JP2023045210A - Information process system, information process method, and device - Google Patents

Abstract

To provide an information process system, an information process method, and devices allowing reception of data to be limited.SOLUTION: An information process system 100 is provided with a terminal device 10, a plurality of image formation devices 20A, 20B, and an equipment management server 50. The image formation device 20A performs malware check upon receiving a print job from the terminal device (1), and the image formation device 20A transmits malware detection information including a transmission source to the equipment management server when malware is detected (2). The equipment management server transmits the malware detection information and a shutoff request to all of the image formation devices 20A, 20B connected to a network (3). The image formation device 20B stores the received malware detection information to shut off the print job from a transmission source matched with the transmission source of the malware detection information (4).SELECTED DRAWING: Figure 1

Description

The present invention relates to an information processing system, an information processing method, and an apparatus.

It is known that information processing apparatuses may be infected with malware such as computer viruses. A computer virus is a program that parasitizes and proliferates in various types of files, and issues illegitimate commands to cause operations contrary to the user's intentions. For this reason, various types of anti-malware software have been developed, and information processing devices scan data such as files with the anti-malware software and quarantine the data before using it to see if it is infected with malware.

A technique for suppressing malware infection in an information processing apparatus connected to a network has been devised (see, for example, Patent Document 1). Patent Literature 1 discloses a system in which, when malware is detected in one information processing device, the other information processing device also checks for malware.

However, the conventional technology has the problem that it does not restrict the reception of data even after malware is detected. For example, while the other information processing device is detecting malware, the other information processing device may be infected with malware.

SUMMARY OF THE INVENTION An object of the present invention is to provide an information processing system capable of restricting reception of data.

The present invention is an information processing system having a plurality of devices, wherein the first device includes a data receiving unit that receives data from an apparatus, and if the data received by the data receiving unit contains malware, the malware and a communication unit that transmits to the network that the malware has been detected, and the second device restricts reception of data when receiving the notification that the malware has been detected.

It is possible to provide an information processing system capable of restricting receipt of data.

It is a figure explaining the schematic processing of an information processing system. It is a figure which shows the system configuration|structure of an example of the information processing system which concerns on one Embodiment. 1 is a hardware configuration diagram of an example of a computer; FIG. 1 is a hardware configuration diagram of an example of an image forming apparatus; FIG. 2 is a functional block diagram illustrating an example of functions of an image forming apparatus and a device management server divided into blocks; FIG. It is an example of malware detection information stored in a malware detection information storage unit. It is an example of device information stored in a device information storage unit. FIG. 10 is a sequence diagram illustrating an example of processing for restricting reception of print jobs based on IP addresses by the information processing system when malware is detected; FIG. 10 is a sequence diagram illustrating an example of processing performed by an information processing system when a USB memory is attached to an image forming apparatus and malware is detected; FIG. 10 is a sequence diagram illustrating an example of a process in which an information processing system restricts reception of data based on a user ID when malware is detected from a print job received by the image forming apparatus from a terminal device; It is an example of a management screen displayed by the console. FIG. 10 is a sequence diagram showing an example of a procedure in which an administrator deletes malware detection information (IP address) determined to be safe from a malware detection information storage unit, and the device management server cancels blocking; FIG. 10 is a sequence diagram showing an example of a procedure in which an administrator deletes malware detection information (USB memory identification information) determined to be safe from the malware detection information storage unit, and the device management server cancels blocking. FIG. 11 is a sequence diagram showing an example of a procedure in which an administrator deletes malware detection information (user ID) determined to be safe from the malware detection information storage unit and the device management server cancels blocking; 1 is a functional block diagram of an example of an image forming apparatus; FIG. FIG. 11 is a sequence diagram illustrating an example of processing performed by the information processing system when malware is detected; FIG. 10 is a sequence diagram showing an example of a procedure in which an administrator deletes malware detection information determined to be safe from a malware detection information storage unit and the image forming apparatus cancels blocking;

Hereinafter, an information processing system and an information processing method performed by the information processing system will be described as an example of a mode for carrying out the present invention, with reference to the drawings.

<General operation>
First, with reference to FIG. 1, the outline of the process of suppressing malware infection by the information processing system 100 will be described. FIG. 1 is a diagram for explaining schematic processing of an information processing system 100. As shown in FIG.

(1) The terminal device 10 inputs a print job to the image forming device 20A (an example of a first device). The image forming apparatus 20A performs a malware check when receiving a print job.

(2) When malware is detected, the image forming apparatus 20A transmits malware detection information including a transmission source (device identification information and user information) to the device management server 50 .

(3) The device management server 50 transmits malware detection information and a blocking request to all image forming apparatuses 20A and 20B connected to the network. A block request is an instruction to block (not receive) data from a source where malware has been detected.

(4) The image forming apparatus 20B (an example of a second device) saves the transmitted malware detection information and blocks print jobs from transmission sources that match the transmission source of the malware detection information.

Therefore, in the information processing system 100 of the present embodiment, when malware is detected in a certain image forming apparatus 20, infection from the same infection source (the terminal device 10 in FIG. 1) can be suppressed.

In addition, in the conventional technology, when malware is detected in one image forming apparatus 20, the other image forming apparatus 20 starts checking for malware all at once, so the processing load on the image forming apparatus 20 increases. On the other hand, in the present embodiment, it is possible to reduce the number of times malware scans are performed, thereby suppressing an increase in the processing load.

<Terms>
Malware is a general term for malicious software and malicious code created with the intention of performing illegal and harmful actions. Malware includes viruses, worms, Trojan horses, spyware, keyloggers, backdoors, and more.

Malware check refers to determining whether or not data contains malware or is attached to data. Malware checking may include removing detected malware.

Restricting the receipt of data includes not only not receiving data but also discarding part or all of the data after receiving it.

A device may be any device that transmits data to be processed by the device. In this embodiment, the terminal device 10 and the USB memory will be described as an example.

The fact that malware has been detected means that malware has intruded or may intrude into the network. In this embodiment, the term "malware detection information" will be used.

A device is an information processing device that can be infected with malware. In this embodiment, the image forming apparatus 20 will be described as an example.

<System configuration>
Next, with reference to FIG. 2, the system configuration of the information processing system 100 according to this embodiment will be described. FIG. 2 is a diagram illustrating an example system configuration of an information processing system 100 according to an embodiment.

As shown in FIG. 2, an information processing system 100 according to the present embodiment includes one or more terminal devices 10, two or more image forming devices 20, and a device management server 50. These devices are network N are communicatively connected to each other via Note that the terminal device 10 does not always need to be connected to the network, and the information processing system 100 may include or exclude the terminal device 10 .

The terminal device 10 runs an application such as a word processor and has a printer driver installed. The terminal device 10 is an information processing device. The terminal device 10 is, for example, a PC (Personal Computer), a smart phone, a tablet terminal, a PDA (Personal Digital Assistant), or the like, and may have a function of printing using a printer driver.

For example, the terminal device 10 receives a print instruction from a user, creates print data from print target data created by an application, and then transmits a print job to the image forming device 20 . The data to be printed is, for example, printable electronic data such as image data and document data. Print data is, for example, electronic data obtained by converting data to be printed into a list of print commands described in PDL (Page Description Language). There are types of PDL such as RPCS/PCL6/PostScript (registered trademark). A print job is a print request in which print settings (color/monochrome, double-sided/single-sided, aggregate, number of copies, punch, staple, etc.) are attached to this print data.
Further, the route for transmitting the print job from the terminal device 10 to the image forming device 20 may be via a network or one-to-one communication such as a USB cable. It is also possible that the terminal device 10 once registers a print job in the print server, and the print server transmits the print job to the image forming device 20 . The print server is a device that receives print jobs from a plurality of terminal devices 10 , stores them, and sequentially submits the print jobs to the image forming device 20 . In addition, the print server may transmit the stored print data to the image forming apparatus 20 that issued the request in response to a request from the image forming apparatus 20 . The print server transmits to the image forming apparatus 20 only the print data associated with the user who has logged in to the image forming apparatus 20 . Such a printing format is called pull print printing or secure printing.

Instead of the terminal device 10 sending a print job to the image forming apparatus 20, the user attaches a portable storage medium such as the USB memory 9 to the image forming apparatus 20, and a file stored in the storage medium (for example, PDF file, etc.) may be read by the image forming apparatus 20 . The USB memory 9 is a removable storage medium for the image forming apparatus 20 . The USB memory 9 may be an SD memory (registered trademark) or the like.

Hereinafter, when print jobs and files are not distinguished, they are simply referred to as data, and data infected with malware is referred to as malware data.

The image forming device 20 is, for example, a printer, a printing device, or the like. The image forming apparatus 20 may have functions such as FAX, scanner, and copy as long as it has a printing function. Such an image forming apparatus 20 is called an MFP (Multifunction Peripheral) or multifunction machine. The image forming device 20 interprets a print job received from the terminal device 10 or the print server and prints an image on paper. Note that the image forming apparatus 20 may print by an electrophotographic method, an inkjet method, or another method.

The image forming apparatus 20 scans data to determine whether it is infected with malware. If infected, the image forming apparatus 20 transmits malware detection information to the device management server 50 . When the image forming apparatus 20 receives the blocking request together with the malware detection information from the device management server 50, the image forming apparatus 20 stores the malware detection information. The image forming apparatus 20 blocks data reception from the terminal device 10, the user, or the storage medium specified by the malware detection information. When the image forming apparatus 20 receives a block release request from the device management server 50, the image forming apparatus 20 permits data reception from the blocked terminal device 10, user, and storage medium.

In this embodiment, the image forming apparatus 20 blocks malware data, but blocking of malware data is possible in an apparatus that may be infected with malware. For example, electronic blackboards (electronic whiteboards, electronic information boards, etc.), projectors, output devices such as digital signage, network appliances, PCs (Personal Computers), smartphones, tablet terminals, game machines, PDAs (Personal Digital Assistants), digital cameras, etc. may block malware data.

The device management server 50 is an information processing device on the network. A server is a computer or software that provides information and processing results in response to a request from a client (here, the image forming apparatus 20 or the terminal device 10). The equipment management server 50 manages the image forming apparatuses 20 connected to the network. Authentication information of the image forming apparatus 20 is registered in the device management server 50, and communication is performed when the authentication of the image forming apparatus 20 is successful. The device management server 50 can transmit malware detection information to the image forming apparatus 20 in response to a request from the image forming apparatus 20 (for example, in response to polling). Further, the IP address of the image forming apparatus 20 is registered in the device management server 50, so that the malware detection information can be transmitted to the image forming apparatus 20 even without a request.

A console 8 is connected to the device management server 50 . The console 8 is an input/output interface for controlling the system, such as a keyboard, mouse and display. The device management server 50 displays on the display that malware has been detected based on the received malware detection information. Also, the device management server 50 may notify the administrator by e-mail or the like that malware has been detected. The administrator can release the blocking from the console 8 if he/she can confirm that the source of the malware data has become safe.

Regardless of whether the device management server 50 has the console 8 or not, the device management server 50 may provide the terminal device 10 with a management screen equivalent to that displayed on the console 8 as a Web server. The administrator can display a management screen on the terminal device 10 using a Web browser or the like, check the infection status, and cancel the blocking.

The device management server 50 may be realized by cloud computing, or may be realized by a single information processing device. Cloud computing refers to a form in which resources on a network are used without being aware of specific hardware resources. The device management server 50 may exist on the Internet or may exist on-premises.

The network N may have, for example, a LAN in a facility where the image forming device 20 and the terminal device 10 are present, and may also have the Internet constructed by a provider network or the like. Network N may also include a telephone network.

Hereinafter, one or more image forming apparatuses 20 will be referred to as "image forming apparatus 20A", "image forming apparatus 20B", etc. when distinguishing between them. When one or more terminal devices 10 are distinguished from each other, they are referred to as "terminal device 10A", "terminal device 10B", and the like.

Although the image forming apparatus 20 and the equipment management server 50 are separate in FIG. 2 , a specific image forming apparatus 20 may have the functions of the equipment management server 50 . In this case, the equipment management server 50 does not have to exist independently.

<Hardware configuration>
<<Equipment management server, terminal device>>
The device management server 50 and the terminal device 10 are implemented by, for example, a computer 500 having the hardware configuration shown in FIG. FIG. 3 is a hardware configuration diagram of an example of the computer 500. As shown in FIG. As shown in FIG. 3, the computer 500 is constructed by a computer, and as shown in FIG. , an external device connection I/F (Interface) 508 , a network I/F 509 , a bus line 510 , a keyboard 511 , a pointing device 512 , a DVD-RW (Digital Versatile Disk Rewritable) drive 514 , and a media I/F 516 .

Among these, the CPU 501 controls the operation of the computer 500 as a whole. The ROM 502 stores programs used to drive the CPU 501 such as IPL. A RAM 503 is used as a work area for the CPU 501 . The HD 504 stores various data such as programs. The HDD controller 505 controls reading or writing of various data to/from the HD 504 under the control of the CPU 501 . A display 506 displays various information such as cursors, menus, windows, characters, or images. The external device connection I/F 508 is an interface for connecting various external devices. The external device in this case is, for example, a USB (Universal Serial Bus) memory, the image forming apparatus 20, or the like. A network I/F 509 is an interface for data communication using a communication network. A bus line 510 is an address bus, a data bus, or the like for electrically connecting each component such as the CPU 501 shown in FIG.

Also, the keyboard 511 is a kind of input means having a plurality of keys for inputting characters, numerical values, various instructions, and the like. A pointing device 512 is a kind of input means for selecting and executing various instructions, selecting a processing target, moving a cursor, and the like. An optical drive 514 controls reading or writing of various data to an optical storage medium 513 as an example of a removable recording medium. Optical storage media include CD, DVD, Blu-Ray (registered trademark), and the like. A media I/F 516 controls reading or writing (storage) of data to a recording medium 515 such as a flash memory.

<<Image forming apparatus>>
FIG. 4 is a hardware configuration diagram of the image forming apparatus 20. As shown in FIG. As shown in FIG. 4, the image forming apparatus 20 includes a controller 910, a short-range communication circuit 920, an engine control section 930, an operation panel 940, and a network I/F 950.

Among these, the controller 910 includes a CPU 901, a system memory (MEM-P) 902, a north bridge (NB) 903, a south bridge (SB) 904, an ASIC (Application Specific Integrated Circuit) 906, and a storage unit, which are the main parts of the computer. A local memory (MEM-C) 907 , an HDD controller 908 , and an HD 909 as a storage unit, and the NB 903 and ASIC 906 are connected by an AGP (Accelerated Graphics Port) bus 921 .

Among them, the CPU 901 is a control unit that performs overall control of the image forming apparatus 20 . The NB 903 is a bridge for connecting the CPU 901, the MEM-P 902, the SB 904, and the AGP bus 921, and is a memory controller that controls reading and writing with respect to the MEM-P 902, a PCI (Peripheral Component Interconnect) master, and an AGP target. have

The MEM-P 902 is composed of a ROM 902a, which is a memory for storing programs and data for realizing each function of the controller 910, and a RAM 902b, which is used as a drawing memory for expansion of programs and data, memory printing, and the like. The program stored in the RAM 902b is configured to be provided by being recorded in a computer-readable recording medium such as a CD-ROM, CD-R, DVD, etc. as a file in an installable format or an executable format. You may

SB 904 is a bridge for connecting NB 903 with PCI devices and peripheral devices. The ASIC 906 is an image processing IC (Integrated Circuit) having hardware elements for image processing, and serves as a bridge that connects the AGP bus 921, PCI bus 922, HDD controller 908, and MEM-C 907, respectively. This ASIC 906 includes a PCI target and AGP master, an arbiter (ARB) that forms the core of the ASIC 906, a memory controller that controls the MEM-C 907, and multiple DMACs (Direct Memory Access Controllers) that rotate image data using hardware logic. , and a PCI unit for performing data transfer via the PCI bus 922 with a scanner section 931, a printer section 932, and a facsimile section. The ASIC 906 may have a USB (Universal Serial Bus) interface or an IEEE 1394 (Institute of Electrical and Electronics Engineers 1394) interface.

MEM-C 907 is a local memory used as an image buffer for copying and an encoding buffer. The HD 909 is a storage for accumulating image data, accumulating font data used for printing, and accumulating forms. The HD 909 controls reading or writing of data to or from the HD 909 under the control of the CPU 901 . The AGP bus 921 is a bus interface for graphics accelerator cards proposed to speed up graphics processing, and can speed up the graphics accelerator card by directly accessing the MEM-P 902 with high throughput. .

Also, the near field communication circuit 920 is provided with an antenna 920a of the near field communication circuit. The short-range communication circuit 920 is a communication circuit for NFC, Bluetooth (registered trademark), or the like.

Furthermore, the engine control section 930 has a scanner section 931 , a printer section 932 and a facsimile section 933 . The operation panel 940 displays a current setting value, a selection screen, and the like, and a panel display unit 940a such as a touch panel for receiving input from an operator, and setting values for image forming conditions such as density setting conditions. A hardware key 940b including a numeric keypad for accepting a copy start instruction and a start key for accepting a copy start instruction is provided. The controller 910 controls the entire image forming apparatus 20, such as drawing, communication, and input from the operation panel 940, for example. The scanner unit 931 or printer unit 932 includes an image processing part such as error diffusion and gamma conversion.

Note that the image forming apparatus 20 can sequentially switch and select the document box function, the copy function, the printer function, and the facsimile function using the application switching key on the operation panel 940 . When the user selects the document box function, the image forming apparatus 20 is in the document box mode, when the copy function is selected, the image forming apparatus 20 is in the copy mode, when the printer function is selected, the printer mode is selected, and when the facsimile mode is selected, the facsimile mode is selected.

A network I/F 950 is an interface for data communication using the network N. FIG. A short-range communication circuit 920 and a network I/F 950 are electrically connected to the ASIC 906 via a PCI bus 922 .

<About functions>
Next, functions of the image forming apparatus 20 and the device management server 50 will be described with reference to FIG. FIG. 5 is an example of a functional block diagram for explaining the functions of the image forming apparatus 20 and the device management server 50 by dividing them into blocks.

<<Image forming apparatus>>
The image forming apparatus 20 includes an operation reception unit 21, an authentication unit 22, a data reception unit 23, a blocking unit 24, a malware detection unit 25, a transmission source identification unit 26, a printing unit 27, a communication unit 28, and a malware detection information storage unit. has 40. These functions of the image forming apparatus 20 are functions or means implemented by the CPU 901 of the image forming apparatus 20 shown in FIG. 4 executing a program. The malware detection information storage unit 40 is constructed in the HD 909, RAM 902b, etc. of the image forming apparatus 20 shown in FIG.

The operation reception unit 21 receives various operations for the image forming apparatus 20 . In this embodiment, the operation accepting unit 21 accepts input of a user ID (or user name) and password, and accepts printing of a file stored in the USB memory 9, for example.

The authentication unit 22 authenticates the user based on the user ID (or user name) and password. Authentication may be performed by another server.

The data receiving unit 23 receives print jobs from the terminal device 10 . As described above, the data receiving unit 23 may read a file to be printed from the USB memory 9, or may acquire a print job from the print server.

The malware detection unit 25 detects malware from the print job or file received by the data reception unit 23 . The malware detection unit 25 is a virus check application that scans print jobs or files to detect code patterns specific to malware. Various virus check applications are available on the market or have been developed, and the details of the malware detection method of this embodiment will be omitted.

The printing unit 27 executes a print job for which malware has not been detected, generates a print job from a file, and forms an image on a sheet material such as paper. The printed matter on which the image is formed is discharged to the discharge tray.

The transmission source identification unit 26 generates malware detection information when malware is detected. Malware detection information is information that indicates that malware has been detected and that identifies at least one of the device (data transmission source terminal device 10 or storage medium such as USB memory 9) or the user. The transmission source identification unit 26 stores the malware detection information transmitted from the device management server 50 in the malware detection information storage unit 40 . Malware detection information will be described below.

- When the data receiving unit 23 receives a print job via the network, the transmission source identification unit 26 acquires the network information (IP address and host name) of the transmission source from the IP header.

- When the data receiving unit 23 receives a print job via the network, the transmission source identification unit 26 acquires user information included in the print job. Generally, the user logs in to the terminal device 10, and the user name (or user ID) is included in the print job. Alternatively, the print job includes a user name (or user ID) and password for logging in to the image forming apparatus 20 by the user.

When the data receiving section 23 reads the print job from the USB memory 9 , the transmission source identification section 26 acquires identification information (for example, serial number) of the USB memory 9 .

The communication unit 28 communicates with the equipment management server 50 . When the image forming apparatus 20 detects malware, it transmits malware detection information to the device management server 50. When another image forming apparatus 20 detects malware, it receives a blocking request and malware detection information.

The blocking unit 24 compares the terminal device 10, the storage medium, or the user information with the malware detection information when the data receiving unit 23 receives a print job via the network or reads a file from the USB memory 9 or the like. and cut off communication. Blocking communication means refusing to receive data or discarding at least part of the received data.

FIG. 6 is an example of malware detection information stored in the malware detection information storage unit 40. As shown in FIG. The malware detection information storage unit 40 holds the transmission source when malware is detected. In FIG. 6, the malware detection information storage unit 40 has items of user ID, IP address, and identification number of the USB memory 9 as types of source information.

The date and time is the date and time when malware detection information was transmitted from the device management server 50 or the date and time when malware was detected.

- When a print job containing malware is transmitted via a network, the IP address of the terminal device 10 is saved.

- If user information is included in the print job sent to the image forming apparatus 20, the user ID (or user name) is saved.

- When a file containing malware is read from the USB memory 9, the identification information of the USB memory 9 is saved. When a user logs in to the image forming apparatus 20 when printing a file saved in the USB memory 9, user information is saved.

Although each image forming apparatus 20 has the malware detection information storage unit 40 in FIG. 5 , the device management server 50 may have the malware detection information storage unit 40 . In this case, the image forming apparatus 20 may acquire malware detection information from the device management server 50 before (or after) receiving the print job or file. Alternatively, the image forming apparatus 20 may transmit the IP address, the identification information of the USB memory 9, or the user ID to the device management server 50 and inquire whether the same information is stored in the malware detection information storage unit 56. .

<<Device management server>>
The device management server 50 has a screen generation unit 51 , a cancellation transmission unit 52 , a communication unit 53 , a notification unit 54 , a restriction request unit 55 , a malware detection information storage unit 56 and a device information storage unit 57 . These functions of the device management server 50 are functions or means implemented by the CPU 501 of the image forming apparatus 20 shown in FIG. 3 executing programs. The malware detection information storage unit 56 and the device information storage unit 57 are constructed in the HD 504, the RAM 503, etc. shown in FIG.

Communication unit 53 communicates with a plurality of image forming apparatuses 20 . Communication unit 53 receives malware detection information from image forming apparatus 20 that has detected malware. Communication unit 53 stores malware detection information received from image forming apparatus 20 in malware detection information storage unit 56 . The communication unit 53 requests the notification unit 54 to notify the administrator or the like that malware has been detected.

The restriction request unit 55 transmits the malware detection information stored in the malware detection information storage unit 56 to the image forming apparatus 20 stored in the device information storage unit 57 together with a blocking request. The image forming apparatus 20 of the transmission destination may be only the image forming apparatus 20 in which malware is not detected, but may be transmitted to the image forming apparatus 20 in which malware is detected. The image forming apparatus 20 that detects malware may discard duplicate malware detection information.

The screen generation unit 51 generates a management screen based on the malware detection information stored in the malware detection information storage unit 56, and displays it on the display of the console 8 or transmits it to the terminal device 10 as a web page. On the management screen, the administrator can view malware detection information and set blocking release.

The cancellation transmission unit 52 designates the malware detection information whose deletion has been accepted according to the blocking cancellation setting accepted by the screen generation unit 51, and sends the information to the image forming apparatus 20 stored in the device information storage unit 57. Request to unblock receiving data.

FIG. 7 shows an example of device information stored in the device information storage unit 57. As shown in FIG. The device information storage unit 57 stores information about the image forming apparatus 20 to be managed by the device management server 50 . The information about the image forming device 20 is, for example, identification information, serial number, IP address, etc. of the image forming device 20 . A serial number is a number unique to the image forming apparatus 20 . The IP address is identification information on the network and does not change for at least a certain period of time.

When new malware detection information is registered in the malware detection information storage unit 56 of the device management server 50, the restriction request unit 55 sends the blocking request and the malware detection information to the image forming apparatus 20 stored in the device information storage unit 57. Send.

When the administrator cancels the blocking of communication (or when the malware detection information is deleted from the malware detection information storage unit 56 of the device management server 50), the cancellation transmitting unit 52 transmits the blocking cancellation request along with the malware detection information, It is transmitted to the image forming apparatus 20 stored in the device information storage unit 57 .

The data structure of the malware detection information storage unit 56 held by the device management server 50 may be the same as that of the malware detection information storage unit 40 of the image forming apparatus 20 .

<Operation procedure>
Processing performed by the information processing system 100 upon detection of malware based on the IP address, the identification information of the USB memory 9, and the user ID will be described below with reference to FIGS. 8 to 10. FIG.

<<IP Address>>
Processing performed by the information processing system 100 when malware is detected will be described with reference to FIG. 8 . FIG. 8 is an example of a sequence diagram illustrating a process in which the information processing system 100 restricts reception of print jobs based on IP addresses when malware is detected. Note that FIG. 8 mainly describes a case where a print job is transmitted to the image forming apparatus 20 via a network. A case where a file is read from the USB memory 9 will be described later.

S1: The terminal device 10 transmits a print job containing malware to the image forming device 20A via the network.

S2: The blocking unit 24 of the image forming apparatus 20A acquires the IP address from the IP header of the IP packet that transmits the print job, and the IP address is added to the list of IP addresses stored in the malware detection information storage unit 40. Determine whether it is included. Assume here that the IP address is not on the list. The data receiving unit 23 receives print jobs from the terminal device 10 .

S3: Next, the malware detection unit 25 of the image forming apparatus 20A checks the received print job for malware. Here, it is assumed that malware has been detected.

S4: Malware is detected, so the source identifier 26 acquires the IP address from the IP header of the IP packet that transmits the print job. Further, when user information exists in the print job, the transmission source identification unit 26 also acquires the user information. The transmission source identification unit 26 may store the malware detection information in the malware detection information storage unit 40 at this point. When malware is detected, it is possible to restrict the data reception unit 23 of the image forming apparatus 20A from receiving data from the same transmission source.

S5: The communication unit 28 of the image forming apparatus 20A transmits malware detection information to the device management server 50. FIG.

S6: The communication unit 53 of the device management server 50 receives the malware detection information and stores the malware detection information in the malware detection information storage unit 56. FIG.

S7: The restriction requesting unit 55 of the device management server 50 sends a blocking request and malware detection information (terminal device 10 IP address). If it is difficult for the equipment management server 50 to communicate with the image forming apparatus 20 through the firewall, the image forming apparatus 20 polls. Alternatively, the device management server 50 and the image forming apparatus 20 may use bidirectional communication such as WebSocket. WebSocket is a technical specification that allows two-way communication between web servers and devices. The equipment management server 50 can start communication at any timing from the server side.

S8: The communication unit 28 of the other image forming apparatus 20B receives the blocking request and the malware detection information, and stores the malware detection information in the malware detection information storage unit 40. FIG.

S9: In addition, the notification unit 54 of the device management server 50 notifies the administrator by e-mail or the like that malware has been detected.

S10: Similarly, the restriction request unit 55 of the device management server 50 transmits malware detection information together with a blocking request to the image forming apparatus 20A that detected malware. If the image forming apparatus 20A that has detected malware has a specification in which malware detection information has already been saved, the process of step S10 may be omitted.

S<b>11 : The communication unit 28 of the image forming apparatus 20</b>A that detected the malware receives the blocking request and the malware detection information, and stores the malware detection information in the malware detection information storage unit 40 .

S12: The data receiving unit 23 of the image forming apparatus 20A discards the received print job because it contains malware.

S13: Then, the terminal device 10 that has transmitted the print job containing malware transmits the print job containing malware to another image forming device 20B.

S14: The blocking unit 24 of the image forming apparatus 20B acquires the IP address from the IP header of the IP packet that transmits the communication connection request, and adds the IP address to the list of IP addresses stored in the malware detection information storage unit 40. Determines whether an address is included. Here, it is assumed that the IP address is in the list.

S15: Therefore, the data receiving unit 23 of the image forming apparatus 20B does not receive the print job, and the blocking unit 24 blocks communication with the terminal device 10. FIG. If the data receiving unit 23 receives the print job, it discards the print job.

As described above, the image forming apparatus 20 of the present embodiment blocks communication from a transmission source based on information that another image forming apparatus 20 has detected malware, so infection can be easily suppressed. Since the other image forming apparatuses 20 do not execute malware detection processing, the load is less likely to increase.

In FIG. 8, the image forming apparatus 20B blocks communication with the terminal device 10 having the IP address of the malware detection information, but the image forming apparatus 20B may block communication with the network itself. In the first place, since malware attempts to spread automatically, it is effective to block communication even when the image forming apparatus 20B is not in a state of receiving a print job.

<<USB memory identification information>>
Next, a case where the USB memory 9 is attached to the image forming apparatus 20 will be described with reference to FIG. FIG. 9 is an example of a sequence diagram illustrating processing performed by the information processing system 100 when the USB memory 9 is attached to the image forming apparatus 20 and malware is detected. In addition, in the explanation of FIG. 9, mainly the difference from FIG. 8 will be explained.

S1-2: The user logs into the image forming apparatus 20A. This identifies the user ID. If the login is successful, the user attaches the USB memory 9 to the image forming apparatus 20 .

S2-2: The blocking unit 24 of the image forming apparatus 20 determines whether or not the list of identification information of the USB memory 9 stored in the malware detection information storage unit 40 includes the identification information. Here, it is assumed that the identification information of the USB memory 9 is not included in the list. Data receiving unit 23 reads the file from USB memory 9 . Subsequent steps S3 to S12 may be the same as in FIG. 8 except for S7.

S7: The restriction request unit 55 of the device management server 50 sends a blocking request and malware detection information (USB memory (at least one of identification information and user ID).

S13-2: The user logs in to the image forming apparatus 20B. This identifies the user ID. A user attaches the USB memory 9 to the image forming apparatus 20B.

S14-2: The blocking unit 24 of the image forming apparatus 20B reads the identification information from the USB memory 9. FIG. The blocking unit 24 determines whether the identification information is included in the list of identification information of the USB memory 9 stored in the malware detection information storage unit 40 . Here, it is assumed that the identification information of the USB memory 9 is in the list.

S15: The data receiving section 23 of the image forming apparatus 20B discards the file.

In this way, even when a file is saved in the USB memory, the blocking unit 24 can block receiving the file.

<<User ID>>
Next, referring to FIG. 10, a case where image forming apparatus 20 cuts off communication based on a user ID will be described. FIG. 10 is an example of a sequence diagram illustrating the process of restricting the reception of data by the information processing system 100 based on the user ID when malware is detected from the print job received by the image forming apparatus 20 from the terminal device 10. is.
S1-3: The terminal device 10 transmits a print job containing malware to the image forming device 20A via the network.
S2-3: The blocking unit 24 of the image forming apparatus 20A determines whether the user ID included in the print job is included in the list of user IDs stored in the malware detection information storage unit 40 or not.
Steps S3 to S12 may be the same as in FIG. 8 except for S7.

S7: The restriction requesting unit 55 of the device management server 50 sends a blocking request and malware detection information (user ID) to the other image forming apparatus 20B stored in the device information storage unit 57 via the communication unit 53. to send.

S13-3: The user transmits a print job to the image forming apparatus 20B from the terminal device 10B different from that used in step S1.

S14-3: The blocking unit 24 of the image forming apparatus 20B can detect that the user ID included in the print job is stored in the malware detection information storage unit 40. FIG. If the IP address is not referenced, the data receiving unit 23 of the image forming apparatus 20B once receives the print job.

S15: Therefore, the data receiving unit 23 of the image forming apparatus 20B receives the print job, but discards the print job. Supplementally, since the user sent the print job from the terminal device 10B different from the terminal device 10A, the IP address stored in the malware detection information storage unit 40 does not include the IP address of the terminal device 10B. However, by focusing on the user ID, the blocking unit 24 can suppress infection even when the user transmits a print job from another terminal device 10B.

<IP address, identification information of USB memory 9, priority order for determination of user ID>
8 to 10, the blocking unit 24 determines the IP address, the identification information of the USB memory 9, or the user ID alone. It may be determined whether both IDs are registered in the malware detection information storage unit 40 . That is, the blocking unit 24 blocks reception of data when at least one of the IP address and the user ID, or the identification information of the USB memory 9 and the user ID is registered in the malware detection information storage unit 40 .

In this case, regarding the IP address and the user ID, the blocking unit 24 determines whether the IP address is stored in the malware detection information storage unit 40 with priority over the user ID, so that the data receiving unit 23 can process the print job. no need to receive. Regarding the USB memory 9 and the user ID, the blocking unit 24 determines whether the user ID is stored in the malware detection information storage unit 40 with priority over the identification information of the USB memory 9. there is no need to receive Therefore, by setting priorities for determining the IP address, the identification information of the USB memory 9, and the user ID, it becomes easier to suppress infection.

<Delete malware detection information>
Next, the management screen 200 will be described with reference to FIG. 11 . FIG. 11 is an example of a management screen displayed by the console 8. As shown in FIG. The management screen 200 has detection date and time 203, user ID 204, IP address 205, memory identification information 206, and cancel button 201 associated with each piece of malware detection information. The malware detection information is the same as that stored in the malware detection information storage unit 56 . The release button 201 is a button that is highlighted when pressed by the administrator and causes the console 8 to accept a request to release blocking in response to pressing of the send button 202 .

The administrator performs a virus check on the terminal device 10 that transmitted the malware data or the USB memory 9 that stored the malware data, and presses the release button 201 associated with the malware detection information when it is judged to be safe. do.

<Acquisition of data after deletion of malware detection information>
12 to 14, data acquisition processing after malware detection information is deleted based on the IP address, the identification information of the USB memory 9, and the user ID will be described below.

<<IP Address>>
FIG. 12 is an example of a sequence diagram showing a procedure in which the administrator deletes the malware detection information (IP address) determined to be safe from the malware detection information storage unit 56 and the device management server 50 cancels the blocking.

S21: The administrator operates the console 8 (keyboard and mouse) connected to the device management server 50 to display the management screen 200 on the display. The management screen 200 displays a list of malware detection information. From the management screen 200, the administrator inputs an operation (pressing the release button 201) to release the malware detection information determined to be safe. An administrator may connect the terminal device 10 to the image forming apparatus 20A and display the management screen 200 on the display.

S22: The screen generation unit 51 of the device management server 50 receives the operation and deletes the malware detection information from the malware detection information storage unit 56. FIG.

S23, S25: The release transmission unit 52 of the device management server 50 transmits the updated malware detection information to the image forming apparatuses 20A and 20B stored in the device information storage unit 57 via the communication unit 53.

S24, S26: The communication units 28 of the image forming apparatuses 20A and 20B receive the updated malware detection information, and update the malware detection information storage units 40. FIG.

S27: It is assumed that the terminal device 10 corresponding to the deleted malware detection information has transmitted the print job to the image forming device 20B.

S28: The blocking unit 24 of the image forming apparatus 20B acquires the IP address from the IP header of the IP packet that transmits the communication connection request, and adds the IP address to the list of IP addresses stored in the malware detection information storage unit 40. Determines whether an address is included. Assume here that the IP address is not on the list. The data receiving unit 23 of the image forming device 20 receives the print job from the terminal device 10 .

S29: Next, the malware detection unit 25 of the image forming apparatus 20 checks the received print job for malware. Here, it is assumed that no malware is detected.

S30: The printing section 27 executes the print job.

In this manner, the terminal device 10 can transmit a print job when the administrator cancels the cutoff of communication.

<<USB memory identification information>>
Next, referring to FIG. 13, the case where the USB memory 9 is attached to the image forming apparatus 20 will be described. FIG. 13 is an example of a sequence diagram showing a procedure in which the administrator deletes the malware detection information (USB memory identification information) determined to be safe from the malware detection information storage unit 56 and the device management server 50 cancels the blocking. .

Steps S21 to S26 may be the same as in FIG. However, the administrator deletes the USB memory identification information on the management screen 200 .

S27-2: The user logs in to the image forming apparatus 20B. A user attaches the USB memory 9 to the image forming apparatus 20B.

S 28 - 2 : The blocking section 24 of the image forming apparatus 20 reads the identification information from the USB memory 9 . The blocking unit 24 determines whether the identification information is included in the list of identification information of the USB memory 9 stored in the malware detection information storage unit 40 . Here, it is assumed that the identification information of the USB memory 9 is not included in the list. A data receiving unit 23 of the image forming apparatus 20 receives the file from the USB memory 9 .

Subsequent steps S29 to S30 may be the same as in FIG.

<<User ID>>
Next, with reference to FIG. 14, the case where the image forming apparatus 20 determines the presence or absence of malware detection information based on the user ID will be described. FIG. 14 is an example of a sequence diagram showing a procedure in which the administrator deletes malware detection information (user ID) determined to be safe from the malware detection information storage unit 56 and the device management server 50 cancels blocking.

Steps S21 to S26 may be the same as in FIG. However, the administrator deletes the user ID on the management screen 200. FIG.

S27-3: The user transmits a print job from the terminal device 10 to the image forming device 20B. The data receiving section 23 of the image forming apparatus 20B receives the print job.

S28-3: The blocking unit 24 of the image forming apparatus 20B determines that the user ID included in the print job is not saved in the malware detection information storage unit 40. FIG.

Subsequent steps S29 to S30 may be the same as in FIG.

<Summary>
As described above, in the information processing system 100 of the present embodiment, malware detection information is aggregated in the device management server 50, and each image forming apparatus 20 matches the source of the malware detection information based on the malware detection information. Block print jobs from the source. Therefore, in the information processing system 100, when malware is detected in a certain image forming apparatus 20, infection from the same infection source can be suppressed.

In addition, in the conventional technology, when malware is detected in one image forming apparatus 20, malware check is started in the other image forming apparatus 20 all at once, so the processing load of the image forming apparatus 20 increases. On the other hand, in the present embodiment, it is possible to reduce the number of times malware scans are performed, thereby suppressing an increase in the processing load.

In this embodiment, an information processing system 100 in which the image forming apparatus 20 suppresses malware infection without using the device management server 50 will be described.

In the present embodiment, description will be made on the assumption that the hardware configuration diagrams of FIGS. 3 and 4 described in the above embodiments can be used.

FIG. 15 shows an example of a functional block diagram of the image forming apparatus 20. As shown in FIG. As shown in FIG. 15 , the image forming apparatus 20 has a cancellation transmission section 52 . The function of the cancellation transmission unit 52 may be the same as that of FIG. 5 of the first embodiment.

FIG. 16 is an example of a sequence diagram illustrating processing performed by the information processing system 100 when malware is detected. Note that FIG. 16 mainly describes differences from FIG. 8 .

The processing of S41-S44 may be the same as steps S1-S4 in FIG.

S45: The transmission source identification unit 26 saves the malware detection information in the malware detection information storage unit 40. FIG.

S46: Further, the data receiving unit 23 of the image forming apparatus 20A discards the received print job because it contains malware.

S47: The communication unit 28 of the image forming apparatus 20A transmits malware detection information and a blocking request to devices on the network. The communication unit 28 uses broadcast communication for transmission. By doing so, devices (including other image forming apparatuses 20B) connected to the same network can acquire the malware detection information.

S48: The communication unit 28 of the other image forming apparatus 20B receives the blocking request and the malware detection information, and stores the malware detection information in the malware detection information storage unit 40. FIG.

S49: Then, the terminal device 10 that has transmitted the print job containing malware transmits the print job containing malware to another image forming device 20B.

S50: The blocking unit 24 of the image forming apparatus 20B acquires the IP address from the IP header of the IP packet that transmits the communication connection request, and adds the IP address to the list of IP addresses stored in the malware detection information storage unit 40. Determines whether an address is included. Here, it is assumed that the IP address is in the list.

S51: Therefore, the data receiving unit 23 of the image forming apparatus 20B does not receive the print job and cuts off the communication with the terminal device 10. FIG. If the data receiving unit 23 receives the print job, it discards the print job.

In this manner, the information processing system 100 of this embodiment can share malware detection information and block communication from a transmission source without the device management server 50 .

Also in this embodiment, the image forming apparatus 20B may cut off communication with the network itself when malware detection information is detected.

In FIG. 15, the blocking unit 24 determines whether or not the IP address of the terminal device 10 is stored in the malware detection information storage unit 40, but the same processing is performed in the case of the identification information of the USB memory 9 or the user ID. can.

<Acquisition of data after deletion of malware detection information>
FIG. 17 is an example of a sequence diagram showing a procedure in which the administrator deletes the malware detection information determined to be safe from the malware detection information storage unit 40 and the image forming apparatus 20 cancels the blocking.

S61: The administrator displays a screen equivalent to the management screen on the operation panel. From this screen, the administrator inputs an operation (pressing the release button 201) to delete the malware detection information determined to be safe. An administrator may connect the terminal device 10 to the image forming apparatus 20A and display the management screen 200 on the display.

S62: The operation reception unit 21 of the image forming apparatus 20A receives the operation, and the transmission source identification unit 26 deletes the malware detection information selected by the administrator from the malware detection information storage unit 40. FIG.

S63: The release transmission unit 52 of the image forming apparatus 20 broadcasts the updated malware detection information to devices (including other image forming apparatuses 20) on the network via the communication unit .

S64: The communication unit 28 of the other image forming apparatus 20B receives the updated malware detection information and updates the malware detection information storage unit 40. FIG.

S65: Assume that the terminal device 10 corresponding to the deleted malware detection information has sent the print job.

S66: The blocking unit 24 of the image forming apparatus 20B acquires the IP address from the IP header of the IP packet that transmits the communication connection request, and adds the IP address to the list of IP addresses stored in the malware detection information storage unit 40. Determines whether an address is included. Here, it is assumed that it is not in the list. The data receiving unit 23 of the image forming device 20 receives the print job from the terminal device 10 .

S67: Next, the malware detection unit 25 of the image forming apparatus 20 checks the received print job for malware. Here, it is assumed that no malware is detected.

S68: The printing section 27 executes the print job.

In this way, even without the device management server 50, the terminal device 10 can transmit a print job by canceling the cutoff of communication by the administrator.

<Main effects>
According to the present embodiment, in addition to the effects of the first embodiment, malware infection can be easily suppressed even without the device management server 50 .

<Other application examples>
Although the best mode for carrying out the present invention has been described above using examples, the present invention is by no means limited to such examples, and various modifications can be made without departing from the scope of the present invention. and substitutions can be added.

For example, although the image forming apparatus 20 performs the malware check in the present embodiment, the device management server 50 may perform the malware check instead of the image forming apparatus 20 .

Further, in this embodiment, the image forming apparatus 20 detects malware, and another image forming apparatus 20 restricts reception of malware data from the same source. However, a device other than the image forming device 20 may detect malware, and another device may restrict reception of malware data from the same source. Also, a device that detects malware and a device that restricts reception of malware data from the same source may be of different types. For example, the device that detects malware may be the PC, and the device that restricts reception of malware data from the same source may be the image forming device 20, or vice versa.

A device that limits the receipt of malware data can be a router. For example, if a device different from the device that detected malware receives malware data before receiving a blocking request, it is possible to prevent malware data from being transferred from this device to another network. .

Also, there may be a dedicated device for detecting malware. The user sends data from the terminal device 10 to this device and requests detection of malware. This device returns malware detection results to the user and transmits malware detection information to the device management server 50 .

Further, the configuration examples of FIG. 4 and the like are divided according to main functions in order to facilitate understanding of processing by the terminal device 10 and the device management server 50 . The present invention is not limited by the division method or name of the unit of processing. The processing of the terminal device 10 and the device management server 50 can also be divided into more processing units according to the content of the processing. Also, one processing unit can be divided to include more processing.

Moreover, the devices described in the examples are only representative of one of several computing environments for implementing the embodiments disclosed herein. In some embodiments, device management server 50 includes multiple computing devices, such as a server cluster. Multiple computing devices are configured to communicate with each other over any type of communication link, including a network, shared memory, etc., to perform the processes disclosed herein.

Further, the device management server 50 can be configured to share the processing steps disclosed in this embodiment, such as FIG. 8, in various combinations. For example, a process executed by a given unit may be executed by multiple information processing devices included in the information processing system 100 . Also, the device management server 50 may be integrated into one server device, or may be divided into a plurality of devices.

Each function of the embodiments described above may be implemented by one or more processing circuits. Here, the "processing circuit" in this specification means a processor programmed by software to perform each function, such as a processor implemented by an electronic circuit, or a processor designed to perform each function described above. Devices such as ASIC (Application Specific Integrated Circuit), DSP (Digital Signal Processor), FPGA (Field Programmable Gate Array) and conventional circuit modules are included.

10 terminal device 20 image forming device 50 device management server

Japanese Patent Application Laid-Open No. 2018-073035

Claims (10)

An information processing system having a plurality of devices,
The first device is
a data receiving unit for receiving data from the device;
a communication unit that, when malware is included in the data received by the data receiving unit, transmits a message to the effect that malware has been detected over a network;
The second device is
1. An information processing system, wherein receiving of data is restricted when a notification that said malware has been detected is received. The information processing system has an information processing device,
The communication unit transmits to the information processing device that the malware has been detected,
The information processing device is
a restriction requesting unit configured to transmit a request to restrict reception of data to the second device when receiving a notification that malware has been detected from the first device;
The second device is
2. The information processing system according to claim 1, wherein reception of data is restricted. The communication unit transmits information about the device from which the data reception unit received the data to the information processing device,
3. The information processing system according to claim 2, wherein said restriction request unit transmits a request to restrict reception of data from said device to said second device. If the device is a terminal device,
The communication unit transmits identification information of the terminal device to the information processing device as information about the device,
4. The information processing system according to claim 3, wherein said restriction requesting unit transmits identification information of said terminal device and a request to restrict reception of data from said terminal device to said second device. If the device is a removable storage medium,
The communication unit transmits identification information of the storage medium as information about the device to the information processing device,
4. The information processing system according to claim 3, wherein said restriction request unit transmits identification information of said storage medium and a request to restrict reception of data from said storage medium to said second device. If the device is a terminal device,
The communication unit transmits user identification information included in the data as information about the device to the information processing device,
4. The information processing system according to claim 3, wherein said restriction requesting unit transmits identification information of said user and a request to restrict reception of data from said user to said second device. having an operation reception unit that receives user identification information;
If the device is a removable storage medium,
The communication unit transmits identification information of the user to the information processing device as information related to the device,
4. The information processing system according to claim 3, wherein said restriction requesting unit transmits said user's identification information and a request to restrict reception of data from said storage medium to said second device. The information processing device is
a screen generation unit that displays a list of information about the device received from the device and accepts deletion of information about the device;
a release transmission unit that specifies information about the device for which deletion has been accepted by the screen generation unit and transmits a request to release the restriction on receiving the data to the device;
Said device comprises:
8. The information processing system according to any one of claims 3 to 7, wherein restrictions on receiving data from said device are lifted. An information processing method performed by an information processing system having a plurality of devices,
The first device is
receiving data from the device;
and, if the received data contains malware, transmitting over a network that malware has been detected;
The second device is
An information processing method, comprising: restricting reception of data when receiving a notification that said malware has been detected. a data receiving unit for receiving data from the device;
A device that communicates with a second device having a communication unit that transmits over a network that malware has been detected when malware is included in the data received by the data receiving unit,
A device characterized by restricting reception of data when receiving a notification that said malware has been detected.

Images