of performing the tracking process with the execution of the program as a trigger and registering the program in the white list based on the tracking result has been described. However, it is also possible to search for a program using, for example, an OS standard file search tool, perform tracking processing using the program search as a trigger, and register it in a white list based on the tracking result.

[Tracking process]
● Outline of processing From the flowchart of FIG. 8, an example of tracking processing executed by the tracking program 112 is shown. Here, an example of executing tracking from the contents of the operation recorded in the history DB 124 will be described.

The tracking program 112 determines whether or not the program information of the program is received from the identification program 113 (step S801). When it is determined that the program information of the program is received from the identification program 113 (YES in step S801), the history DB 124 is searched according to the search key included in the program information (step S802).

In step S803, the tracking program 112 investigates the old history information in order from the new history information, and the operation name recorded in the history information is a specific operation name (for example, file download, file copy, mail reception, etc.). Judge whether or not.

If the operation name is not a specific operation name (NO in step S803), the process proceeds to step S804. If the operation name is a specific operation name (YES in step S803), the process proceeds to step S806.

In step S804, the tracking program 112 searches for and investigates new historical information next to the investigated historical information.

In step S805, the tracking program 112 then proceeds to step S806 if no new historical information exists (NO in step S805). Next, if new history information exists (YES in step S805), the processing after step S803 is repeated. This makes it possible to identify the historical information that the tracked files and processes were first captured by the client 100.

The tracking program 112 transmits the tracking result of the history obtained by the tracking process (eg, the identified history information, a part of the identified history information) to the identification program 113 (step S806).
In the determination process of whether or not the operation name is a specific operation name in step S803, the tracking process is continued in consideration of the file renaming and the relevance of the parent-child process as shown in FIG.

● Tracking process related to web browsing FIG. 9 shows an example of tracking to identify the history information that a file or process was first captured by the client 100 from the history related to web browsing.

In FIG. 9, the history DB 124 includes, for example, a PC name 124a, an operation name 124b, a file name 124c, a process name 124d, a URL 124e, a date and time 124f, and the presence / absence of a certificate 124g. URL 124e may be identified from the access history of the network, or may be determined from the window name (title name) / address bar name of the active window of the target process.

Depending on the process, some program (child program) may be generated based on a certain process (parent program). In that case, URL 124e may be determined from the window name (title name) / address bar name of the parent program / child program.

The tracking program 112 searches the history DB 124 using the process name (Lkjhbg.exe) included in the program information of the program passed from the identification program 113 as a search key, and tracks the history in order from the new operation content of the date and time. I will do it.

In this example, it can be seen that the program (Lkjhbg.exe) opened the file at 15:00 on November 5, 2017. In addition, tracking program 112 goes back in time. In this example, it can be seen that the program (Lkjhbg.exe) was saved at 10:11 on November 5, 2017. The file name 124c and the process name 124d may be path names including the path. This makes it possible to perform tracking more accurately.

Furthermore, the tracking program 112 goes back in the past history and finds "file download" which is the operation first imported into the client 100 as the operation name, and the program (Lkjhbg.exe) is a site by the process (webbrowser.exe). Find out that it was downloaded from (http://www.abc.jp). File download is an example of how the program (Lkjhbg.exe) was first imported into the client 100. In this way, history information such as the timing when the program (Lkjhbg.exe) was first imported into the client 100 and the presence / absence of a certificate can be tracked from the history DB 124.

● Tracking process related to file operations Figure 10 shows an example of tracking to identify the historical information that a file or process was first captured by the client 100 from the history related to file operations. In this example, the copy source 124h indicating the file copy source information is added to the history DB 124.

As mentioned above, the tracking program 112 goes back in time according to the process name. In this example, it can be seen that the program (def.exe) was renamed from the program (abc.exe) at 10:15 on November 5, 2017. Then, the program (abc.exe) finds "file copy", which is the operation first imported into the client 100 as the operation name. The copy source 124h in the found record indicates that the file server was the copy source, and the program (abc.exe) finds out that the file was copied from the file server by the process (filemanager.exe).

In this way, even when the program name is changed, history information such as the timing when the program (def.exe) is first imported into the client 100 and the presence / absence of a certificate can be tracked from the history DB 124.

● Tracking process for removable devices FIG. 11 shows an example of tracking to identify the history information that a file or process was first captured by the client 100 from the operation history related to the removable device.

As mentioned above, the tracking program 112 traces back the past history according to the process name (abc.exe) and finds the operation name "file copy" that was first captured by the client 100. The source 124h in the found record indicates that the removable device was the source, and the program (abc.exe) finds out that the process (filemanager.exe) has copied the file from the removable device.

In this way, even when copied from a removable device, historical information such as the timing when the program (abc.exe) was first imported into the client 100 and the existence of a certificate can be tracked from the history DB 124. ..

If the product ID, vendor ID, serial ID, etc. of the removable device are recorded in the record of the history DB 124, it becomes possible to specifically identify which removable device it was.

● Tracking process related to mailer FIG. 12 shows an example of tracking to identify the history information that a file or process was first captured by the client 100 from the operation history related to mailer.

In this example, the attachment file 124i indicating the attachment information of the received mail and the mail address 124j indicating the sender of the mail are added to the history DB 124.

As described above, the tracking program 112 traces back the past history according to the process name and finds "mail reception", which is the operation first captured by the client 100 as the operation name. The email address 124j in the found record indicates that it is the sender of the email, and the program (jhgfrf.exe) finds out that the email was received from lkjc@abc.co.jp.

In this way, even when the mail is received, the history information such as the timing when the program (jhgfrf.exe) is first fetched into the client 100 and the existence of the certificate can be tracked from the history DB 124.

● Tracking process related to FTP communication FIG. 13 shows an example of tracking to identify the history information in which a file or process is first fetched into the client 100 from the operation history related to FTP communication.

In this example, the history DB 124 contains the user ID 124k, which indicates the user ID required for FTP communication, the connection source IP 124l, which indicates the IP address of the connection source of FTP communication, and the connection destination, which indicates the IP address of the connection destination of FTP communication. IP 124m has been added.

As mentioned above, the tracking program 112 traces back the past history according to the process name and finds the operation name "file download" which is the operation first captured by the client 100. The program (abc.exe) finds out that the file was downloaded from the destination IP (222.222.222.222).

In this way, even when downloaded by FTP communication, history information such as the timing when the program (abc.exe) was first imported into the client 100 and the presence / absence of a certificate can be tracked from the history DB 124. ..

As described above, according to the present embodiment, by searching the history, it is possible to specify the history information such as the timing when the program is imported into the client 100 and the presence / absence of the certificate, and the specified history. Based on the information, it is possible to know whether or not the program was published by a reliable publisher or publisher. Therefore, when the list type control method is used, the security required for updating the list can be improved and the workload can be reduced.

[Other Examples]
The present invention is also realized by executing the following processing. That is, software (program) that realizes the functions of the above-described embodiment is supplied to the system or device via a network or various storage media, and the computer (or CPU, MPU, etc.) of the system or device reads the program. This is the process to be executed. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

Claims (7)

It is an information processing device
A detection means that detects program execution and searches for programs,
Identification means to identify the program and
A registration method for registering programs in a list of programs that are allowed or prohibited to run,
A storage means that stores an operation history, which is a history of operations executed in the information processing device, and
The date and time when the program information was first stored in the information processing apparatus from the operation history stored in the storage means based on the program whose execution was detected by the detection means or the program information of the detected program. Has a specific means to identify the operation history executed in
The identification means determines whether or not the program satisfies the conditions relating to issuance from the operation history specified by the specific means.
The information processing apparatus is characterized in that the registration means registers a program determined to satisfy the above conditions in the list. The identification means determines whether or not the program is registered in a blacklist, which is a list of programs whose execution is prohibited, based on the program whose execution is detected or the program information of the detected program. Alternatively, it is determined whether or not the program is registered in the white list, which is a list of programs permitted to be executed.
The registration means is characterized by executing a process for registering a program determined not to be registered in the blacklist or a program determined not to be registered in the white list to be registered in the list. The information processing apparatus according to claim 1. further,
The information processing apparatus according to claim 1 or 2, further comprising a control means for permitting or prohibiting the activation of a program based on a list of programs whose execution is permitted or prohibited. The specific means determines whether or not the content of the operation constituting the operation history is the specific operation content, so that the operation history executed at the date and time when the program information was first stored in the information processing apparatus. The information processing apparatus according to any one of claims 1 to 3, wherein the information processing apparatus is specified. It is an information processing method of an information processing device.
A detection process that executes a program and searches for a program,
The identification process that identifies the program and
The registration process of registering a program in the list of programs that are allowed or prohibited to run,
A storage process in which an operation history, which is a history of operations executed in the information processing apparatus, is stored in a storage means,
The date and time when the program information was first stored in the information processing apparatus from the operation history stored in the storage means based on the program whose execution was detected by the detection step or the program information of the detected program. Has a specific process to identify the operation history executed in
The identification step determines whether or not the program satisfies the conditions related to issuance from the operation history specified in the specific step.
The registration step is an information processing method of an information processing apparatus, characterized in that a program determined to satisfy the above conditions is registered in the list. The information processing apparatus according to any one of claims 1 to 4,
An information processing system including a server device that transmits data of a list of programs permitted or prohibited to be executed to the information processing device via a network. A program for causing a computer to function as each means of the information processing apparatus according to any one of claims 1 to 4.

Images