JP6636605B1 - History monitoring method, monitoring processing device, and monitoring processing program - Google Patents

Abstract

Provided is a history monitoring system that utilizes a known log data obtained from a monitoring system to efficiently realize a monitoring process of a user terminal device according to a business type of a user. A history monitoring system (1) uses a known detection log data determined as a detection target by a monitoring system (50, 51) for monitoring a user terminal device (3A). Then, based on the detection log data, information about the operation user and history data having the path of the operation file or directory and the operation content are acquired as operation history data. The determination process is performed using one or more of the correspondence between the user and the computer used by the user, the operation authority of the file or directory, the correspondence between the user, and the correspondence between the customer and the user, and the operation history data. including. The determination process is based on the determination data for performing the determination process as to whether or not to be notified using the acquired history data. [Selection diagram] Fig. 1

Description

  The present invention relates to a history monitoring method, a monitoring processing device, and a monitoring processing program for monitoring an operation history of a client computer.

Some employees use the client PCs lent for business during work hours or breaks, and perform the following actions.
・ Browse inappropriate videos by accessing adult video sites.
・ Play online games.
-Access to a bulletin board, SNS, etc. to write.
・ Illegal exchange of files using file exchange software.
・ Send confidential data such as customer information that is confidential to the outside world by e-mail or cloud storage.
-The confidential data is stored in an auxiliary storage device such as a CD / DVD-ROM or a flash memory and taken out.
-Use the client computer outside business hours.

  Techniques for detecting such illegal acts are described below. For example, a monitor computer may have a sound output information receiving unit that receives sound output information from each of the client computers that are communicatively connected, a sound output information storage unit that stores the received sound output information, and the sound output information. Reference means for determining whether or not there is a possibility of computer operation outside the business by comparing with a sound output form in a normal business, wherein the client computer outputs sound output information on sound output to the monitor computer. There is known a technology for providing a computer operation monitoring technology that includes a sound output information transmitting unit that transmits to a computer and that can detect a non-business operation and can issue a warning notification or the like (Patent Document 1).

  In addition, a capture image acquisition unit that acquires operation screen information captured from a terminal, an operation log information acquisition unit that acquires operation log information from a terminal, and an operation evaluation value of an operation event included in the operation log information are calculated. An operation event evaluation unit that performs an operation event, an operation event special image generation unit that generates an emphasized image that clearly indicates an operation event that needs to be specified based on the operation evaluation value, and an emphasized image combined with the operation screen information (Patent Document 2).

Patent No. 3963278 JP 2008-191858 A

  In the related art, a monitoring device is used to determine permission / prohibition of an operation on a client computer based on a predetermined determination condition, and when the operation is not possible, the operation itself is disabled or a notification to an administrator is performed. By doing so, illegal operations were monitored.

  However, in the monitoring system, if the conditions for the impossibility are too loose, there is a risk that the use or operation of improper data may be overlooked. Frequent operations may occur, making it impossible for the person in charge to perform the intended operation, or increasing the cost of operation on the administrator side, such as checking log data.

  For this reason, in the existing monitoring system as in the conventional technology, it is not possible for companies with different types of clients and different business forms to operate by making detailed settings according to the actual situation of the company.

  Further, from the viewpoint of business efficiency, there is a demand for using customer information in business operations of existing CRM (Customer Relationship Management) service and cloud storage service. For example, even in a business type in which multiple persons work for one customer, such as a business office, sharing information and data between related parties can greatly improve the efficiency of business. Can be.

  On the other hand, when using such services, the data can be freely accessed via the network, and there is a risk that unauthorized use of data cannot be discovered, such as the taking out of customer information, and illegal data is taken out. In such cases, there is a problem that it is not possible to maintain sufficient evidence to apply the penal provisions.

  From the above, it is ideal to use a monitoring processing device and a system for improving work efficiency that are individually tuned in accordance with the business procedure of each company, but it is not realistic in terms of development and other costs. For this reason, there has been a demand for a history monitoring method that can be used in actual operation while suppressing development costs by using an existing system.

  The present invention has been made in view of the above situation, and uses a known log data obtained from a monitoring system, and records a history for efficiently implementing a monitoring process according to a business type of a user. Providing a monitoring method is an issue to be solved.

In order to solve the above problem, the present invention is a history monitoring method for performing a monitoring process using known detection log data determined as a detection target in a monitoring system that monitors a client computer,
A monitoring processing device, based on the detection log data, information on a user who performs an operation, a path of an operated file or directory, and acquiring history data having the operation content as operation history data;
Using the acquired history data, storing determination data for performing a determination process of whether or not to be notified,
Performing a determination process based on the determination data,
The determination process includes: a correspondence between a user and a computer used by the user;
File or directory operation authority and correspondence with user,
One or more of the correspondence between the customer and the user and the determination using the operation history data are included.

Further, the present invention is a monitoring processing apparatus for performing monitoring processing using known detection log data determined as a detection target in a monitoring system that monitors a client computer,
Based on the detection log data, information about the user performing the operation, the path of the operated file or directory, history data having the operation content, a means for acquiring as operation history data,
Means for storing determination data for performing a determination process as to whether or not to be notified, using the acquired history data,
Means for performing a determination process based on the determination data,
The determination process includes: a correspondence between a user and a computer used by the user;
File or directory operation authority and correspondence with user,
One or more of the correspondence between the customer and the user and the determination using the operation history data are included.

Further, the present invention is a monitoring processing program for performing monitoring processing using known detection log data determined as a detection target in a monitoring system that monitors a client computer,
Computer, based on the detection log data, information about the user performing the operation, the path of the operated file or directory, history data having the operation content, means to obtain as operation history data,
Means for storing determination data for performing a determination process as to whether or not to be notified, using the acquired history data,
Means for performing a determination process based on the determination data,
The determination process includes: a correspondence between a user and a computer used by the user;
File or directory operation authority and correspondence with user,
One or more of the correspondence between the customer and the user and the determination using the operation history data are included.

  With such a configuration, the log provided by the existing monitoring system can be more finely determined according to the business procedure of the monitoring target organization as to whether or not to be notified. In addition to eliminating unnecessary notifications as described above, monitoring processing that satisfies the order for each monitoring target organization can be realized at lower cost.

In a preferred aspect of the present invention, the determination process includes determining whether or not a specific keyword is included in a file name, a directory name, or a path with respect to the operation history data, and determining using the authority of the user who performed the operation. It is characterized by including.
With such a configuration, a highly effective monitoring process can be realized only by setting the file name and the directory name used for the job on the client computer in accordance with a predetermined rule. For example, a file name or the like can be managed by assigning a customer name or a customer identification number, or by setting a name such as "internal secret" for data that cannot be taken out.

In a preferred embodiment of the present invention, the monitoring processing device performs a processing round the storage destination using the storage destination information of the detection log data for each monitoring target organization, to obtain the history data,
The storage destination information using the storage destination information for defining the correspondence relationship for each monitoring target organization, processing the storage destination, collecting information for determining the correspondence relationship,
A determination process is performed using the history data and the correspondence obtained by the traveling process.
When detecting a copy operation by another user with respect to customer information that can be operated only by a specific user in business, a copy operation by a specific user is permitted by a whitelist, and other users are excluded by a blacklist. However, when the person in charge changes or a new stakeholder arises, it is troublesome to reconsider these definitions every time. Not a target. With such a configuration, management of customer data, management of file authority, management of user authority, and the like can be performed using an existing cloud service and the like, and information set there can be used for monitoring processing. And an efficient monitoring process can be realized.

In a preferred embodiment of the present invention, the monitoring processing device includes a step of performing a notification process to a notification destination based on the determination processing result,
The determination process is characterized in that a notification determination is made for a history that satisfies a predetermined condition based on the determination data among detection log data determined as a detection target in the monitoring processing system.
With such a configuration, the notification process can be executed.

In a preferred embodiment of the present invention, the determination data includes a determination condition for performing a determination process based on the correspondence between the user and its authority and a time stamp included in the history data.
With such a configuration, it is possible to perform the determination process using the authority of the user and the time stamp included in the history data.

In a preferred aspect of the present invention, the operation history data includes, as the operation content, a type and an operation of a drive on which the operation is performed,
The determination process is characterized in that, based on the path of the file or directory, a notification determination is made when data relating to a plurality of customers has been moved, copied, or generated to an external storage device.
By adopting such a configuration, in particular, it becomes possible to perform a monitoring process on an operation to the external storage device of data on a plurality of customers, which is not usually performed in an accounting office or the like.

In a preferred embodiment of the present invention, the monitoring processing device acquires, as access history data, a URL of a website accessed by a client computer and history data having information on an accessing user based on the detection log data. With steps,
The determination process includes a determination using a correspondence relationship between the user and an access right to a website and a URL included in the access history data.
With such a configuration, a determination process based on the access history can be performed.

In a preferred aspect of the present invention, the monitoring processing device acquires, as input history data, input data at a client computer and history data having information on an application on which the input has been performed, based on the detection log data. With
The determination process includes a determination using a correspondence between the customer and the user and an input content included in the input history data.
With such a configuration, a determination process can be performed on the client computer based on the contents of an input made to a predetermined application, such as taking out customer data by a user who is not in charge.

  According to the present invention, it is possible to provide a history monitoring method for utilizing a known log data obtained from a monitoring system and efficiently implementing a monitoring process according to a business type of a user.

1 is a diagram illustrating a configuration of a history monitoring system according to an embodiment of the present invention. FIG. 2 is a hardware configuration diagram of a terminal device according to the embodiment of the present invention. FIG. 2 is a hardware configuration diagram of the monitoring processing device according to the embodiment of the present invention. It is a conceptual diagram of the judgment processing in the monitoring system and the monitoring processing device according to the embodiment of the present invention. It is an example of the information which shows the correspondence which concerns on embodiment of this invention. It is a processing flowchart regarding collection processing of the information which shows the correspondence concerning the embodiment of the present invention. 5 is an example of history data according to the embodiment of the present invention. It is an example of the determination data according to the embodiment of the present invention. 6 is a processing flowchart when monitoring processing of a client computer is performed using detection log data according to the embodiment of the present invention.

  Hereinafter, a history monitoring system according to an embodiment of the present invention will be described with reference to the drawings. The embodiments described below are examples of the present invention, and the present invention is not limited to the following embodiments, and various configurations can be adopted.

  In the present embodiment, for example, a case will be described in which a client computer used by an employee (user) is monitored in an accounting office, and a history is monitored using a monitoring processing device. The present invention can be used by organizations of various business forms, and there is no particular limitation on the organization to use.

  In the present embodiment, the configuration, operation, and the like of a history monitoring system including a monitoring processing device will be described. However, a method, a computer program, a recording medium, and the like having a similar configuration can also provide similar functions and effects. Further, the program may be stored in a recording medium. By using this recording medium, for example, the program can be installed in a computer. Here, the recording medium storing the program may be a non-transitory recording medium such as a CD-ROM.

  Referring to FIG. 1 illustrating a system configuration according to an embodiment, a history monitoring system is embodied as a history monitoring system 1.

  The history monitoring system 1 includes a monitoring processing device 2, a plurality of terminal devices 3, a communication network 4, a monitoring system 5, a cloud storage system 6, and a customer information management system 7. The monitoring processing device 2 cooperates with the plurality of terminal devices 3 (3A, 3B), the monitoring system 5, the cloud storage system 6, and the customer information management system 7 via the communication network 4.

  The communication network 4 includes an IP (Internet Protocol) network such as the Internet. In the following description, the intervention of the communication network 4 will be omitted unless it becomes unclear.

  The plurality of terminal devices 3 include a user terminal device 3A and a supervisor terminal device 3B. As long as the user terminal device 3A and the supervisor terminal device 3B have a data communication function, each of the user terminal device 3A and the monitor terminal device 3B has a single configuration or a composite configuration including at least one of computer terminals (including a personal computer, a tablet terminal, and a smartphone terminal). obtain.

  The user terminal device 3A and the supervisor terminal device 3B are assigned IP addresses for performing data communication via the communication network 4. The user terminal device 3A performs data communication with at least the monitoring system 5, the cloud storage system 6, and the customer information management system 7, which will be described later. The supervisor terminal device 3B performs data communication with at least the supervisory processor 2.

  More specifically, the plurality of terminal devices 3 (3A, 3B) in the history monitoring system 1 include hardware and functional components as illustrated in FIG. That is, each terminal device 3 includes an arithmetic device (CPU (Central Processing Unit)) 11 and a main storage device (RAM (Random Access Memory)) 12 as a working memory as hardware components.

  Each of the terminal devices 3 includes an auxiliary storage device 13 such as an HDD (SSD), a flash memory, or the like, which rewritably stores an OS (Operating System), an application program, and various information (including data); a communication control unit 14; (IF), a communication interface (IF) unit 15 such as a (Network Interface Card), a display control unit 16, a display unit 17, an information input / designation unit 18, and the like.

  To logically realize the functions described in detail later in each terminal device 3, a web browser, electronic mail software, a terminal control program, and the like are installed in the auxiliary storage device 13 as application programs. Then, in each terminal device 3, when the power is turned on or an instruction from a user (user) is triggered, the arithmetic device (CPU) 11 loads the application program into the main storage device (RAM) 12 and executes it.

  Further, regarding the user terminal device 3A, in the monitoring system 5, in addition to the monitoring software for monitoring the client computer and the cloud storage system 6 and the customer information management system 7, work files and customer information (for example, It is assumed that business use software for managing sales and financial management of customers is installed as an application program.

  The monitoring processing device 2 has a data communication function, and includes hardware and functional components as illustrated in FIG. That is, the monitoring processing device 2 includes an arithmetic device (CPU (Central Processing Unit)) 21 as a hardware component and a main storage device (RAM (Random Access Memory)) 22 as a working memory.

  The monitoring processing device 2 includes an auxiliary storage device 23 such as a HDD, SSD, or flash memory that rewritably stores an OS (Operating System), an application program, and various information (including data); a communication control unit 24; And a communication interface (IF) unit 25 such as a (Network Interface Card).

  The monitoring processing device 2 includes, as functional components described in detail below, a traveling processing unit 201, an acquisition processing unit 202, a storage processing unit 203, a determination processing unit 204, a notification processing unit 205, and a database DB.

  To logically realize the above-described functional components (201 to 205) in the monitoring processing device 2, a monitoring processing program is installed in the auxiliary storage device 23 as an application program. In the monitoring processor 2, when the power is turned on, the arithmetic unit (CPU) 21 expands the processing program in the main storage device (RAM) 22 and executes it.

  Next, the processing in the history monitoring system 1 will be described in more detail with reference to FIG. 1 and related drawings (FIGS. 4 to 9).

  In the present embodiment, the history monitoring system 1 is realized by a third party using the monitoring system 5, the cloud storage system 6, and the customer information management system 7 provided in the form of a web service.

  The monitoring system 5 includes a database 50 and a monitoring device 51. The user terminal device 3A is a terminal device 3 used by a user (employee) to be monitored, and its log data is collected by existing monitoring software and an existing monitoring system 5 installed in the user terminal device 3A. You.

  The monitoring software installed on the user terminal device 3A monitors an operation on the user terminal device 3A based on a preset condition. The pre-set conditions include an impossibility condition, a detection condition, a white list, and a black list, and the monitoring processing by the monitoring system 5 is performed based on these.

  In the conventional monitoring software (monitoring system 5), the monitoring process of the user terminal device 3A is performed based on the preset unconditional condition, whitelist, and blacklist. FIG. 4A is a conceptual diagram of a determination process for log data in the monitoring system 5. The monitoring system 5 includes an operation prohibited by the user (client computer) (if the condition is prohibited or the blacklist is satisfied) and an operation permitted (a whitelist or a condition excluding the prohibited operation if the notification condition is satisfied). Operation other than).

  Here, the unconditional condition is, for example, execution of an exe file or the like, or restriction on access to a specific URL or domain. As a result of the monitoring processing, the operation in the user terminal device 3A is suppressed for the operation that is determined to correspond to the impossible condition.

  The unconditional condition is an operation that may cause a serious problem in business when executed, and an operation to be suppressed in all or a majority of client computers can be set. For example, for operations performed by only a small number of users in business operation, a condition is set such that an unconditional condition is set and only a small number of users are allowed to operate exceptionally in a white list.

  In the present embodiment, the unusable condition, the blacklist and the whitelist determination conditions are stored in monitoring software installed in the user terminal device 3A, and the monitoring device 51 updates the definition file.

  The detection condition does not mean that the operation itself is suppressed in the client computer, but may be set to an operation (detection target) that notifies the monitoring person and requires confirmation. When log data corresponding to the detection condition is found by the monitoring device 51, the monitoring device 51 normally performs a notification process to the monitor terminal device 3B, but overlaps with a notification process by the monitoring processing device 2 described below. It is preferable to set a setting to suppress the notification to the monitoring terminal device 3B when the monitoring device 51 satisfies the notification condition by turning off the notification process or the like.

  When the log data corresponds to the detection target (permitted operation), the monitoring processing device 2 determines whether or not to notify the monitoring person through a determination process described later. Note that the detection condition determination process may also be executed on the monitoring software side.

  The monitoring device 51 receives the log data, and stores the collected log data as detected log data when the collected log data corresponds to a detection target. The detection log data is stored in the database 50, and is used for the determination processing in the monitoring processing device 2. Here, the log data relating to the operation for which the determination of the unconditional condition is performed may be stored.

  The log data and the detection log data include log data relating to the operation history of the user in the client computer (hereinafter referred to as operation log data) and log data relating to the access history of the client computer via the network (hereinafter referred to as access log data). And log data (hereinafter, referred to as input log data) relating to the input history of the keyword by the client computer.

  On the other hand, the monitoring processing device 2 in the present application uses the notification conditions, whitelists, and blacklists set by the determination data for the log data determined as the detection conditions in the monitoring system 5 under more detailed conditions. A determination process is performed, and a monitoring process of the user terminal device 3A is performed. The whitelist and the blacklist here are different from the whitelist and the blacklist in the monitoring system 5.

  FIG. 4B is a conceptual diagram of the determination processing on the history data in the monitoring processing device 2. The monitoring processing device 2 performs a log (when a notification condition or a blacklist is applied) to the log data determined to be detected by the monitoring system 5 and notifies the monitor terminal device 3B of the log data. It is determined that the log is not to be performed (whitelist, if the notification condition is satisfied, other operations except the log corresponding to the blacklist).

  The cloud storage system 6 includes a database 60 and a storage management device 61. The database 60 stores work files, user data, and operation authority data used by the monitored organization for business.

  FIG. 5A is a diagram illustrating an example of the user data. The user data uses the employee ID and name for identifying the individual user, the computer name for identifying the computer used by the user, and the user name for logging on to the computer, by the user and the user. Included as user information indicating the correspondence between computers. Also, the position of the user is included as authority information (post authority information) indicating the correspondence between the user and the authority based on the position.

  FIG. 5B is a diagram illustrating an example of the operation authority data. The operation authority data includes a file ID for specifying a work file stored in the database 60 and an employee ID for specifying a user who has operation authority for the work file. It is included as authority information (operation authority information) indicating the correspondence between files or directories for which authority is given.

  The customer information management system 7 includes a database 70 and a customer information management device 71. The database 70 stores customer data.

  FIG. 5C is a diagram illustrating an example of customer data. The customer data indicates a customer ID and a customer name for identifying a customer, an employee ID for identifying a user set as the person in charge of the customer, and the correspondence between the user and the customer in charge of the user. Include as customer information.

  The traveling processing unit 201 travels through the monitoring system 5, the cloud storage system 6, and the customer information management system 7 using the storage destination information to acquire data. The storage destination information has a data storage destination for each of one or a plurality of monitoring target organizations, and the traveling processing unit 201 accesses the storage destination and acquires necessary data. For example, data is acquired using an API (Application Programming Interface) provided by the monitoring system 5, the cloud storage system 6, the customer information management system 7, and the like.

  First, the traveling processing unit 201 collects information on the correspondence using the storage destination information. In the present embodiment, the patrol processing unit 201 accesses the cloud storage system 6 and, for the monitoring target organization, sets user information indicating the correspondence between the user and the computer used by the user, and the correspondence between the user and the authority based on the position. Position authority information, and operation authority information indicating the correspondence between the user and the file or directory to which the user has the operation authority. The acquisition processing unit 202 stores information indicating the acquired correspondence in the database DB.

  Further, the patrol processing unit 201 accesses the customer information management system 7 using the storage destination information, and obtains customer information indicating the correspondence between the user and the customer in charge of the user for the monitored organization. The acquisition processing unit 202 stores information indicating the acquired correspondence in the database DB.

  FIG. 6 is a process flowchart relating to a process of collecting information indicating the correspondence. The processing of collecting the correspondence is periodically executed. When the correspondence collection process is performed (YES in step S11), information on the correspondence of each monitored organization is sequentially acquired based on the storage destination information of the information on the correspondence. Note that, in the present embodiment, an example is described in which information (user information, post authority information, operation authority information, and customer information) relating to a plurality of correspondences is collected and collected in a series of processes. A configuration is also possible in which individual collection timing is set for each destination and collection is performed in individual processing.

  The correspondence between the monitoring target organizations 0 to N is collected in accordance with a predetermined order set in the storage destination information. In step S12, first, the traveling processing unit 201 refers to the storage location information for the information on the correspondence relationship of the monitoring target organization 0, and acquires information on the correspondence relationship of the monitoring target organization 0 (step S13). In step S14, the acquisition processing unit 202 stores the acquired information in the database DB.

  If there is a monitoring target organization for which information has not been collected (NO in step S15), the procedures of steps S13 to S14 are executed for the next monitoring target organization i + 1, and information collection processing is performed ( Step S16). If the information on the correspondence relationship has been stored for all the monitoring target organizations 0 to N (YES in step S15), the process ends.

  The process of collecting information on the correspondence may be performed together with the process of collecting history data and the process of determining which will be described later. In that case, prior to the determination process of the history data, a process of collecting information on the correspondence is performed, and a determination process on the history data is performed based on the newly collected relationship (updated relationship). .

  The patrol processing unit 201 accesses the monitoring system 5 using the storage destination information, and executes a collection process for the detection log data for the monitoring target organization. The acquisition processing unit 202 acquires the detection log data as history data and stores it in the database DB.

  FIG. 7 is a diagram illustrating an example of the history data. FIG. 7A shows an example of operation history data. The operation history data includes a computer name and a user name indicating a user, a date and time indicating an operation time, an action (operation method) and a drive type (operation location) indicating an operation, and a source file (path indicating a file or a directory). Operation target).

  FIG. 7B shows an example of the access history data. The access history data includes a computer name and a user name indicating a user, a date and time indicating an operation time, and a URL (access destination) indicating an operation.

  FIG. 7C shows an example of the input history data. The input history data includes a computer name and a user name indicating a user, a date and time indicating an operation time, an action (input method) indicating an operation, a keyword (input content), and a title (input destination). .

  The storage processing unit 203 receives, from the monitor terminal device 3B, determination data for performing a determination process as to whether or not to be notified using the acquired history data, and stores the determination data in the database DB.

  FIG. 8 is a diagram illustrating an example of the determination data. The determination data in the present embodiment is a text file in which predetermined conditions are described, and the conditions are set by one or a combination of file conditions, user conditions, operation conditions, and time conditions. .

  For example, the determination condition may include a condition for performing the determination process based on the correspondence between the user and the authority and the time stamp included in the history data. In the illustrated example, when the operation of the client computer by an unauthorized user outside business hours is detected (“use outside business hours” in the illustrated example), the position of the user falls under certain conditions such as a managerial position. If there is no such data and the reception time of the history data (any of the operation history data, the access history data, and the input history data) is the one received at a predetermined time, it is determined that the notification condition is satisfied.

  For the operation history data, a determination may be made as to whether a specific keyword is included in the file name, directory name, or path, and the authority of the user who performed the operation. In the illustrated example, “data operation by a non-customer person” means that a customer name is included in a file name, a directory name, or a path (source file), and a user (computer name, user name) not in charge of the customer is assigned to the file. When a certain operation (action, drive type) is performed, it can be determined that the notification condition is satisfied.

  In addition, a notification determination using a whitelist or a blacklist may be performed on the determination data. Regarding detection of access to an unauthorized web site (“unauthorized site access” in the illustrated example), the URL of the access history data and the user (computer name, user name) are not allowed in the whitelist. In this case, it can be determined that the notification condition is satisfied.

  In addition, detection of access to customer data by a person who is not a customer representative (“data access by a non-customer representative” in the illustrated example) is performed based on an action, a keyword, and a title in the input history data. When a user (computer name, user name) who is not a customer representative performs an operation (action) for inputting a customer ID (keyword), it is determined that the condition is satisfied.

  The determination processing unit 204 performs a determination process using the determination data, the correspondence, and the history data. In this embodiment, the correspondence is set by user information, post authority information, operation authority information, and customer information stored in the database DB, and the history data is the operation history data, the access history data, and the input history stored in the database DB. Data is targeted.

  Also, as described in the above-described condition data, a determination process is performed using a whitelist and / or a blacklist in addition to or instead of the determination data, the correspondence, and the history data. May be. Further, a determination process using only the determination data and the history data may be included. For example, when the operation of the client computer outside business hours is prohibited for all employees, the judgment data defining the prohibited time and the time stamp included in the history data (the date and time of the history data in this embodiment) ) Is determined.

  The history data determined as a notification target by the determination processing unit 204 may be stored in the database DB and stored.

  The notification processing unit 205 performs a notification process to a notification destination based on a result of the determination process. As a result of the determination processing, when history data that satisfies the condition is detected, the notification processing unit 205 is used to notify a preset notification destination (monitoring terminal device 3B). The notification is performed by various methods such as transmission to an e-mail or SMS to an e-mail address or a telephone number set as a notification destination, transmission of a notification to an application installed in the monitor terminal device 3B, or the like. Good.

  FIG. 9 is a processing flowchart when monitoring processing of a client computer is performed using detection log data. Collection processing of history data is periodically executed. When the history data collection process is performed (YES in step S21), the history data of each monitoring target organization is sequentially acquired based on the storage destination information of the history data.

  The history data of the monitoring target organizations 0 to N is collected according to a predetermined order set in the storage destination information. In step S22, the patrol processing unit 201 first refers to the storage location information of the history data of the monitoring target organization 0, and refers to the detection log data of the monitoring target organization 0 (step S23). In step S24, the acquisition processing unit 202 acquires the history data and stores it in the database DB.

  In step S25, of the plurality of acquired history data ij (j = 0, 1,..., M), first, the history data i0 is referred to, and the determination processing unit 204 performs a determination process (step S26). . The determination process is executed using the determination data and the history data, one or more correspondences as needed, and a whitelist or a blacklist. If the determined history data ij corresponds to the notification target (YES in step S27), the notification processing unit 205 performs a notification process (step S28).

  If there is history data for which the determination process has not been completed among the history data of the monitoring target organization (NO in step S29), steps S26 to S28 are executed for the next history data i (j + 1). Then, a judgment process is executed (step S30).

  When the determination process has been completed for all of the history data of the monitoring target organization (YES in step S29), there is a monitoring target organization for which no history data has been collected (NO in step S31). Then, the procedures of steps S23 to S30 are executed for the monitoring target organization i + 1 in the next order (step S32), and a determination process is performed on the history data of each monitoring target organization. When the determination process on the history data has been completed for all the monitoring target organizations 0 to N (YES in step S32), the process ends.

  In the above-described determination process, the determination process is performed for each piece of history data. However, for example, the determination process may be performed using a plurality of pieces of history data. For example, based on the path (source file) of a file or directory included in the operation history data and the operation location (drive type), when data relating to a plurality of customers is moved, copied, or generated to an external storage device, a notification determination is made. The configuration may be performed. In addition to the above-described determination conditions, determination conditions using a file, a user, an operation, and time may be arbitrarily set and performed. Further, judgment conditions using items other than these may be separately set and judgment processing may be performed.

1 history monitoring system 11 arithmetic unit (CPU)
12 Main storage device (RAM)
Reference Signs List 13 auxiliary storage device 14 communication control unit 15 communication interface (IF) unit 16 display control unit 17 display unit 18 information input / designation unit 2 monitoring processing unit 21 arithmetic unit (CPU)
22 Main storage device (RAM)
Reference Signs List 23 auxiliary storage device 24 communication control unit 25 communication interface (IF) unit 201 tour processing unit 202 acquisition processing unit 203 storage processing unit 204 judgment processing unit 205 notification processing unit DB database 3 terminal device 3A user terminal device 3B supervisor terminal device 4 Communication network 5 Monitoring system 50 Database 51 Monitoring device 6 Cloud storage system 60 Database 61 Storage management device 7 Customer information management system 70 Database 71 Customer information management device

Claims (10)

Known monitors client computer, the operation and execution is allowed at the client computer, which at the monitoring system that at least determines the operation execution is prohibited in the client computer, obtained in connection with the execution is permitted operation the log data, a log monitoring method for performing monitoring processing of the client computer by determination processing,
Monitoring processing device, from the monitoring system via the network, information about the user performing the operation, the path of the operated file or directory, the operation content, to obtain history data, as operation history data,
A step of the acquired history data storing determination data conditions are described for performing determination processing of whether notification target,
Performing one or more pieces of information included in the operation history data, the determination data , and a process of determining the operation history data based on information indicating a correspondence relationship ,
The information indicating the correspondence includes the correspondence between the user and the computer used by the user, the operation authority of the file or directory and the correspondence between the user, and the correspondence between the customer and the user obtained from the customer information management system via the network. Including one or more of each of the relationships,
The determination process uses the correspondence and the condition for one or more combinations of information on the user included in the operation history data, an operated file or directory path, and operation content. A history monitoring method characterized in that it is a process of determining a notification target using a condition specified in the history.   The determination process includes, for the operation history data, whether or not a specific keyword is included in a file name, a directory name, or a path, and a determination using authority of a user who performed the operation. Item 1. The history monitoring method according to Item 1. A step wherein the monitoring apparatus is, for cyclically processing a storage location by using the storage location information of the log data of each monitored tissue, acquiring the historical data,
Circulating the storage destination using storage destination information of the information for defining the correspondence relationship for each monitoring target organization, collecting information indicating the correspondence relationship,
3. The history monitoring method according to claim 1, wherein a determination process is performed for each monitoring target organization using the history data and the correspondence acquired by the patrol process. 4. The monitoring processing device includes a step of performing notification processing to a notification destination based on the determination processing result,
The determination process is the one of the determined log data as the detection target in the monitoring system, based on the determination data, according to claim 1, characterized in that a notification decisions about the history corresponding to a predetermined condition The history monitoring method according to any of the above.   The method according to any one of claims 1 to 4, wherein the determination data includes a determination condition for performing a determination process based on the correspondence between the user and its authority and a time stamp included in the history data. History monitoring method. The operation history data includes, as the operation content, the type and operation of the drive on which the operation was performed,
The method according to claim 1, wherein the determining process performs a notification determination when data relating to a plurality of customers is moved, copied, or generated to an external storage device based on the path of the file or the directory. The history monitoring method according to any of the above. Said monitoring processing apparatus, before based on kilometers Gudeta, URL of a website accessed by the client computer and the history data having the information about the user who accessed, comprising the step of acquiring the access history data,
The history according to any one of claims 1 to 6, wherein the determination process includes a correspondence relationship between the user and an access right to a website and a determination using a URL included in the access history data. Monitoring method. It said monitoring processing apparatus, before based on kilometers Gudeta, entries on the client computer and the history data having the information about the input is performed application, comprises a step of obtaining as input history data,
The history monitoring method according to any one of claims 1 to 7, wherein the determination process includes a determination using a correspondence between the customer and the user and an input content included in the input history data. Known monitors client computer, the operation and execution is allowed at the client computer, which at the monitoring system that at least determines the operation execution is prohibited in the client computer, obtained in connection with the execution is permitted operation A monitoring processing device for performing monitoring processing of the client computer by performing determination processing of the log data of
From the monitoring system via the network, information about the user who performs the operation, the path of the operated file or directory, the operation content, history data having, as operation history data,
Means the acquired history data storing determination data conditions are described for performing determination processing of whether notification target,
Means for performing a determination process of the operation history data based on one or more information included in the operation history data, the determination data , and information indicating a correspondence relationship ,
The information indicating the correspondence includes the correspondence between the user and the computer used by the user, the operation authority of the file or directory and the correspondence between the user, and the correspondence between the customer and the user obtained from the customer information management system via the network. Including one or more of each of the relationships,
The determination process uses the correspondence and the condition for one or more combinations of information on the user included in the operation history data, an operated file or directory path, and operation contents. A monitoring processing apparatus for determining a notification target using a condition specified by the monitoring processing apparatus. Known monitors client computer, the operation and execution is allowed at the client computer, which at the monitoring system that at least determines the operation execution is prohibited in the client computer, obtained in connection with the execution is permitted operation A monitoring processing program for performing monitoring processing of the client computer by performing determination processing of the log data,
Computer, from the monitoring system via the network, information about the user performing the operation, the path of the operated file or directory, the operation content, the history data having as operation history data,
Means the acquired history data storing determination data conditions are described for performing determination processing of whether notification target,
One or more pieces of information included in the operation history data, the determination data, and a unit that performs a determination process of the operation history data based on information indicating a correspondence relationship ,
The information indicating the correspondence includes the correspondence between the user and the computer used by the user, the operation authority of the file or directory and the correspondence between the user, and the correspondence between the customer and the user obtained from the customer information management system via the network. Including one or more of each of the relationships,
The determination process uses the correspondence and the condition for one or more combinations of information on the user included in the operation history data, an operated file or directory path, and operation content. A monitoring processing program for determining a notification target by using a condition specified by the monitoring processing.