JP4843546B2 - Information leakage monitoring system and information leakage monitoring method - Google Patents

Description

  The present invention relates to an information leakage monitoring system and an information leakage monitoring method, and relates to prevention of leakage of confidential information such as personal information stored in a database on a network.

In recent years, services such as electronic commerce using networks, such as virtual shops on the Internet, have become widespread. In these services, customer information such as personal information is generally stored in a database system. For example, in Internet services based on IT equipment, there is a need to handle personal information such as customer information and credit numbers for service operation, and such information is stored in a database system.
Such customer information is confidential information, and is required to be strictly managed so that information leakage does not occur.

  On the other hand, customer information stored in the system by service providers is steadily increasing with the rapid increase in users. Along with this, the risk and management cost of service providers due to the leakage of such information are also increasing. Once such information is leaked on the Internet, it is difficult to delete leaked information completely by tracing all leaked destinations due to the characteristics of a large-scale network.

By the way, regarding the information leakage on the network, in the process of developing the Internet, countermeasures against the information access by the intrusion to the network from the outside have been mainstream. On the other hand, the threat of internal crime has increased recently.
Various countermeasure techniques have already been developed for conventional external intrusion. For example, as a method for protecting stored information against unauthorized access from outside the company, various methods such as a firewall and an access control function are used. Furthermore, the robustness against external intrusion is further improved by improving the encryption method and the processing speed of the hardware device.
As a result, the inside of the network is strictly protected from the outside, and the threat of information leakage caused by illegally accessing or illegally referring to or acquiring the information is reduced.

However, many of the problems represented by recent information leakage cases are unauthorized access by persons inside the network, such as system developers, system operators, and contractors for maintenance.
Such unauthorized access within the protected network is difficult to prevent with the existing countermeasure technology described above.
That is, the access of a person having an authorized access right inside the network is not different from the normal system use state on the surface even if it is an unauthorized access such as extraction or duplication of information. For this reason, it is difficult to identify internal unauthorized access with the above-described countermeasure technology that assumes the outside, such as firewall and encryption. In recent years, information leakage due to such unauthorized internal access has become a problem.
These can hinder the trust of the company and, in turn, future business development using the Internet.

For such internal unauthorized access, recently, statistical methods such as Poisson distribution have been adopted based on the access history (log) to the database that stores the information to be protected, and deviated from the regular access pattern. A technique has been developed for detecting intentional behavior other than the normal normal access by detecting access and notifying the administrator (see Patent Document 1).
In addition, as a technology to prevent crimes of system operators, it has been common to grant privileges to the system, that is, broad access rights, to conventional system operators, but in order to reduce the risks of the operators themselves, A technology has been developed in which only the necessary minimum access authority is granted and privileges are granted only when necessary, such as during maintenance (see Patent Document 2).

JP 2005-259140 A Japanese Patent No. 3793944

However, the above-described fraud detection by statistical processing may cause a malfunction when a database access due to a change in the specification of an application that uses the database system or sudden maintenance occurs. Moreover, there is a difficulty in recognizing that it is a steady access pattern. For this reason, human intervention is required to review the statistical information, and uniform monitoring is difficult due to individual differences in judgment. And it is necessary to scrutinize the contents of analysis by human means, resulting in an increase in management cost and variation in monitoring quality from a practical viewpoint.
On the other hand, in the method of switching access rights according to the situation described above, once access rights have been granted for operational purposes, specific data can be accessed within the scope of those rights, and if there is malicious information at this stage There is a problem that it becomes possible to acquire.

  An object of the present invention is to provide an information leakage monitoring system and an information leakage monitoring method capable of avoiding the problems of the conventional methods described above.

An information leakage monitoring system according to the present invention is an information leakage monitoring system that suppresses information leakage of a database that stores secret information, and is registered in response to a registration request for access plan information related to a specific user for the database. Generating access plan registration means, generating access plan approval means for receiving approved access plan information upon receiving an approval request for the registered access plan information, and generating security policy information of the database from the approved access plan information Security policy generation means, means for accumulating and storing actual access information for the database in an audit log database, and detecting abnormal access from the actual access information stored in the audit log database with reference to the security policy information Abnormal action And a scan detector, the access plan approval means has access risks tolerance input means for receiving an input of the access risk tolerance value for the access plan information, the said security policy information includes the access risk tolerance The abnormal access detecting means calculates an access risk value from the actual access information, and detects the abnormal access when the access risk value exceeds the access risk allowable value .

  In the present invention, a specific user (an internal accessor accessing the database) registers his / her access plan in advance, and the approver approves it. The approved access plan is converted into a policy that can be referred to from the system, and is used for monitoring actual access. Of the actual access, access according to an access plan registered or approved in advance is not determined to be abnormal, but access that does not comply with the access plan is determined to be abnormal. For this reason, even an internal access person having access authority can detect this if an unauthorized access not included in the access plan is performed, and this can be used to prevent unauthorized internal access. The access plan is mainly registered by the accessor himself / herself, but may be substituted by another person based on the application.

In the information leakage monitoring system according to the present invention, it is preferable that the information leakage monitoring system further includes an abnormal access notification means for notifying a designated person in advance when the abnormal access is detected.
In the present invention, by notifying related parties when abnormal access is detected, the related parties who have received the notification can respond appropriately and prevent even unauthorized internal access. Can do.

In the information leakage monitoring system of the present invention, the access plan approval unit includes an access risk allowable value input unit that receives an input of an access risk allowable value related to the access plan information, and the security policy information includes the access risk allowable value. Preferably, the abnormal access detection means calculates an access risk value from the actual access information, and detects the abnormal access when the access risk value exceeds the access risk allowable value.
In the present invention, an approver sets an allowable access risk value for an accessor, and performs anomaly detection by evaluating an access risk in actual access, thereby performing reliable detection while reducing the processing load. it can.

In the information leakage monitoring system of the present invention, it is preferable that the security policy information includes only the access risk allowable value.
In the present invention as described above, it is possible to reduce the processing load and to secure a sufficient detection system by limiting the abnormality detection to the access risk of the accessor.

In the information leakage monitoring system according to the present invention, the abnormal access detection means is configured to provide confidentiality for information including at least one of an SQL statement statement, a command type, and an object to be accessed in calculating the access risk value. It is desirable to use a risk table that weights the degree as a risk index.
In the present invention, the access risk can be calculated easily and reliably by referring to the risk table according to the information.

The information leakage monitoring system of the present invention is an information leakage monitoring system that suppresses information leakage of a database that stores secret information,
Application authentication information registration means for registering an access sequence and access timing of application software to the database as application authentication information;
Security policy generation means for generating security policy information of the database from the application authentication information;
Means for accumulating and storing actual access information for the database in an audit log database;
Characterized in that said with reference to the security policy information, and a abnormality access detection means for detecting an abnormal access by comparing said audit of the application software stored in the log database access pattern information based on actual access information And

In the present invention as described above, it is possible to detect unauthorized access caused by falsification of application software using a database, in addition to abnormal access by an accessor.
That is, when the application software is operating normally, the access behavior shows a certain pattern. On the other hand, if the application software is tampered with to execute unauthorized access or the like, the access behavior becomes different from that in the normal state. For this reason, the application software's normal access behavior (access sequence and access timing) is recorded as application authentication information, and the actual access behavior is inspected with reference to this information. Can be detected.

In the information leakage monitoring system of the present invention, it is preferable that the security policy information related to the application software is configured only by an access sequence of the application software.
In the present invention as described above, the processing load can be reduced and a sufficient detection system can be ensured by limiting the abnormality detection to only the access sequence of the application software.

The information leakage monitoring method of the present invention is an information leakage monitoring method for suppressing information leakage of a database that stores secret information, and the information leakage monitoring system receives a registration request for registration of access plan information for the database. An access plan registration step for generating plan information, an access plan approval step for generating approved access plan information in response to an approval request for the registered access plan information, and security policy information of the database from the approved access plan information A security policy generating step for generating the database, a storage step for accumulating and storing the actual access information for the database in the audit log database, and referring to the security policy information for abnormal access from the actual access information stored in the audit log database The Conducted an abnormal access detecting step of leaving, wherein the access plan approval step receives an input of the access risk tolerance value for the access plan information, the said security policy information includes the access risk tolerance, the abnormality In the access detection step, an access risk value is calculated from the actual access information, and an abnormal access is detected when the access risk value exceeds the access risk allowable value .

The information leakage monitoring method of the present invention is an information leakage monitoring method for suppressing information leakage of a database that stores secret information, and the information leakage monitoring system determines the access sequence and access timing of application software to the database as application authentication information. registered as the generated an application security policy information of the database from the authentication information, the accumulated store actual access information to the audit log database to the database, with reference to the security policy information, stored in the audit log database Further, abnormal access is detected by comparing with access pattern information based on actual access information of the application software.

  In these information leakage monitoring methods of the present invention, as described in the information leakage monitoring system of the present invention described above, the actual database access is inspected with reference to preset approved access plan information or application authentication information. Thus, it is possible to detect unauthorized access by application software due to unauthorized access or tampering by an accessor.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 shows an electronic commerce service system 1 to which the present invention is applied.
The electronic commerce service system 1 provides an electronic commerce service by the database system 2 to a large number of customers (service users) 31 connected via a network.

  The database system 2 includes a database server 10 and an application server 20, stores information necessary for various services in the database server 10, and provides various services by application software 21 stored in the application server 20.

Here, the database server 10 includes secret information such as customer information. In order to prevent leakage of the secret information, the information leakage monitoring system 40 according to the present invention is installed in the electronic commerce service system 1. ing.
Hereinafter, each part of the system will be described in detail.
In the following description, the term “service user 31” refers to a person involved in the system. However, since it is a computer terminal or the like that is directly involved in the system, it is displayed as a picture of the terminal device on the drawing. Yes.
A plurality of databases may be constructed in the database server 10, and if at least one of them is a monitoring target of the information leakage monitoring system, the database system 2 is a monitoring target. The identification of the plurality of databases in the database server 10 is appropriately identified by an existing database name or the like.

[1] Connection of Service User As shown in FIG. 2, an external network 4 such as the Internet is connected to the electronic commerce service system 1 through a DMZ (demilitarized zone) 3. A service user 31 who uses an electronic commerce service (hereinafter also referred to as a web service) of the electronic commerce service system 1 is connected to the web server 23 via the router 25 and the firewall 24 in the external network 4.
The web server 23 provides an interface between the service user 31 and the electronic commerce service system 1, and provides a screen display and input / output function for instructing information input and article purchase from the service user 31 necessary for the web service. Are provided to the terminal of the service user 31. Customer information input by the service user 31 is delivered to the application server 20 via the firewall 22 and recorded in the database server 10.
Therefore, customer information and the like that should be strictly managed are stored as secret information in the database server 10.

[2] Access to Database Server In the electronic commerce service system 1, the database server 10 is accessed by the application software 21 that is stored in the application server 20 and provides the Web service, as well as system maintenance management. There is access for.
As shown in FIG. 3, in the database system 2, the database server 10 and the application server 20 require the involvement of a system maintenance person 32 including a system developer from the development to the operation. In order to set or maintain the application software 21, the database server 10 and the application server 20 require the involvement of an application operation person 33 including a data maintenance person. Further, the application developer 21 or the application maintenance person 34 is required to set or update the application software 21.

As for the access to the database system 2 by the system maintenance person 32, the application operation person 33, and the application maintenance person 34, the necessary minimum access authority necessary for each of the assigned duties is usually given.
Here, many of the problems that occur inside the database system 2 may be leaked by access that can be performed within the scope of the granted authority, and it is very difficult to prevent with the conventional security technology.
Therefore, in the electronic commerce service system 1 of the present embodiment, an information leakage monitoring system 40 that targets the database system 2 is installed.

[3] Overview of Information Leakage Monitoring System 40 Returning to FIG. 1, the information leak monitoring system 40 of this embodiment is an unauthorized access from an internal access person such as the application operation person 33 and the application maintenance person 34 described above. And the function of monitoring unauthorized access due to the alteration of the application software 21 described above.

  As a function of monitoring unauthorized access from an internal access person, an access person (32 to 34) receives a registration request for access plan information 51 to the database in the database server 10 and generates registered access plan information 52; In response to the approval request for the registered access plan information 52, the approved access plan information 53 is generated, the security policy information 59 of the database server 10 is generated from the approved access plan information 53, and the database is referenced by referring to the security policy information 59. Each procedure of detecting an abnormal access from the actual access record information (access log 12) of the server 10 is executed.

  As a function of monitoring unauthorized access due to falsification of the application software 21, the access sequence and access timing of the application software 21 to the database in the database server 10 are registered as application authentication information 54, and the security policy of the database server 10 is determined from the application authentication information 54. Each procedure of generating information 59 and detecting abnormal access from the actual access record of the application software 21 with respect to the database server 10 by referring to the security policy information 59 is executed.

  In order to execute each of these procedures, the agent 11 is installed in the database system 2 to be monitored, and the workflow server 41, the policy database 42, and the log monitoring server 43 are installed in the information leakage monitoring system 40. ing.

[4] Details of information leakage monitoring system 40 (workflow server)
Based on the information leakage monitoring method of the present invention, the workflow server 41 performs access plan registration, approval, and security policy generation.
Of the information leakage monitoring method according to the present invention, access plan registration, approval, and security policy generation are performed.

As shown in FIG. 4, the workflow server 41 includes an access plan registration function 411 that is an access plan registration unit, an access plan approval function 412 that is an access plan approval unit, a security policy generation function 413 that is a security policy generation unit, and application authentication. In addition to an information registration function 415, a Web server system management function 417, a Web server monitoring function 418, and a countermeasure implementation confirmation function 419 are provided. The policy determination function 432, which is an abnormal access detection means in the present invention, is arranged in the log monitoring server 43.
5 shows access plan information 51 and registered access plan information 52 registered by the access plan registration function 411 described above, approved access plan information 53 generated by the access plan approval function 412, and application authentication information registration function 415. Details of the application authentication information 54 generated in the above are shown.

The access plan registration function 411 registers the access plan information 51 for the database in the database server 10 by the access person (system maintenance person 32, application operation person 33, application maintenance person 34), and the registered access plan. A process of generating information 52 is performed.
The access plan information 51 is a plan for “who, when and for what purpose to access” before an accessor who needs to access the database system 2 to be monitored accesses the system. The information is set as information. Normally, when the person requests registration from the access plan registration function 411, the registered access plan information 52 is obtained.
The registered access plan information 52 has the same contents as the access plan information 51.

  In FIG. 5, registered access plan information 52 (same for access plan information 51) is for an access person (32 to 34) to input plan information regarding the access prior to accessing the database system 2. Target “work name”, accessor “worker name” and “affiliation”, access “work date / time zone”, “access destination DB name”, “access destination host name”, “DB user name” , “IP address”, “terminal name” and “OS user name” to be accessed, “action”, “target object”, “personal mail address”, and “policy expiration date”.

In FIG. 4, the access plan approval function 412 performs a process of generating the approved access plan information 53 when the approver 39 approves the registered access plan information 52.
The approver 39 is a person in charge of managing an operator such as an accessor (32 to 34), confirms the registered access plan information 52 registered by the operator, and inputs an approval request and necessary information. .
In FIG. 5, the approved access plan information 53 includes information of “approver name”, “approver mail address”, and “access risk allowable value” input by the approver in the contents of the registered access plan information 52 described above. Is added.
The approver 39 sets an access risk allowable value of this access plan according to the contents of the work described in the registered access plan information 52.

In FIG. 4, the application authentication information registration function 415 checks the access sequence and access timing of the application software 21 with respect to the database server 10 as a function for monitoring unauthorized access due to falsification of the application software 21, and uses this as application authentication information 54. Perform the registration process.
In FIG. 5, it consists of access pattern information (M1, M2, etc.) and access time information (1, 2, etc.) indicating the time zone in which the application operates.
Application authentication is a legitimate application that analyzes the access pattern of the application that accesses the monitoring target database at the stage of test operation after the completion of system development and application development for Web services, and uses its feature information. It authenticates, and it can detect abnormal access to the database due to tampering of the application itself, tampering with SQL statements, etc.
Details regarding application authentication will be described later.

  In FIG. 4, the security policy generation function 413 generates the security policy information 59 of the database server 10 from the approved access plan information 53 and also generates the security policy information 59 of the database server 10 from the application authentication information 54. .

(Policy database)
The policy database 42 records a security policy generated based on the information leakage monitoring method of the present invention, and provides this information as necessary.
As shown in FIG. 5, in the policy database 42, registered access plan information 52 and approved access plan information 53 are registered, and pre-registered application authentication information 54 is stored. Further, an access risk table 55 created in advance for each individual database stored in the database server 10 is registered.

The access risk table 55 is a “risk” indicating an assumed access risk for each combination of “database name” constructed in the database server 10, “action name” for each database, “SQL” and “object” indicating the target object. The index is recorded.
The risk index is set by the administrator according to the degree of confidentiality of information stored in the monitored database, and a larger numerical value indicates higher confidentiality and higher leakage risk.
By referring to this access risk table 55, the risk index of an arbitrary access plan can be investigated.

(Agent)
The agent 11 provides the actual access information of the database server 10 to which the information leakage monitoring system 40 is subject to abnormal access detection based on the information leakage monitoring method of the present invention.
As shown in FIG. 4, the agent 11 is installed on the database system 2 to be monitored and generates an access log every time the database server 10 is accessed, and includes an audit log setting function 111, an audit log A collection function 112, an audit log transmission function 113, and a command processing function 114 are provided.

  The audit log setting function 111 performs initial setting for the database system 2, and the command processing function 114 processes a command such as an audit log request 122 from the log monitoring server 43 serving as a monitoring manager. The audit log collection function 112 collects necessary audit logs by examining the database system 2 based on the audit log request 122 from the log monitoring server 43, and the audit log transmission function 113 logs the collected audit logs 121. This is transmitted to the monitoring server 43.

As shown in FIG. 6, in the agent 11, when the database system 2 to be monitored is started, the process is initialized (S 61), and then the initial setting for generating the audit log for the database system 2 is performed. (S62). Thereafter, it waits for a command from the log monitoring server 43 (S63), analyzes the received command (S64), and if the received command is the audit log request 122 (S65), the necessary audit log 121 from the database system 2 is obtained. (S66), the format is converted, and the audit log is transmitted to the log monitoring server 43 (S67).
When there are a plurality of databases in the database server 10, a plurality of agents 11 may be provided corresponding to each database.

(Log monitoring server)
Based on the information leakage monitoring method of the present invention, the log monitoring server 43 refers to the actual access information of the database server 10 sent from the agent 11 and the security policy information 59 obtained from the policy database 42 to determine abnormal access. Is what you do.
As illustrated in FIG. 4, the log monitoring server 43 includes an audit log collector function 431, a policy determination function 432, an alert function 433, and an audit log database 439.

The audit log collector function 431 receives the audit log 121 collected by the agent 11 and stores it in the audit log database 439.
The policy determination function 432 is an abnormal access detection unit according to the present invention, refers to the security policy information 59 stored in the policy database 42, analyzes the audit log 121 recorded in the audit log database 439, and performs an unscheduled operation. Abnormal access is detected.
The alert function 433 generates alert information 57 when the abnormal access information 58 is output from the policy determination function 432, and notifies the supervisor 38 via the mail server 44 or the like.

In such a log monitoring server 43, the audit log collector function 431 is periodically activated by an interval timer, and performs data reception processing when a preset time has elapsed.
As shown in FIG. 7, in the data reception process in the audit log collector function 431, information of the database system 2 to be monitored set in advance is acquired (S71), connected to the agent 11 (S72), and audit log request 122 is obtained. (S73), and after error check (S74), the audit log 121 is acquired from the agent 11 (S75), and the received audit log 121 is stored in the audit log database 439 (S76).

The policy determination function 432 is activated following the data reception process in the audit log collector function 431.
As shown in FIG. 7, the policy determination function 432 reads the audit log 121 related to the monitoring target database system 2 (S81), and the security policy information 59 corresponding to the audit target database name in the database system 2 is read from the policy database 42. Read (S82). Next, as preprocessing for policy determination, the syntax of the security policy information 59 is analyzed and decomposed into information that can be easily determined (S83). In policy determination (S84), determination of audit log 121 based on access plan information 51, application access determination based on application authentication information 54, risk detection, and the like are performed. If a problem occurs in any of these determinations (S85), an alert flag is set (S86). When all the collected logs have been judged, this process is finished. If the alert flag is set here, policy violation information related to the DB is accumulated in the audit log DB and immediately notified as an alert information 57 by e-mail or the like in order to respond to the related parties.

In the policy determination (S84 in FIG. 8) by the policy determination function 432 described above, determination of the audit log 121 based on the access plan information 51, application access determination based on the application authentication information 54, and access risk determination using the access risk value Detect abnormal access by.
Details of each determination process will be described below.

(Access plan judgment)
One of the policy determinations by the policy determination function 432 is an access plan determination function.
As shown in FIG. 9, the access plan determination function includes an ALC policy for monitoring the access authority of a database user, an object policy for monitoring an access target, a time policy for monitoring an access time zone, and a database command used for access. It consists of each policy judgment such as the action policy to be monitored.
Each policy determination is performed by comparing the audit log 121 collected by the log monitoring server 43 with the security policy information 59 read from the policy database 42. Which policy judgment is used is determined by the security policy information 59 read from the policy database 42.
As shown in FIG. 9, the determination designation of the database to be inspected designated by the security policy information 59 is checked (S91), the corresponding judgment (S92 to S96) is performed, and the policy violation information is accumulated in the audit log DB ( S97).

(Condition list)
In each policy determination in the access plan determination function, the following condition determination based on the security policy information 59 is used.
(A) The OS user name in the audit log 121 matches the OS user name in the approved access plan information 53.
(B) The DB user name in the audit log 121 matches the DB user name in the approved access plan information 53.
(C) The target database name in the audit log 121 matches the access destination DB name in the approved access plan information 53.
(D) The action of the audit log 121 matches the action of the approved access plan information 53.
(E) The host IP address included in the audit log 121 matches the terminal IP address of the approved access plan information 53.
(F) The access date and time included in the audit log 121 are within the policy expiration date of the approved access plan information 53.
(G) The access date and time included in the audit log 121 is within the access date and time range of the approved access plan information 53.
(H) The object name included in the audit log 121 matches the target object of the approved access plan information 53.
(I) The object owner included in the audit log 121 matches the DB user name of the approved access plan information 53.

(ALC policy judgment)
In the ALC policy determination (S92), the condition (b) in the above-described condition list is required, and whether to include other conditions depends on the setting of the security policy generation function 413.
(Action policy judgment)
In the action policy determination (S93), the condition list condition (d) described above is required, and whether to include other conditions depends on the setting of the security policy generation function 413.
(Time policy judgment)
In the time policy determination (S94), the condition (g) in the condition list described above is essential, and whether to include other conditions depends on the setting of the security policy generation function 413.
(Object policy judgment)
In the object policy determination (S95), the condition list condition (h) and condition (i) described above are required, and whether to include other conditions depends on the setting of the security policy generation function 413.
(Custom policy judgment)
In the custom policy determination (S95), any of the above-described condition lists is set by the security policy generation function 413.

(Application authentication)
An application authentication function is performed as one of the policy determinations by the policy determination function 432.
In the application authentication function, application authentication information 54 (see FIG. 1) is used for the determination. The application authentication information 54 describes the access sequence and access timing of the application software 21 that accesses the database server 10, and is registered in advance by the application authentication information registration function 415 of the workflow server 41.
These access sequences and access timings (hereinafter referred to as authentication patterns) are generated from the results of database access in the normal operation of the application software 21. Specifically, the access log 12 (audit log 121) obtained when performing database access in normal operation is referred to.

In FIG. 10, an audit log having the same DB user name as the DB user name of the application software 21 that performs authentication registration is extracted from the audit log 121 (S101). Next, in order to analyze the access pattern for each session, log information having the same session information is further extracted from the audit log having the same DB user name (S102).
A marker indicating the start of database access is searched from the log information thus extracted, and the head of a series of access blocks is detected (S103). The DB user name and IP address are recorded from the detected marker log (S104). SQL statements are sequentially detected from the subsequent extracted logs (S105), information on the detected SQL statements is recorded (S106), and a difference in execution time is recorded (S107). These processes S105 to S107 are repeated until the end marker is detected (S108).
When the end marker is detected, it is checked whether all the markers have been detected (S109). If there is any unprocessed marker, the process is repeated from the recording of the DB user name and IP address of the next marker log (S104).
If all the markers have been detected, it is checked whether all the sessions have been detected (S1010). If any unprocessed sessions remain, the process repeats from the extraction of the same log information as the next session information (S102).
If all the sessions have been detected, the process is terminated (S1011). As a result, access pattern information 54A for each DB user shown in FIG. 12 is obtained.

In FIG. 11, the access pattern information 54 </ b> A has a DB user name 541 and an IP address 542 and a plurality of access pattern lists 543.
The access pattern list 543 includes a series of SQL sentence information 544 and respective time interval information 545.
As a result, the application software 21 identified by the DB user name 541 and the IP address 542 accesses the database in the database server 10 at a certain time using the transmission pattern of the SQL statement described in the access pattern 1, In this case, it can be identified that the operation of the pattern described in the access pattern 2 is normal.
Such access pattern information 54A is recorded in the policy database 42 as part of the security policy information 59. Then, it is referred to in the application authentication function in the policy determination function 432.

In FIG. 12, in the policy determination by application authentication, the audit log 121 is first read (S121), and the application authentication information 54 is read from the policy database 42 (S122). Next, only the application DB user account to be determined is extracted (S123), and further classified for each session (S124).
A start marker is detected from the specific log for each classified session (S125). The execution order of the SQL statements after the start marker and the time interval are compared (S126), and whether or not the access is from an authenticated application is determined based on the similarity (S127).
If the similarity cannot be confirmed, it is determined that the application has been falsified, information for identifying the application such as the corresponding database name, marker name, etc. is accumulated in the audit log (S128), and an application abnormality flag is set (S129). ).
Thereafter, it is checked whether all the markers have been detected (S1210). If any unprocessed markers remain, the processing from S125 to S1210 is repeated for the next marker.
If all the markers have been detected, it is checked whether all the sessions have been detected (S1211). If any unprocessed sessions remain, the processing from S125 to S1211 is repeated.
When all the sessions have been detected, the process is terminated.

(Access risk assessment)
Access risk determination is performed as one of the policy determinations by the policy determination function 432.
In the access risk determination, an access risk allowable value set by the access risk table 55 (see FIG. 5) and the approved access plan information 53 set by the approver is used.
FIG. 13 shows an operation flow of an access risk determination function based on access risk determination.
In the access risk determination, first, the audit log 121 is read (S131), and the access risk table 55 recorded in the policy database 42 is read in order to calculate the risk of access by the accessor (32 to 34) (S132). Next, an audit log related to the user account to be analyzed is extracted (S133), and the extracted log is further classified for each session (S134). Based on the risk index described in the access risk table 55, the risk index for each SQL sentence is integrated, and the transition of the integrated value per unit time is recorded (S135). Similarly, the process is executed for all sessions of the specific user account (S136). After the end of all sessions, the risk integrated value per unit time is compared with the threshold access risk allowable value (S137), and if this access risk allowable value is exceeded, the risk abnormal incident is stored in the audit log DB. (S138), a risk abnormality flag is set (S139).
In such access risk determination, it is possible to perform reliable detection while reducing the processing load by setting an allowable access risk value for an access person and performing abnormality detection by evaluating access risk in actual access.

In FIG. 4, a Web server system management function 417 provides an existing function necessary for managing the database system 2.
The Web server monitoring function 418 and the countermeasure implementation confirmation function 419 provide the following monitoring functions.

(Monitoring function)
The Web server monitoring function 418 includes a function for displaying and dealing with incidents occurring in each database in real time such as the occurrence of an abnormality due to each determination described above. The result of the policy determination by the policy determination function 432 is accumulated in the audit log database 439 each time and is sent as alert information 57 by e-mail or the like to request a quick action.
Upon receiving the alert information 57, the on-site supervisor 38 identifies the access person (32 to 34) of the monitoring target database that generated the alert, confirms the execution, and reports it to the approver 39.
The Web server monitoring function 418 periodically monitors the audit log database 439, and when a new incident occurs, the related information is acquired from the audit log database 439 and displayed on the monitoring terminal. The supervisor 38 who has received the audit report determines that an emergency response is made when there is a problem with the reporter, and blocks the connection from the terminal of the accessor (32 to 34) who created the cause of the alert, Implement the setting to deny subsequent access using the monitoring function.
The countermeasure implementation confirmation function 419 monitors the Web server monitoring function 418, and automatically executes the above-described blocking process when the implementation confirmation described above cannot be obtained within a predetermined time.

  By utilizing the present invention, it is possible to prevent information leakage due to internal crimes, which has been difficult to prevent by the conventional firewall and network security. In addition, most of the damages caused by IT crimes are not attacks from outside, but cases by insiders are increasing, and the damage caused by the loss of credit in the company when a problem occurs is enormous. In conventional network security, limited access by granting access rights is common, but it is not possible to suppress the possibility of information leakage by accessing the information within the scope of the rights that have been granted once. Deterrence effects can be obtained even for problems that occur. In addition, access to the database increases as the number of general users who use the Web service increases, and the generated audit log becomes enormous. It can be expected to reduce the cost and improve the accuracy of the monitor who finds abnormal access from these enormous log information. It is also effective as a tool for compliance with laws such as internal control.

Note that the present invention is not limited to the above-described embodiments, and modifications and the like within a scope in which the object of the present invention can be achieved are included in the present invention.
The network configuration or system configuration in the embodiment can be changed as appropriate.
For example, in the above embodiment, the monitor 38 is set separately from the approver 39 and the alert information 75 is sent, but the alert information 57 may be sent to the approver 39 or the approver 39 In the case of serving also, the supervisor 38 may be omitted.
Details of processing, procedures, or details of the order in the above embodiment can be changed as appropriate. As a specific method of each process, an existing software technique can be appropriately adopted according to the function.

  The present invention can be used for an information leakage monitoring system and an information leakage monitoring method, and can be used for preventing leakage of secret information such as personal information stored in a database on a network.

The block diagram which shows the whole structure of one Embodiment of this invention. The schematic diagram which shows the access of the external customer user in the said embodiment. The schematic diagram which shows the access of the internal access person in the said embodiment. The block diagram which shows the outline | summary of the information leakage monitoring system in the said embodiment. The block diagram which shows the relationship of the data in the said embodiment. The flowchart which shows the access log collection operation | movement of the agent in the said embodiment. The flowchart which shows the access log data reception process of the log monitoring server in the said embodiment. The flowchart which shows the outline of the policy determination process in the said embodiment. The flowchart which shows the policy determination process by the access plan determination in the said embodiment. The flowchart which shows the registration process of the application authentication information in the said embodiment. The schematic diagram which shows the application authentication information in the said embodiment. The flowchart which shows the application authentication determination process in the said embodiment. The flowchart which shows the access risk determination process in the said embodiment.

Explanation of symbols

1 Electronic Commerce Service System 2 Database System 4 External Network 10 Database Server 11 Agent 12 Access Log (Access Record Information)
20 Application Server 21 Application Software 22 Firewall 23 Web Server 24 Firewall 25 Router 31 Service User 32 System Maintenance Person 33 Application Operation Person 34 Application Maintenance Person 38 Monitor 39 Approver 40 Information Leakage Monitoring System 41 Workflow Server 42 Policy database 43 Log monitoring server 44 Mail server 51 Access plan information 52 Registered access plan information 53 Approved access plan information 54A Access pattern information 54 Application authentication information 55 Access risk table 57 Alert information 58 Abnormal access information 59 Security policy information 111 Audit Log setting function 112 Audit log collection function 113 Audit log transmission function 114 Command processing Function 121 Audit Logs 122 audit log request 411 access plan registration function (access plan registration means)
412 Access plan approval function (access plan approval means)
413 Security policy generation function (security policy generation means)
415 Application authentication information registration function (application authentication information registration means)
417 Server system management function 418 Server monitoring function 419 Countermeasure execution confirmation function 431 Audit log collector function 432 Policy determination function (abnormal access detection means)
433 Alert function 439 Audit log database 541 User name 542 Address 543 Access pattern list 544 Statement information 545 Time interval information

Claims (5)

An information leakage monitoring system that suppresses information leakage of a database that stores secret information,
An access plan registration means for generating registered access plan information in response to a request for registration of access plan information for a specific user with respect to the database;
An access plan approval means for generating an approved access plan information in response to an approval request for the registered access plan information;
Security policy generation means for generating security policy information of the database from the approved access plan information;
Means for accumulating and storing actual access information for the database in an audit log database;
An abnormal access detecting means for detecting abnormal access from the actual access information stored in the audit log database with reference to the security policy information ;
The access plan approval unit has an access risk allowable value input unit that receives an input of an access risk allowable value related to the access plan information,
The security policy information includes the access risk tolerance,
The abnormal access detecting means calculates an access risk value from the actual access information, and detects the abnormal access when the access risk value exceeds the access risk allowable value . In the information leakage monitoring system according to claim 1,
The information leakage monitoring system further comprising: an abnormal access notification means for notifying a designated person in advance when the abnormal access is detected. In the information leakage monitoring system according to claim 1 or 2 ,
The information leakage monitoring system, wherein the security policy information includes only the allowable access risk value. In the information leakage monitoring system according to any one of claims 1 to 3 ,
In the calculation of the access risk value, the abnormal access detection means weights the degree of confidentiality as a risk index for information including at least one of an SQL statement statement, a command type, and an object to be accessed. An information leakage monitoring system characterized by using. An information leakage monitoring method for suppressing information leakage of a database for storing secret information,
Information leakage monitoring system
Receiving an access plan information registration request for the database and generating registered access plan information ; and
An access plan approval step for generating an approved access plan information in response to an approval request for the registered access plan information ;
A security policy generation step of generating security policy information of the database from the approved access plan information ;
A storage step of accumulating and storing actual access information for the database in an audit log database ;
An abnormal access detection step of detecting abnormal access from the actual access information stored in the audit log database with reference to the security policy information ;
Carried out
The access plan approval step accepts an input of an access risk allowable value related to the access plan information,
The security policy information includes the access risk tolerance,
The abnormal access detection step calculates an access risk value from the actual access information, and detects the abnormal access when the access risk value exceeds the access risk allowable value .

Images