JP5668255B2 - Operation monitoring system and operation monitoring program - Google Patents

Description

  The present invention relates to a technique for monitoring operation statuses at a plurality of terminals connected to a communication network, and more particularly to a technique for monitoring operations at terminals belonging to a set.

  With the recent development of information processing devices, the number of information processing devices such as computers used in the workplace has increased. Originally, such an information processing device is intended to improve business efficiency. However, on the other hand, there are problems of unauthorized operations such as private use of information processing equipment during business hours.

  In order to solve such problems, various techniques for monitoring the operation of computers connected via a network have been studied. For example, when detecting that a specific event has occurred, a system audit that detects an unauthorized event by comparing a sequence of events that occurred before and after the event and a sequence of events such as preset unauthorized operations An apparatus has been proposed (see Patent Document 1).

  In this technique, an unauthorized operation can be detected by comparing a sequence of operations in a computer with a predetermined sequence of operations. That is, by grasping the operation in the computer as a flow, it is possible to perform a more accurate determination than the determination of an unauthorized operation based on each operation.

Japanese Patent Laying-Open No. 2005-222216 (paragraph numbers 0006 and 0008)

  However, in the technique of Patent Document 1, a predetermined event sequence must be set in advance. In addition, the event series related to illegal operations is not uniform, and may vary depending on the business contents of the computer operator, the department to which the computer operator belongs, and the like. In order to cope with such a case, it is necessary to take measures such as setting a large number of event sequences in accordance with the business and situation, which causes a problem of increasing the burden on the administrator.

  In view of the above situation, an object of the present invention is to provide a technique for monitoring an operation on a terminal without setting the content of the operation to be monitored in advance.

In order to solve the above problems, a plurality of terminals connected to the operation monitoring system, a WEB page and application identification information relating to date and time information and the browsing operation of the browsing operation according to the browsing operation of the WEB page in the terminal, respectively and operation log information acquiring unit that acquires operation log information including the an operation time operation statistics for the WEB page that by the application according to Oite the browsing operation from the operation log information of the one said terminal to the terminal the operation object information indicating the date and time information and another WEB page by the application according to the browsing operation performed after the browsing operation of the operation log information according to the viewing operation on the WEB page by application according to the browsing operation and the date and time information of the operation log information related to the browsing operation against, Based on a comparison result between the operation target information generation unit that generates the time difference, the operation target information of one terminal, and the operation target information of a plurality of terminals that belong to a predetermined set, the uniqueness of the one terminal with respect to the set A unique operation determination unit that determines the operation target information as the specific operation target information.

  In this configuration, the operation target information of one terminal is compared with the operation target information of terminals belonging to a predetermined set, and based on the comparison result, the operation target information of one terminal is unique to the set. It is determined whether or not there is.

In one preferred embodiment of the operation monitoring system according to the present invention, when the set includes the one terminal and there are a plurality of the sets having the one terminal, the specific operation determination unit includes: For each set, specific operation target is generated by generating set operation target information based on operation target information of a plurality of terminals belonging to the set, and comparing the set operation target information with the operation target information of the one terminal The information is determined, and the union of the specific operation target information, which is the determination result for each set, is set as new specific operation target information, and the specificity added to the new specific operation target information is unique over a plurality of sets. The degree of being determined to be present is calculated, and the specific operation target information is determined based on the specificity .

  In this configuration, since the specificity indicating the degree of specificity of the operation target information to be determined is calculated and the specific operation target information is determined based on the specificity, the specific operation target information can be determined more accurately. Can do.

Further, in this configuration, information representing operation statistics for all terminals belonging to the set is generated, and the information is compared with the operation target information of one terminal, thereby enabling efficient information processing.

  In addition, since a set to which a terminal belongs has a variety of positions and work contents depending on a person (user) who uses the terminal, it is possible to create a set in consideration of various aspects. Therefore, each terminal may belong to a plurality of sets. In such a case, the operation target information of one terminal may be determined to be unique in a certain set, but may be determined not to be unique in another set.

Even in the case described above, this configuration can execute accurate processing .
Further, as a preferred embodiment of the operation monitoring system according to the present invention, the operation log information acquired by the operation log information acquisition unit includes operation targets related to various operations including a browsing operation of a WEB page in each of the terminals and the operation. The operation object information including operation date and time information, the application identification information related to the operation, and the active state of the application, and the operation object information generation unit represents operation statistics that are operation times for the WEB page as the operation object. The date and time information of the operation log information indicating that an application related to an operation on a WEB page has become active, and the operation log information having an operation content for switching to another application next after the date and time information. It is generated as the time difference between the date and time information.

  Moreover, in one of the suitable embodiment of the operation monitoring system in this invention, it is provided with the display part which displays the said operation target information of the said terminal, and the said display part is the said specific operation target information and other operation target information. Are displayed in an identifiable manner.

  In this configuration, since the specific operation target information and the other operation target information are displayed so as to be identifiable, the administrator can easily visually recognize the specific operation target information.

  One of the further purposes of the operation monitoring system as described above is to detect a terminal that is performing a suspicious operation. For this reason, in a preferred embodiment of the operation monitoring system of the present invention, a suspicious terminal determination unit that determines whether or not the terminal is performing a suspicious operation based on the specific operation target information is provided.

  In this configuration, since it can be determined whether or not the terminal is performing a suspicious operation based on the specific operation target information, it is possible to detect a terminal performing a suspicious operation without defining a suspicious operation in advance. it can.

The technical features of the operation monitoring system according to the present invention described above can also be applied to similar operation monitoring programs. For example, in the operation monitoring program for the operation monitoring system and a plurality of terminals and a server are connected, according to the date and time information and the browsing operation of the WEB page and the browsing operation according to the browsing operation of the WEB page in the terminal each application and operation log information acquiring function of acquiring an operation log information including the identification information is the operation time for the WEB page that by the application according to Oite the browsing operation from the operation log information of the one said terminal to the terminal the operation object information representing an operation statistics, another by the date and time information and applications according to the browsing operation performed after the browsing operation of the operation log information according to the viewing operation on the WEB page by application according to the browsing operation the operation log information relating to the browsing operation against the WEB page Based on the comparison result of the operation target information generation function generated as a time difference between the date and time information of the terminal, the operation target information of the one terminal, and the operation target information of a plurality of terminals belonging to a predetermined set. A specific operation determination function for determining the specific operation target information of the one terminal as the specific operation target information is realized in a computer. Naturally, such an operation monitoring program can also obtain the effects described in the above-described operation monitoring system, and can further incorporate the above-described additional technology.

1 is a system configuration diagram of an operation monitoring system according to the present invention. It is a functional block diagram in 1st Embodiment of the operation monitoring system by this invention. It is a flowchart showing the flow of the production | generation process of the operation target information of the operation monitoring system by this invention. It is a flowchart showing the flow of the extraction process of the specific operation target information of the operation monitoring system by this invention. It is an example of the operation target information in the embodiment of the operation monitoring system according to the present invention. It is an example of collective operation object information in embodiment of the operation monitoring system by this invention. It is a flowchart showing the flow of the whole process of the operation monitoring system by this invention. It is an example of a display in 1st Embodiment of the operation monitoring system by this invention. It is a functional block diagram in 2nd Embodiment of the operation monitoring system by this invention. It is a flowchart showing the flow of the whole process in 2nd Embodiment of the operation monitoring system by this invention. It is an example of a display in 2nd Embodiment of the operation monitoring system by this invention. It is a flowchart showing the flow of the determination process of the specific operation target information in 3rd Embodiment of the operation monitoring system by this invention. It is an example of the specific operation object information for every set in 3rd Embodiment of the operation monitoring system by this invention. It is an example of the integrated specific operation target information in 3rd Embodiment of the operation monitoring system by this invention. It is an example of the table which prescribed | regulated the specificity in embodiment of the operation monitoring system by this invention. It is an example of collective operation object information in 3rd Embodiment of the operation monitoring system by this invention. It is an example of the table which prescribed | regulated the operation level value in another embodiment of the operation monitoring system by this invention.

[First Embodiment]
〔System configuration〕
Hereinafter, a first embodiment of the present invention will be described with reference to the drawings. The operation monitoring system of the present invention in the present embodiment is configured by connecting a server S, which is a general-purpose computer, and a terminal C, which is a general-purpose computer, via a network N, as shown in FIG. Each of the server S and the terminal C includes displays 2 and 5 and input devices 3 and 6 (keyboards 3a and 6a, pointing devices 3b and 6b, etc.). A pointing device is an input device that specifies an input position and coordinates on the screen, and a mouse, joystick, touch pad, touch panel, trackball, or the like can be used, but is not limited thereto. .

  FIG. 2 shows a functional block diagram of the server S and terminal C constituting the operation monitoring system of the present invention. The terminal C includes an operation log information generation unit 11 that generates operation information indicating the operation content and operation target related to the operation on the terminal and transmits the operation information to the server S via the network I / F 10.

  The server S acquires the operation log information transmitted from the terminal C via the network I / F 20, and stores the operation log information acquisition unit 31 and the operation log information acquisition unit 31 that store the operation log information in the operation log information storage unit 24. An operation object information generating unit 32 that generates operation object information representing operation statistics for each operation object in each terminal C from log information, operation object information of one terminal C, operation object information of a terminal C belonging to a predetermined set, and Based on the comparison result, a specific operation determination unit 33 that determines specific operation target information of one terminal for this set as specific operation target information, a control unit 34 that performs control based on the specific operation target information, and a display 2 A GUI unit 21 that performs output control and input control from the input devices 3a and 3b is provided.

  The server S also includes an information management unit 25 that manages various types of information. The information management unit 25 further includes at least terminal identification information (described later) of the terminal C and user identification information of a user who uses the terminal C. A terminal information management unit 22 for managing the user identification information (described later) and a user information management unit 23 for managing the user identification information and the department to which the user belongs. In the present embodiment, various processes are executed using information managed by the terminal information management unit 22 and the user information management unit 23. Of course, the information management unit 25 manages the processes according to the necessary processes. The type and form of information to be changed can be changed as appropriate.

  Usually, the operation log information generation unit 11, the operation log information acquisition unit 31, the operation target information generation unit 32, the specific operation determination unit 33, and the control unit 34 have hardware (programs, modules, etc.) for executing the processing. The processing is executed by being read, but these may be configured in combination with hardware, or may be configured only by hardware combined with logic or the like.

  In each terminal C, various operations are performed on the terminal C by the user operating the keyboard 6a, the pointing device 6b, and the like, and the operation log information generation unit 11 responds to the operation by the operation log information generation unit 11. Operation log information including information indicating (operation content) and an operation target (operation target) is generated and transmitted from the network I / F 10 to the server S via the network N.

  The operation log information in this embodiment includes operation details, operation targets, terminal identification information that can uniquely identify the terminal C on which the operation was performed, and date / time information indicating the date and time when the operation was performed on the terminal C. . That is, each operation log information is composed of a set of (operation content, operation target, terminal identification information, date and time information), but is not limited to this, and the items are limited or added as necessary. be able to. The operation contents include an instruction operation from the input device 6 by the user (user), an application start / end operation, an application active / inactive switching operation, and an application control instruction (API (Application Program Interface) from the application to the OS). ), Middleware operation, network driver transmission / reception operation, information on the operation of the terminal C such as screen control by the window manager, and information on the operation of the keyboard 6a and the pointing device 6b. As the operation target, application target information such as application identification information, file identification information, URL (Uniform Resource Locator), external storage medium identification information, server identification information, and the like can be used. Further, as the application identification information, information that can uniquely identify the application such as a numerical value or an application name assigned exclusively for each application can be used. As the file identification information, information that can uniquely identify a file such as a numerical value or a file name (including a path) allocated exclusively for each file can be used. Further, the operation log information may include accompanying information such as the operation content and the window position and size associated with the operation target, the cursor position of the pointing device 6b, the display coordinate information of the display object, and the active state. The external storage medium includes not only a semiconductor memory such as a USB memory, but also an optical disk, a magneto-optical disk, a magnetic disk, etc., and any storage medium or storage device that is connected to a computer terminal and stores data. It may be a thing.

  In the present embodiment, the terminal name of the terminal C is used as the terminal identification information. However, the present invention is not limited to this, and the IP address of the terminal C, the MAC address, a numerical value allocated exclusively for each terminal, etc. Information that can uniquely identify the terminal C can be used. The date / time information uses a character string representing year / month / day / hour / minute / second. However, the present invention is not limited to this, and a numerical value indicating an elapsed time from a specific date / time (for example, midnight on January 1, 1970). For example, information that can specify the date and time can be used. Further, the operation log information may include user identification information that can identify a user who operates the terminal C. As this user identification information, a user name that can be specified based on a user's login operation at the terminal C, a numerical value allocated exclusively for each user, or the like can be used.

  In the present embodiment, the operation to be monitored is browsing a WEB page, and the operation target is a WEB page. There are a method of detecting operation log information to be determined using a content of operation included in operation log information, a method of using operation target of operation log information, and the like.

  In the method using the operation content of the operation log information, operation log information including an operation for browsing a WEB page is detected as operation log information to be determined. Specifically, the operation contents include a WEB page acquisition operation (such as a link click operation) by a link operation in the WEB browser, a WEB page acquisition operation (such as a direct input using the keyboard 6a) by inputting a URL, and network communication from the WEB browser. This includes a function call to the socket API, execution of a WEB page acquisition request by OS network software (specifically, network driver software, etc.), acquisition of a WEB page by a WEB browser and completion of drawing. Information on the WEB page (that is, URL) is included in the operation target in the operation log information including these operation contents.

  In the method using the operation target of the operation log information, the operation log information including the WEB page as the operation target is detected as the operation log information to be determined. When this method is used, it is preferable that application information (application name or the like) such as a WEB browser is included in the operation target or accompanying information.

  In this embodiment, the operation log information generation part 11 shall generate operation log information, when operation (monitoring a WEB page) used as monitoring object is performed. Of course, operation log information related to other operations may be generated, or an operation log may be generated at other timing, for example, at regular time intervals. Further, in this embodiment, the operation log information generation unit 11 is configured to transmit the operation log information to the server S every time the operation log information is generated. The operation information can be changed as appropriate, such as temporarily storing the operation information and transmitting it after a predetermined time.

  The operation log information acquisition unit 31 acquires the operation log information transmitted from each terminal C as described above, and stores the operation log information in the operation log information recording unit 24 including a hard disk and the stored operation log information. To perform a search based on an arbitrary extraction condition.

  The operation target information generation unit 32 acquires the operation log information of each terminal C via the operation log information acquisition unit 31, and generates operation target information representing operation statistics for each operation target of the acquired operation log information. The operation statistics in the present invention indicate the operation status of the operation target, and are calculated based on the operation frequency, operation time, and the like. The operation target information includes an operation target and operation statistics in association with each other. The details of the operation target information generation method will be described later.

  The unique operation determination unit 33 includes the operation target information of the terminal C to be monitored (hereinafter referred to as a specific terminal) and the operation target information of the terminal C belonging to a set to which the specific terminal belongs (hereinafter referred to as a specific set). Based on the comparison result, the specific operation target information of the specific terminal in the specific set (hereinafter referred to as specific operation target information) is determined. The peculiarity in this embodiment is a state in which the operation statistics for the operation target of the operation target information in the specific terminal are significantly different from the operation statistics for the operation target of the operation target information in the specific set. In this embodiment, the case where the specific terminal belongs to the specific set is described, but the specific terminal does not necessarily need to belong to the specific set. Details of the method for determining the specific operation target information will be described later.

  It is preferable to perform operation determination by acquiring operation log information in the same period of the specific terminal and the terminals included in the specific set. In this way, it is possible to more accurately grasp the operation target performing a specific operation during the period.

  The control unit 34 performs predetermined control based on the result determined as the specific operation target information by the specific operation determination unit 33. In the present embodiment, the control unit 34 displays a list of operation target information for each terminal C, and displays the specific operation target information and other operation target information so as to be identifiable. Thereby, the control part 34 comprises the display part in this invention.

[Method for generating operation target information]
FIG. 3 is a flowchart showing the flow of operation target information generation processing in the present embodiment. The following processing is processing in the operation target information generation unit 32 unless otherwise specified.

  First, one operation log information is acquired through the operation log information acquisition unit 31 (# 01). At this time, a specific period may be set, and operation log information having date and time information within the specific period may be extracted. The specific period is an arbitrary period, and can be set as necessary, such as one day or business hours.

  The terminal identification information, the operation target, and the operation content are extracted from the acquired operation log information (# 02).

  As described above, in the present embodiment, the operation is browsing the WEB page, and the operation target extracted from the operation log information is a URL. In this embodiment, based on a technical standard such as RFC (Request For Comments), a domain name is extracted from the URL (# 03), and operation target information is generated with the domain name as an operation target. In the above description, the operation target information is generated with the domain name as the operation target. However, the operation target information may be generated with the URL as the operation target. Further, the URL may be extracted by dividing it into a predetermined range and length, and any method may be used as long as the purpose is to classify and distinguish the operation objects.

  On the other hand, operation statistics are obtained from the extracted operation log information (# 04). In the present embodiment, the number of browsing is used as the operation statistics. That is, the operation target information in the present embodiment is information consisting of a set of (terminal identification information, domain name, browsing count), and each time operation log information is acquired, terminal identification information corresponding to the operation log information The number of browsing of the operation target information having the domain name is incremented (# 05).

Next, the presence / absence of unprocessed operation log information is checked (# 06). If unprocessed operation log information exists (Yes branch of # 06), the process proceeds to # 01, and the above-described process Is repeated. On the other hand, when there is no unprocessed operation log information (No branch of # 06), the operation target information generation process ends.

  The operation statistics can also be the number of browsing times per unit time. In this case, after the processing of all operation log information is completed, the elapsed time is calculated from the date and time information of the oldest operation log information and the latest operation log information for each terminal C, and each operation target information is browsed. By dividing the number of times by the calculated elapsed time, it is converted into the number of browsing times per unit time. In addition, the number of browsing times in the most recent time (for example, 1 hour, 1 day, 1 week, etc.) may be used.

  Moreover, operation time can also be used as operation statistics. In the present embodiment, the operation time is (1) the time when one WEB page is displayed on the WEB browser, (2) one WEB page is displayed on the WEB browser, and the WEB browser is activated. (3) time calculated by the time over which the cursor of the pointing device 6b is superimposed on the WEB browser, and (4) time calculated from the number of operations on the WEB browser, but not limited thereto. Any method may be used as long as it is a means capable of determining the time during which the WEB browser is operated. The calculation method of the operation time using each method is as follows.

  (1) In order to calculate the time during which the WEB page is displayed on the WEB browser, first, after the date / time information of the operation log information including the operation content indicating that one WEB page is accessed, and the date / time information, Date and time information of operation log information including operation contents indicating that the next different WEB page is accessed is extracted. Then, the difference between the extracted times is obtained, and the calculated time can be set as the time (operation time) when the one WEB page is accessed.

  (2) To calculate the time during which the browser displaying one WEB page is active, first, an operation content indicating that the WEB browser displaying one WEB page is activated is displayed. The date and time information of the operation log information to be included, and the date and time information of the operation log information having the operation contents for switching the other application to active next are extracted after the date and time information. Then, the difference between the extracted times is obtained, and the calculated time can be set as the time (operation time) in which the browser displaying the one WEB page is active. Further, after that, when operation log information is acquired in which the browser displaying the one WEB page is actively switched, the calculation method similar to the above is repeated, and the newly calculated display is performed at the already calculated display time. Add time.

  (3) In order to calculate the time when the cursor of the pointing device 6b is superimposed on the WEB browser, first, display coordinate information and date / time of operation log information including operation contents indicating that one WEB page is accessed Extract information. Further, the coordinate position information and date / time information of the operation log information indicating the operation of the pointing device is extracted. Then, the extracted coordinate information of both is compared, and the date and time information at the time when it is determined that the two are superimposed is specified. There is a method in which the time calculated from the specified date and time information is used as the time when the pointing device is superimposed on the WEB browser. When this method is used, display coordinate information of a display object displayed on the operation screen and coordinate position information of the pointing device 6b are also acquired as operation log information. Here, the display object refers to an icon displayed on the terminal C, an application window, or the like, and the display coordinate information refers to the display position and shape of the display object on the screen and display hierarchy information indicating the front / rear surface. It is information to include.

  (4) In order to calculate the time calculated from the number of operations for the WEB browser, the number of operation log information for the WEB browser is acquired, and the number and a predetermined time (for example, 1 minute, 5 minutes, 10 minutes, etc.) ) Can be regarded as a time during which the WEB browser is operated (operation time). Furthermore, it is preferable to calculate the operation time of the WEB browser according to the operation content by changing the predetermined time for each type of operation content included in the operation log information.

  As described above, by using the operation time as the operation statistics, it is possible to more accurately grasp the user's operation that is difficult to grasp based on the number of browsing times, and thus it is possible to improve the accuracy of the operation target information. .

  Furthermore, the display area of the WEB browser displaying one WEB page can be used as the operation statistics. The display area here is an area of a portion of the WEB browser window that is not hidden by other windows. When calculating the display area of the WEB browser, it is necessary to include display coordinate information of a display object displayed on the operation screen in the operation log information. At this time, the display coordinate information is required not only for the operation log information indicating the operation for the WEB browser, but also for the operation log information regarding other applications and files. Keep it.

  In order to calculate the display area of the WEB browser, first, display coordinate information is extracted from the operation log information at the time of accessing one WEB page, and the display coordinate information of the WEB browser (window window) included in the display coordinate information is extracted. The display area of the window of the WEB browser is obtained from the coordinates of the upper left corner and the lower right corner. Then, using the display coordinate information and the display hierarchy information of the WEB browser window from the acquired display coordinate information, the WEB browser window displaying one WEB page and the window of the other application are superimposed. Determine if there is any. At this time, if there is an overlapping window, the area of the overlapping part of the window and the window of the WEB browser is calculated, and is actually displayed by subtracting the area of the overlapping part from the display area of the WEB browser. The display area can be calculated. Based on the above processing, the display area of the WEB browser displayed on the operation screen is calculated by determining the area of each window and its superposition relationship from the operation log information.

  In this way, by using the display area as operation statistics, it is possible to grasp the display form on the operation screen of the terminal that is difficult to grasp based on the number of browsing times and operation time, so the accuracy of operation target information is improved Can be made. Further, the operation statistics may be calculated by combining the respective methods.

[Judgment method of specific operation target information]
FIG. 4 is a flowchart showing a process flow of the method for determining a specific operation in the present embodiment. Note that, unless otherwise specified, the subject of this processing is the singular operation determination unit 33.

  First, a specific terminal to be determined for a specific operation is specified (# 11). In this embodiment, a list of terminals C is displayed on the display 2, and the administrator designates a specific terminal by designating one terminal C using the pointing device 3b or the like. In this embodiment, the terminal identification information of all the terminals C is acquired from the terminal information management unit 22 and the list of the terminals C is generated. However, the present invention is not limited to this, and the operation log information Other configurations, such as generation based on the terminal identification information included in, may be used.

  Next, the specific set to which the specific terminal belongs is specified (# 12). In the present embodiment, the specific set is configured by a terminal C used by a user in the same department as the department of the user who uses the specific terminal. Therefore, in this embodiment, the user identification information is acquired from the terminal information management unit 22 using the terminal identification information of the specific terminal as a key, and the department to which the user belongs is acquired from the user information management unit 23 using the acquired user identification information as a key. A user identification information group belonging to the same department as the department to which the user belongs is acquired, and a terminal C group associated with the user identification information is further acquired from the terminal information management unit 22, and a specific set is formed therefrom. In the above description, the user information and the terminal information are used to identify the specific set to which the specific terminal belongs. However, by managing the terminal identification information and the department to which the terminal C belongs in association with the terminal, The specific set may be specified by using another method such as specifying the specific set only by information.

  The specific set is not limited to the above, but includes all terminals C connected to the network N, terminals C having a terminal environment (hardware configuration, software configuration, etc.) similar to the specific terminals. It doesn't matter.

  A method of grouping terminals having a terminal environment similar to a specific terminal is as follows. First, in the terminal information management unit 22, the terminal C connected in the network, the software information installed in the terminal C, and the information Information on external devices connected to the terminal C and asset information such as hardware specifications of the terminal C itself are stored in association with each other. Next, the unique operation determination unit 33 extracts terminal identification information having a similar terminal environment from the information stored in the terminal information management unit 22, and configures a specific set using the terminal identification information. .

  In addition, in order to determine whether or not the terminal environment is similar, for example, a terminal C having a terminal environment similar to the specific terminal is selected as a terminal C whose installed software information matches a specific terminal by a predetermined ratio or more. It is possible to use a method of grouping as follows. In addition, when the external devices used are the same, or the terminal C in which the hardware information and the specification information of the terminal C are the same or match at a predetermined ratio or more can be determined as a similar terminal environment. The use of such a determination condition is preferable because a terminal having a specification such as software or hardware similar to that of a specific terminal is also considered to have a similar use application. Similarly, the specific set may be configured using information such as whether the setting contents of hardware and software are similar. Note that the method for determining a similar terminal environment is not limited to the above-described method, and other methods may be used as long as the similarity of the terminal state and configuration can be determined.

  As described above, the specific set can be determined not only statically based on predetermined user identification information but also dynamically determined depending on how the actual terminal is used. As a result, it is not necessary to predetermine groups such as departments, and a specific set can be automatically configured according to the contents of work actually performed. For example, the specific set can be configured from dynamically changing conditions such as the startup time of the terminal and the startup time of the application. As a result, terminals that use the same time zone can be configured as a specific set, and a specific set can be configured due to a difference in work system.

  When the specific set is specified, the operation target information of the terminal C belonging to the specific set is acquired from the operation target information generation unit 32 (# 13), and the set operation target information representing the operation statistics in the specific set based on them is the operation target. It is generated every time (# 14). The operation statistic in the specific set indicates the tendency of the operation on the operation target of the terminal C belonging to the specific set.

  In this embodiment, operation statistics in a specific set are calculated based on an average value and a standard deviation calculated from operation statistics of each operation target information. For example, when the operation target information illustrated in FIG. 5 is acquired from the operation target information generation unit 32, the operation targets are “domain A”, “domain B”, “domain C”, “domain D”, and “domain”. E ”and the operation target information (terminal identification information, WEB page, operation statistics) related to“ domain A ”is two (PC0001, domain A, 5) and (PC0002, domain A, 1). Therefore, the operation statistics of the collective operation target information relating to “domain A” are calculated as an average value and a standard deviation value from 5, 1, 0 and 0, which are the operation statistics of the respective operation target information, and the collective operation target information ( Domain A, 1.5, 2.38) is obtained. Operation statistics for other domains are similarly obtained, and set operation target information shown in FIG. 6 is generated. Note that the set operation target information may be generated by excluding the operation target information of the specific terminal. In this case, collective operation target information excluding the influence of the specific terminal can be generated, which is preferable.

  Next, the operation target information of the specific terminal is compared with the set operation target information for the same operation target among the set operation target information generated by the above processing, and whether the operation target information is unique in the specific set. It is determined whether or not the operation target information determined to be unique is extracted as the specific operation target information (# 15).

  As a method of determining whether or not it is peculiar, (1) determination by comparing the operation statistics of the operation target information with an average value for the operation statistics of the set operation target information, and (2) operation statistics of the operation target information and the set operation Determination by comparison with standard deviation value for operation statistics of target information, (3) Determination by presence / absence of operation on operation target, (4) Determination by using rank based on operation statistics of set operation target information, (5) Operation target of specific terminal It is possible to use a determination by comparing the ranking of the operation statistics of the information and the ranking of the operation statistics of the set operation target information, but by comparing and comparing the operation target information of the specific terminal and the set operation target information, Various methods can be used as long as the purpose of determining whether the operation status of the operation target is unique is achieved. Furthermore, it is preferable to perform the determination by combining a plurality of methods because the accuracy of the determination can be improved.

[Unique operation target information determination method 1]
A determination method by comparing the operation statistics of the operation target information with the average value for the operation statistics of the set operation target information will be described. For example, the specific terminal is assumed to be PC0001. At this time, referring to FIG. 5, the operation target information of the specific terminal “PC0001” is for “Domain A”, “Domain B”, and “Domain D”. When determining whether or not the operation target information for the domain A (PC0001, domain A, 5) is unique, it is compared with the set operation target information for the domain A (domain A, 1.5, 2.38). Is done. That is, the operation statistics “5” of the operation target information of the specific terminal is compared with the average value “1.5” of the set operation target information, and the operation statistics of the operation target information of the specific terminal are When the average value is greater than the predetermined value TH1, the operation target information is determined to be unique. For example, when TH1 is set to 2, since 5> 1.5 + 2, the operation target information (PC0001, domain A, 5) is determined to be unique. Note that the determination criterion may be a case where it is smaller than a predetermined value. Of course, it is also possible to determine that a case not included in the range of ± 2 is unique.

[Judgment method 2 of unique operation target information]
A determination method by comparing the operation statistics of the operation target information with the standard deviation values for the operation statistics of the collective operation target information will be described. In this case, the operation statistics “5” of the operation target information of the specific terminal and the standard deviation “2.38” of the collective operation target information are compared. For example, it is assumed that the distribution of operation statistics of the operation target information of the terminal C belonging to the specific set follows a normal distribution N (μ, σ) defined by the average value μ and the standard deviation σ of the set operation target information. operation when operating statistics object information is not less than mu + sigma and mu + 2 [sigma], and determines the operation target information to be singular. At this time, if the determination criterion is μ + σ, then 5> 1.5 + 2.38, and the operation target information (PC0001, domain A, 5) is determined to be unique, and if the determination criterion is μ + 2σ, 5 <1.5 + 2 It is determined that the operation target information is not unique. Here, the determination criteria are μ + σ and μ + 2σ or more. However, the present invention is not limited to this. For example, determination criteria μ−σ and μ−2σ or less may be determined to be unique.

[Unique operation target information determination method 3]
The determination based on whether or not the operation target is operated will be described. In the example of FIG. 5, the specific set is configured by four PC0001 to PC0004, and among these, the terminal C browsing “Domain A” is PC0001 and PC0002. That is, the browsing rate in a specific set of terminals C browsing “domain A” is 50%. Here, when the predetermined value TH2 is 75%, the browsing rate in the specific set (50%) <the predetermined value TH3 (75%), and it can be determined that this operation target is unique.

[Determination method 4 for specific operation target information]
The determination using the rank based on the operation statistics of the set operation target information will be described. The operation statistics of the operation target in the specific set are 6 for “Domain A”, 93 for “Domain B”, 30 for “Domain C”, 1 for “Domain D”, 16 for “Domain E”. “Domain B”, “Domain C”, “Domain E”, “Domain A”, “Domain D”. At this time, if the predetermined value TH4 is second and the operation target included in the second or higher position is not unique, the operation target “domain A” of the specific terminal is second, so it is determined that it is not unique. Here, the set operation target information is arranged in descending order of the operation statistics. However, the present invention is not limited to this, and the arrangement operation order information may be arranged in ascending order and determined to be more than a predetermined value (above a predetermined order) as unique. I do not care. Furthermore, a predetermined value may be provided with an upper limit value (upper limit order) and a lower limit value (lower limit order), and an operation target outside that range may be determined to be unique.

[Unique operation target information determination method 5]
A description will be given of a determination method based on a comparison between the operation statistics rank of the operation target information of the specific terminal and the operation statistics rank of the set operation target information. This determination method includes the order of the operation target information to be determined when the operation target information of the specific terminal is arranged in descending order of the operation statistics, and the monitoring when the set operation target information in the specific set is arranged in the descending order of the operation statistics. This is a method of comparing the order of target operation target information and determining whether or not it is peculiar from the difference in the order. For example, when the operation target information is arranged in descending order of operation statistics in the specific terminal “PC0001”, the operation target “domain A” is ranked second. On the other hand, when the set operation target information is arranged in descending order of the operation statistics in the specific set, the operation target “domain A” ranks fourth. Therefore, the difference in rank is 2. At this time, if the predetermined value TH5 is 3, the difference in rank (2) <predetermined value TH5 (3), and it is determined that it is not unique.

  Furthermore, the determination may be made by combining the respective determination methods. For example, the result of determination method 1 is unique, the result of determination method 2 is not unique, the result of determination method 3 is unique, the result of determination method 4 is not unique, and the result of determination method 5 is not unique. Then, it is determined to be unique in the two determination methods. At this time, for example, if the determination criterion to be unique is 3, since 2 <3, it is determined that the operation target is not unique in the final determination result. Further, the determination may be made by weighting each determination result.

  In the above description, the determination result in each determination method is “unique” or “non-singular”, but is not limited to this, and the value calculated by each determination method is expressed as the degree of peculiarity. It is also possible to use it as a value (specificity) to indicate, for example, a probability function in a normal distribution that substitutes the difference between the operation statistics of the operation target information to be determined and the average value of the set operation target information into a predetermined function. Specificity can be calculated by substitution or the like. It is also possible to determine whether or not it is peculiar by summing up the values indicating the degree of peculiarity output from each determination method and obtaining a sum value, an average value, or an output value by a function.

  Also, the specificity can be obtained from the difference from the average value of the set operation target information. In this case, the difference with the average value of the set operation target information and the specificity are set in association with each other (FIG. 15), and the specificity corresponding to the difference with the average value can be acquired. Furthermore, by dividing the range into a predetermined value range, and setting the association between the difference between the average value of the set operation target information and the specificity for each value range, setting the specificity association according to the average value A configuration may be adopted in which an appropriate specificity is acquired.

  In this embodiment, the specific operation extraction unit 23 is configured to determine the specific operation target information after generating the collective operation target information. However, the present invention is not limited to this, and the operation target information of the specific terminal is not limited thereto. And the operation target information of the terminal C belonging to the specific set may be compared, and the specific operation target information may be determined based on the comparison result. In this case, the determination can be performed by appropriately responding to the above-described determination method.

[Flow of overall processing]
Next, the overall processing flow in the present embodiment will be described with reference to the flowchart of FIG. First, when the administrator operates the input device 3 of the server S and instructs the server S to start operation monitoring, the following processing is started.

  In the server S instructed to start operation monitoring, the operation target information generation unit 32 generates operation target information for each terminal C (# 21). It should be noted that the generation of the operation target information is not generated from the initial state when the operation monitoring start is instructed, but is generated at a predetermined timing or updated every time operation log information is generated. This is preferable because the operation target information can be efficiently generated. The administrator can also specify a period for generating operation target information together with an instruction to start operation monitoring. In this case, operation target information is generated using operation log information having date and time information included in the specified period.

  Further, the control unit 34 acquires a list of terminals C connected to the network N from the terminal information management unit 22 and displays a list of terminals C on the display 2 (# 22). For this list display, various display modes such as a list display of terminal names and an icon display with terminal names can be used.

  When the administrator designates a specific terminal to be monitored using the pointing device 3b or the like, the specific operation target information in the specific terminal is determined (# 23). At this time, information that can be determined to be the specific operation target information is added to information determined as the specific operation target information among the operation target information of the specific terminal, and is sent to the control unit 34. The information that can be identified as the specific operation target information is realized by, for example, providing a flag area in the operation target information and setting 1 if it is the specific operation target information, and setting 0 otherwise. can do. Therefore, the operation target information in this embodiment is composed of a set of (terminal identification information, operation target, operation statistics, singular flag). Of course, you may identify using another method.

  The control unit 34 that has acquired the operation target information of the specific terminal displays the operation target information in a list so that the specific operation target information and the other operation target information can be identified (# 24).

  For example, in the example of FIG. 5 and FIG. 6, if the specific terminal is “PC0001” and the criterion for the specific operation target information is μ + σ in the normal distribution N (μ, σ), the operation target information (PC0001, domain A, 5 ) Is determined as the specific operation target information. At this time, the control unit 34 displays a list as shown in FIG. In this display example, the operation targets and operation statistics of the operation target information of the specific terminal are displayed in a list in descending order of the operation statistics. At this time, the domain name of the specific operation target information is displayed in reverse so that the specific operation target information and other operation target information can be identified. Of course, the display mode is not limited to this, and other display modes are used as long as the object of the present invention is achieved, such as different display colors of the specific operation target information and the other operation target information. It doesn't matter.

  Further, the control by the control unit 34 is not limited to the above-described list display, but specific operation target information that transmits a message regarding the specific operation target information to the administrator or the user of the terminal C related to the specific operation target information. Various modes can be used, such as displaying and printing reports on

  In the present embodiment, the administrator designates a specific terminal and determines the specific operation target information in the specified specific terminal. However, all the terminals C are sequentially specified terminals, and the specific operation target for each terminal C is used. A configuration for determining information may be used.

[Second Embodiment]
Next, a second embodiment of the operation monitoring system of the present invention will be described with reference to the drawings. FIG. 9 is a functional block diagram of the server S and the terminal C constituting the operation monitoring system in this embodiment, and the same reference numerals are given to the same functional units as those in the first embodiment.

  The operation monitoring system according to the present embodiment includes a suspicious terminal determination unit 35 that determines whether or not a specific terminal is performing a suspicious operation based on the specific operation target information determined by the specific operation determination unit 33. However, this is different from the first embodiment. Moreover, although the control aspect of the control part 34 differs from 1st Embodiment, since other function parts are the same as that of 1st Embodiment, detailed description is abbreviate | omitted.

  Below, the determination method of the terminal (henceforth a suspicious terminal) which is performing suspicious operation in this embodiment is demonstrated. The determination of the suspicious terminal is not based on single specific operation target information but based on two or more specific operation target information. For example, (1) the number of specific operation target information of a specific terminal, (2) the ratio of the number of specific operation target information to the number of operation target information of the specific terminal, (3) the operation statistics of the specific operation target information of the specific terminal It is determined whether or not the specific terminal is performing a suspicious operation by comparing the sum total (hereinafter collectively referred to as a suspicious operation determination amount) or the like with a predetermined threshold. Note that other methods may be used as the suspicious terminal determination method as long as the object of the present invention is achieved.

[Suspicious terminal determination method 1]
In the method (1), first, the specific operation determination unit 33 transmits the specific operation target information determined to be a specific operation in the specific terminal to the suspicious terminal determination unit 35. The suspicious terminal determination unit 35 counts the acquired unique operation target information and sets the counted value as the suspicious operation determination amount. Then, the suspicious terminal determination unit 35 compares the suspicious operation determination amount with a predetermined value, and determines that the suspicious terminal is a suspicious terminal when the suspicious operation determination amount exceeds the predetermined value.

[Suspicious terminal determination method 2]
In the method (2), first, the specific operation determination unit 33 transmits the operation target information in the specific terminal and the specific operation target information determined to be a specific operation in the specific terminal to the suspicious terminal determination unit 35. . The suspicious terminal determination unit 35 counts the acquired operation target information and specific operation target information, calculates the ratio of the number of specific operation target information to the number of operation target information, and sets the calculated value as the suspicious operation determination amount. . Then, the suspicious terminal determination unit 35 compares the suspicious operation determination amount with a predetermined value, and determines that the suspicious terminal is a suspicious terminal when the suspicious operation determination amount exceeds the predetermined value.

[Suspicious terminal determination method 3]
In the method (3), first, the specific operation determination unit 33 transmits the specific operation target information determined to be a specific operation in the specific terminal to the suspicious terminal determination unit 35. The suspicious terminal determination unit 35 extracts operation statistics of the acquired specific operation target information. This extraction process is performed on all the specific operation target information, and all the extracted operation statistics are added together, and the added value is set as the suspicious operation determination amount. Then, the suspicious terminal determination unit 35 compares the acquired suspicious operation determination amount with a predetermined value, and determines that the suspicious terminal is a suspicious terminal when the suspicious operation determination amount exceeds the predetermined value.

  In the above methods (1) to (3), the suspicious operation determination amount is calculated by the specific operation determination unit 33 and transmitted to the suspicious terminal determination unit 35. The suspicious terminal determination unit 35 acquires the suspicious operation determination amount obtained. It is good also as a structure of determining a suspicious terminal based on this.

  The overall processing flow in this embodiment will be described below using the flowchart of FIG.

  First, the operation target information generation unit 31 generates operation target information by the above-described method (# 31). The unique operation determination unit 33 acquires the terminal identification information of all the terminals C from the terminal information management unit 22 (# 32), and selects one terminal C as a specific terminal from the terminal identification information (# 33).

  Next, the specific operation determination unit 33 determines the specific operation target information by the above-described method, and sends it to the suspicious terminal determination unit 35 (# 34).

  The suspicious terminal determination unit 35 that acquired the specific operation target information determines whether or not the specific terminal is a suspicious terminal by the above-described method, and sends the determination result to the control unit 34 (# 35).

It is determined whether or not there is a terminal C that is not selected as a specific terminal (# 36). If there is a terminal C that is not selected as a specific terminal (Yes branch of # 36), the process proceeds to # 33, Unselected terminal C is selected as the specific terminal, and the above-described processing is repeated.

  On the other hand, when all the terminals C are selected as specific terminals (No branch of # 36), the control unit 34 performs control for making the suspicious terminal perceived by an administrator or the like (# 37). For example, as shown in FIG. 11, a list of terminals C is displayed on the display 2. At this time, a suspicious terminal is highlighted and displayed so that it can be distinguished from other terminals C. In this example, PC0002 and PC0004 are terminals C determined to be suspicious terminals, and the suspicious operation determination amount is displayed together with the terminal name. The display mode is not limited to this, and other display modes can be used as long as the display mode can identify the suspicious terminal and the other terminal C.

  Further, the control by the control unit 34 not only performs the display as described above, but also displays a report regarding the suspicious terminal that notifies the administrator or the user of the suspicious terminal of the terminal C determined to be the suspicious terminal. Printing or the like can be performed. Of course, other controls can be performed as long as the object of the present invention is achieved. In addition, an unauthorized terminal can be detected in real time by determining a suspicious terminal each time it detects operation log information of an operation target that is a monitoring target at a predetermined timing.

[Third Embodiment]
In the above-described embodiment, the specific operation target information is determined based on the single set operation target information. However, generally, the concept of a set can be set in various ways, and a specific terminal may belong to a plurality of sets. Therefore, in this embodiment, the specific operation target information is determined based on a plurality of set operation target information. Since the functional units other than the specific operation determination unit 33 are the same as those in the above embodiment, only the processing flow of the specific operation determination unit 33 will be described based on the flowchart of FIG.

  First, as in the embodiment described above, when a specific terminal is specified (# 41), a set to which the specific terminal belongs is determined (# 42). In the present embodiment, as described above, the specific terminal belongs to a plurality of sets. For example, a set based on the department to which the user of the specific terminal belongs, a set based on the user's job title, a set based on the user's job title, or the like can be used. In order to use such a set, necessary information can be added to the user information managed by the user information management unit 22, and the set can be configured by the same method as in the first embodiment based on the information. .

  Next, one set is selected as a specific set from the plurality of sets determined by the above-described method (# 43), and the specific operation target information in the selected specific set is obtained by the same processing as # 13 to # 15. Determination is made (# 44 to # 46).

Thereafter, it is determined whether there is a set not selected in # 43 among the sets determined in # 42 (# 47). If there is an unselected set (Yes branch in # 47), the process is # The process moves to 43, one set is selected as a specific set from the unselected set, and the above-described processing is repeated.

  On the other hand, if there is no unselected set (No branch of # 47), the process proceeds to # 48, and the unique operation target information in the plurality of sets extracted in the process of # 46 is integrated to create a new unique Operation target information is generated (# 48). Specifically, the union of the specific operation target information in each set becomes new specific operation target information. For example, in the example of FIG. 13, the specific terminal belongs to the set 1, the set 2, and the set 3, and the specific operation target information is extracted as shown in the figure. When these unique operation target information is integrated, the specific operation target information shown in FIG. 14 is generated. Specifically, the specific operation target information {(domain A, 28), (domain B, 24), (domain D, 16)} in set 1 and the specific operation target information {(domain A, 28), (domain E in set 2) , 35)}, and the union of the specific operation target information {(domain A, 28), (domain D, 16)} in the set 3 becomes the specific operation target information in FIG. At this time, the specificity representing the degree of specificity of the operation target information is calculated and added to the specific operation target information. That is, the operation target information in the present embodiment is composed of a set of (terminal identification information, operation target, operation statistics, specificity). In addition, the specificity in this embodiment represents the degree determined to be unique across a plurality of sets. In other words, the value is larger as the number of sets determined to be unique is larger, and smaller as the number is smaller. In the example of FIG. 14, the ratio of the number of sets determined to be unique with respect to the number of sets is used as the specificity. For example, since the operation target information (domain A, 28) is determined to be unique in all sets, specificity = 3/3 = 1.0. Further, since the operation target information (domains E and 35) is determined to be unique only in the set 2, the specificity = 1/3 = 0.33.

  In addition to the above description, the calculation may be performed using the degree of peculiarity of the specific operation target information of each set (hereinafter referred to as individual specificity). In this case, the specific operation determination unit 33 is configured to calculate the individual specificity of the operation target information instead of determining whether the operation target information is specific.

  Further, the calculation of the specificity of the operation target information in the union is not limited to the above-described one, and a determination reference range R (for example, a range of μ−σ ≦ R ≦ μ + σ) is set and the operation is performed. A difference between the operation statistics of the target information and the determination reference range R (difference between the lower limit value / upper limit value of the determination reference range R) is set in association with the specificity (see FIG. 15), and the sets of sets 1 to 3 When the operation target information is FIG. 16, it can be calculated as follows. For the operation target (domain A), the difference from the determination criterion range R in the set 1 is “15”, so the individual specificity is “3”, and in the set 2, the difference from the determination criterion range R is “20”. Therefore, the individual specificity is “4”, and in the set 1, the difference from the determination reference range R is “8”, so the individual specificity is “2”. A specificity “9” of A) can be obtained. In addition, although the specificity of the operation target information is the sum of the individual specificities, it is not limited to this, and operations can be performed by performing various calculations as necessary, such as the average, maximum, and minimum of individual specificities. It may be configured to calculate the specificity of the target information. Furthermore, it is possible to set a weight for each set and calculate the specificity of the operation target information by performing an operation using the weight.

  In addition, when calculating the specificity from the individual specificity, a common threshold or determination criterion is used for each set, but different criteria may be used for each set.

  In the present embodiment, the specificity is included in the specific operation target information. However, the specific operation target information in a plurality of sets may be simply integrated to generate new specific operation target information. Further, when integrating the specific operation target information, a weight may be set for each set, and integration may be performed according to the weight. The weight is information determined from various factors such as the importance and scale of the set, the job range, etc., and the higher the weight, the higher the priority in integrating the specific operation target information. For example, the weight of each set is set 1: “1”, set 2: “1”, set 3: “2”, and only set 3 among the specific operation target information of set 1, set 2, and set 3 Does not include the operation target (domain A). At this time, when the specificities in the set 1 and the set 2 are equal to or less than a predetermined threshold corresponding to the weight of the set 3, the specific operation target information in the set 3 is given priority, and the operation target information for the operation target (domain A) Is determined to be non-singular. On the contrary, when the specificity of the set 1 and the set 2 exceeds a predetermined threshold according to the weight of the set 3, the operation target information for the operation target (domain A) is determined to be unique.

[Another embodiment]
(1) In the above-described embodiment, the operation target in the terminal C has been described as a WEB page. However, as described above, the operation target in the terminal C can be a file or an application. At this time, in the former case, the operation target information is generated in units of a file name, a folder / file server in which the file is stored, and in the latter case, the application name and application type (document creation application, table) are generated. Operation target information is generated in units of calculation applications, mailers, WEB browsers, and the like.

  (2) In the above-described embodiment, the specific operation determination unit 33 determines whether or not the operation target information is specific based on operation statistics based on a single scale (number of accesses). It can also be determined using operational statistics. For example, the number of operations and the operation time may be adopted as the operation statistics, and the determination may be made based on these operation statistics. For example, whether or not the operation target information is unique by obtaining an approximate line indicating the relationship between the number of operations and the operation time, and determining whether the operation target information is included in a predetermined range including the approximate line Can be determined.

  (3) In the above-described embodiment, the operation monitoring system is composed of the plurality of terminals C and the server S. However, a management terminal provided with a part of the functional unit of the server S is installed to achieve load distribution. You can also. Moreover, the function part of the server S can be provided in each terminal C, and each terminal C can be configured to function as the server S. Further, the operation log information acquisition unit 31, the operation log information storage unit 24, and the operation target information generation unit 32 of the server S may be provided in each terminal C.

  (4) In the above-described embodiment, the suspicious operation is determined based on the suspicious operation determination amount in the predetermined period. However, the specific operation target information is stored in a specific operation target information storage unit (not shown). The suspicious operation can also be determined based on the change in the suspicious operation determination amount along the time series. For example, a plurality of periods in the past are set, the specific operation target information is extracted for each period by the method described above, and the suspicious operation determination amount for each period is calculated based on the extracted specific operation target information. At this time, the transition of the suspicious operation determination amount is observed along the time series, and if there is a period in which the displacement becomes significant, it can be determined that the suspicious operation has been performed. Note that significant displacement detection can be realized by comparing the time differential value of the suspicious operation determination amount with a predetermined threshold value or the like.

  (5) In the above embodiment, the specific operation is determined for each terminal C. However, the specific operation may be determined for each user using the user identification information included in the operation log information.

  In this case, in an operation monitoring system in which a plurality of terminals are connected, user identification information of a user who uses the terminal is acquired, and operation log information including an operation target related to a user operation on the terminal is acquired. An operation log information acquisition unit, an operation target information generation unit that generates operation target information representing the operation statistics of the operation target of the user from the operation log information, the operation target information of the one user, and the one user A specific operation determination unit that determines, as specific operation target information, specific operation target information of the one user in the set based on a comparison result with operation target information of a plurality of users belonging to the set to which Become.

  In addition, when one user belongs to a plurality of sets, the unique operation determination unit determines the specific operation target information of one user for each set, and creates a new specific operation based on the determined specific operation target information. It can also be set as the structure which produces | generates object information.

  In this configuration, the operation target information of one user is compared with the operation target information of a user belonging to a set to which the one user belongs (for example, a set determined by user attribute information such as job title, affiliation, etc.) Based on the comparison result, it is determined whether or not the operation target information of one user is peculiar to the set. With this configuration, it is possible to determine whether or not the user's operation on the operation target is unique even when the terminal used for the user is not fixed. Furthermore, when the user belongs to a plurality of sets, the specific operation target information can be newly obtained by extracting the specific operation target information in each set, and it is comprehensive and high whether or not the group is unique. Judgment can be made with accuracy.

  (6) In the above-described embodiment, the specificity of the operation with respect to the operation target is determined, but it is also possible to determine the specificity of the operation content included in the operation log information.

  In this case, in an operation monitoring system in which a plurality of terminals are connected, an operation log information acquisition unit that acquires operation log information including operation contents related to operations at the terminals, and the terminal from the operation log information of the terminals Based on a comparison result between an operation target information generating unit that generates operation target information representing operation statistics of the operation content, operation target information of one terminal, and operation target information of a plurality of terminals belonging to a predetermined set And a specific operation determination unit that determines specific operation target information of the one terminal in the set as specific operation target information.

  In this configuration, the operation target information representing the operation statistics of the operation content at the specific terminal is compared with the operation target information in the predetermined set, and based on the comparison result, the operation target information of the specific terminal is specific to the set. It is determined whether or not. By setting it as this structure, it can be determined whether it is peculiar with respect to the operation content in a specific terminal.

  For example, the operation statistics of the operation target information for the operation content “file copy” in the specific terminal (in this embodiment, the operation count) is “32”, and the set operation for the operation content “file copy” in the set 1 Assume that the operation statistics of the target information is “22”. Here, the operation statistics of the set operation target information for the operation content “copy file” of the set 1 uses the average value of the number of operations, but other statistical values such as the maximum value, the minimum value, and the standard deviation may be used. It doesn't matter. Then, when the operation statistics “32” of the operation target information of the specific terminal is compared with the operation statistics “22” of the operation target information of the set 1, and the predetermined threshold TH is set to “8”, the operation target information of the specific terminal Since the operation statistics exceed the operation statistics of the operation target information of the set 1 by a predetermined threshold TH or more, it is determined that the operation content “file copy” at the specific terminal is unique.

  Similarly, the operation statistic of the operation target information for the operation content “delete file” of the specific terminal C is “3”, and the operation statistic of the operation target information for the operation content “delete file” of the set 1 is “8”. If there is, since the operation statistics of the specific terminal do not exceed the operation statistics of the set operation target information of the set 1, the operation content “delete file” at the specific terminal is determined not to be unique.

  In the above description, the operation content is “copy file” and “delete file”, but the operation content is not limited to this, and “send mail”, “insert USB”, “start application” Various operation contents can be used as long as the operation contents indicate the operation of the terminal C, such as “end application” and “browse WEB page”.

  By setting it as such a structure, it can be determined whether the operation content in a specific terminal is peculiar. In the above description, the number of operations is used in the determination of the specific operation. However, the present invention is not limited to this, and various information can be used as in the specific determination for the operation target described above. it can. Moreover, it is also possible to use the operation content of the user instead of the terminal.

  (7) The operation statistics of the above-described embodiment may be generated using an operation of the keyboard 6a or the pointing device 6b with respect to the operation target. That is, the operation of the input device 6 such as the keyboard 6a or the pointing device 6b is acquired, and it is determined whether the operation is performed on the operation target. When it is determined that the operation is performed on the operation target, the number of the operations is integrated and used for operation statistics. The operation of the input device 6 may be acquired as operation log information, or a device operation information acquisition unit (not shown) is provided, and the operation target generation unit 32 controls the operation of the input device 6 from the device operation information acquisition unit. You may make it acquire.

  In addition, as a means for determining whether the operation of the keyboard 6a or the pointing device 6b has been performed on the operation target, when the application is performed during activation, when the application is performed in the active state, the application is the input device 6. Judgment is made by using the case of receiving information (event message etc.) related to the operation.

  (8) The operation statistics of the above-described embodiment may be obtained by using the operation content for the operation target to obtain more operation statistics reflecting the user operation content. That is, an operation level value is set in advance for each operation content, and when the operation target information generation unit 32 obtains operation log information for the operation target, the operation content information is extracted and the operation content included in the operation log information is extracted. Get the corresponding operation level value. A value obtained by accumulating the operation level values is generated as operation statistics. For example, when an operation level value as shown in FIG. 17 is preset for the operation content, the operation content is “Browse web page” 3 times, “Browser activation” 6 times, If “input to WEB page” occurs once, {(3 times × 10 pt) + (6 times × 1 pt) + (1 time × 15 pt)} = 51 pt is obtained as the operation statistic.

  (9) The display unit in the control unit 34 of the above-described embodiment changes the display form of the operation target information such as color and character size according to the level of specificity of the operation target information included in the specific operation target information. You may do it. In other words, when the specificity of the operation target information is large, the distinguishability can be further increased, and when the specificity is small, the distinguishability can be further decreased. As a result, it is possible to easily determine how much a specific operation is performed in the group.

  (10) In the above-described embodiment, it is described that a specific set can be dynamically configured. In this case, a terminal C that is not included in any specific set is specified, and the terminal C is A grouped specific set may be configured. The specific operation target information of the terminal C may be determined in the specific set configured as described above, or the suspicious terminal in the specific terminal may be specified.

  (11) In the above-described embodiment, only the control in the display unit of the control unit 34 is described, but the present invention is not limited to this. Control as necessary may be performed as appropriate, such as displaying a list of specific operation target information and suspicious terminal information, or outputting in a report format (including printing).

  (12) In the above-described embodiment, all operated operation targets are set as determination targets. However, the present invention is not limited to this. You may make it determine whether it is specific operation object information only with respect to the operation object in which the operation statistics in a specific set exceed a predetermined threshold value. Thereby, it is possible to reduce the determination process in the system and improve the accuracy of the determination result.

  (13) In the above-described embodiment, the operation target information is obtained based on the operation log information whose operation content is the browsing of the WEB page, but the operation target information is generated using only the operation log information of the further limited operation content. It doesn't matter. For example, only operation log information with respect to a WEB page, the operation content having a predetermined operation content such as an operation of writing information to the WEB page or an operation of uploading data, is extracted, and an operation is performed from the operation log information. The operation target information for the target is obtained. As a result, the determination can be made only for the operation contents that require more monitoring, so that the monitoring accuracy can be improved and the burden on the administrator can be reduced.

  (14) In the above-described embodiment, the operation target information may be generated based on an access method to the WEB page. There are various methods for accessing the WEB page, such as access from a search site, direct URL input, and bookmark access. For this reason, access source information indicating how the WEB page is accessed is recorded in the operation log information, and operation target information is generated based on the access source information. That is, when it can be determined from the access source information included in the operation log information that the access to the WEB page is from a predetermined access source, the operation log information is calculated from the calculation of the operation statistics for the operation target. Exclude and generate operation target information for the operation target. In this way, it is possible to determine whether the access is from a predetermined access source, and the target of monitoring is such as intentionally accessing a WEB page outside the business or accessing a dangerous WEB page. Since the determination can be limited to the power operation, the monitoring accuracy can be improved and the burden on the administrator can be reduced.

  (15) In the above-described embodiment, the operation target information may be generated based on the operation time zone for the operation target. In this case, an evaluation point is provided for each operation time period, and the evaluation point is calculated for each operation. Then, the operation target information is generated by setting the evaluation values for each operation target as operation statistics. In addition to this, the operation target information may be generated using a time zone in which an operation target is most frequently operated and a time zone in which the operation target is the least specified and an evaluation point is determined from the time zone. . For example, the evaluation point is increased during a holiday or a time zone when access to the operation target is low. Thereby, it is possible to make a determination in consideration of the operation time zone (within business hours, outside business hours, early morning, midnight, weekdays, holidays, etc.) for the operation target, and the accuracy of monitoring can be improved.

31: Operation log information acquisition unit 32: Operation target information generation unit 33: Singular operation determination unit 34: Control unit

Claims (6)

In an operation monitoring system with multiple terminals connected,
And operation log information acquiring unit that acquires operation log information including the WEB page and date information and the application identification information related to the browsing operation of the browsing operation according to the browsing operation of the WEB page in each of the terminal,
The operation object information representing an operation time operation statistics for the WEB page that by the application according to Oite the browsing operation from one the operation log information of the terminal to the terminal, the WEB by application according to the browsing operation It said date and time information of the operation log information according to the browsing operation for a page, and the date and time information of the operation log information according to the viewing operation to another WEB page by the application according to the browsing operation performed after the browsing operation, An operation target information generation unit that generates a time difference between
Based on the comparison result between the operation target information of one terminal and the operation target information of a plurality of terminals belonging to a predetermined set, the specific operation target information of the one terminal with respect to the set is determined as the specific operation target information A singular operation determination unit;
An operation monitoring system characterized by comprising: When the set includes the one terminal and there are a plurality of the sets having the one terminal,
The specific operation determination unit generates set operation target information for each set based on operation target information of a plurality of terminals belonging to the set, and sets the set operation target information and the operation target information of the one terminal. The unique operation target information is determined by comparing, and the union of the specific operation target information that is the determination result for each set is set as new specific operation target information.
As a degree of specificity added to the new specific operation target information, a degree to be determined to be specific over a plurality of sets is calculated, and the specific operation target information is determined based on the specificity The operation monitoring system according to claim 1. The operation log information acquired by the operation log information acquisition unit includes operation targets related to various operations including browsing operation of the WEB page in each terminal, date and time information of the operation, application identification information related to the operation, and active of the application Including state,
The operation object information generation unit represents operation object information representing operation statistics that are operation times for the WEB page as the operation object.
The date and time information of the operation log information indicating that an application related to an operation on the WEB page is activated;
The operation monitoring system according to claim 1, wherein the operation monitoring system is generated as a time difference from the date and time information of the operation log information having an operation content for switching to another application next after the date and time information. A display unit for displaying the operation target information of the terminal;
The operation monitoring system according to any one of claims 1 to 3 , wherein the display unit displays the specific operation target information and other operation target information in an identifiable manner. Based on the specific operation object information, the terminal operation monitoring as claimed in any one of claims 1 to 4, characterized in that with a suspicious terminal determining unit to determine whether performing suspicious activity system. In an operation monitoring program for a terminal monitoring system in which a plurality of terminals and servers are connected,
And operation log information acquiring function of acquiring an operation log information including the WEB page and date information and the application identification information related to the browsing operation of the browsing operation according to the browsing operation of the WEB page in each of the terminal,
The operation object information representing an operation time operation statistics for the WEB page that by the application according to Oite the browsing operation from one the operation log information of the terminal to the terminal, the WEB by application according to the browsing operation It said date and time information of the operation log information according to the browsing operation for a page, and the date and time information of the operation log information according to the viewing operation to another WEB page by the application according to the browsing operation performed after the browsing operation, Operation target information generation function to generate as the time difference between,
Based on the comparison result between the operation target information of one terminal and the operation target information of a plurality of terminals belonging to a predetermined set, the specific operation target information of the one terminal with respect to the set is determined as the specific operation target information Singular operation judgment function,
An operation monitoring program that realizes this on a computer.

Images