JP6884652B2 - White list management system and white list management method - Google Patents

Description

The present invention relates to a white list management system and a white list management method. Specifically, it is possible to reduce the operation cost of white list update while achieving both security against cyber attacks and convenience for users and the like. Regarding the technology to do.

In recent years, cyber attacks targeting private companies and national institutions have increased, resulting in large-scale information leakage incidents, and the risk of damaging the interests and safety of society is increasing. Furthermore, with regard to the content of such cyber attacks, there are increasing cases where sophisticated and advanced attack methods such as targeted attacks, especially APT (Advanced Persistent Threat) attacks, are used.

In this type of cyber attack, malware that targets a specific individual or organization and is customized according to the organization is used. It is difficult to define the characteristics of malware, such as frequent changes to the C & C server with which it communicates, and the existence of a large number of variants that differ in detail.

Therefore, it is often impossible to deal with the attack by the method used in existing firewalls and anti-virus software based on the blacklist of the URL of the known C & C server and the hash value of the known malware.

Therefore, anti-malware measures by access control using a white list are attracting attention. In the white list method, files and URLs that are allowed to be accessed are registered as a white list in advance, and various accesses are controlled based on this white list.

Examples include allowing processes to be launched only from whitelisted files, allowing only processes launched from whitelisted files to access sensitive files, and being launched from whitelisted files. Control forms such as permitting communication only to processes and permitting communication only to URLs included in the white list can be mentioned.

In such a white list method, only the processes registered in the white list in advance are permitted, and the others are not permitted. Therefore, even if the attacker changes the attack method in various ways, it can be dealt with.

However, the white list method has a problem that the convenience of the user is lowered. For example, in an environment where only limited processing is performed, such as a control system, in an information system used by users for business, a wide variety of processing occurs every day, so all necessary items are listed in advance in a white list. It is difficult to register.

Therefore, the functions that can be used by the user tend to be limited, which may greatly impair its convenience. On the other hand, in order to maintain the convenience of the user, it is necessary to update the white list every time a new function or the like is used. In that case, the user applies for a whitelist update to the system administrator, etc. whenever necessary, and the system administrator, etc. judges the validity of the application and performs the whitelist update work. To. Therefore, regarding the white list update, the labor and burden on both the user and the system administrator increase, and the operating cost increases.

Therefore, it is necessary to have a technology for easily updating the white list so as not to increase the operating cost while achieving both safety that can reliably deal with cyber attacks and convenience for users and the like.

Such techniques include, for example, detection means for starting a program and detecting generation or change of a program, or searching for a program, identification means for identifying a program, and a program for which network access is permitted or prohibited. It has a registration means for registering a program in a list, and the identification means determines whether or not the program meets a predetermined criterion based on the program whose activation is detected by the detection means or the program information of the detected program. As the registration means, an information processing device (see Patent Document 1) characterized in that a program determined to satisfy the predetermined criteria is registered in the list has been proposed.

Japanese Unexamined Patent Publication No. 2014-96143

In the prior art, process startup control based on whitelist verification of the startup program file is premised for the purpose of suppressing malware activity. That is, when a process is started from a file that is not in the white list, it is automatically added to the white list after evaluating whether a certain condition is satisfied. As a result, the white list update process, which is required when updating a program, is automated.

In this technology, it is assumed that the file name, file path, file hash value, version information, file size, digital signature, host name, etc. are used as criteria for determining whether or not the program can be added to the white list. If they meet the preset conditions, the program is considered credible and is whitelisted.

Such prior art substantially allows the activation of a program that meets preset conditions. Therefore, if the condition setting is strict, the convenience is impaired, and if the condition setting is loose, the safety is impaired. In order to achieve both of these, it is necessary to update the conditions as necessary, which also leads to an increase in operating costs.

Therefore, an object of the present invention has been made in view of the above circumstances, and provides a technique capable of reducing the operating cost of updating a white list while achieving both security against cyber attacks and convenience for users and the like. There is.

Whitelist management system of the present invention to solve the above problems, for each resource which can be mainly or subject of access in a given device, and the security level storing unit that holds the security level information defining a security level of a predetermined event, each resource Based on the security level dependency storage unit that holds the dependency information that defines the dependency of the security level information between the two, and the security level information of each resource related to the predetermined access, the predetermined algorithm determines whether or not the predetermined access is possible. A security level update unit that updates the security level information based on the dependency relationship of the security level information between each resource related to the predetermined access is provided. It is characterized by that.

Further, the whitelist management method of the present invention is between the security level storage unit that holds the security level information that defines the security level of a predetermined event and each resource with respect to each resource that can be the main body or the target of access in the predetermined device. An information processing device provided with a security level dependency storage unit that holds dependency information that defines the dependency of the security level information can perform the predetermined access based on the security level information of each resource related to the predetermined access. Is determined by a predetermined algorithm , and the security level information is updated based on the dependency of the security level information among the resources related to the predetermined access .

According to the present invention, it is possible to reduce the operating cost of updating the white list while achieving both security against cyber attacks and convenience for users and the like.

It is a figure which shows the functional structure example of the white list management system in Example 1. FIG. It is a figure which shows the configuration example of the hardware including the white list management system in Example 1. FIG. It is a figure which shows the example of the file security level table in Example 1. FIG. It is a figure which shows the example of the domain security level table in Example 1. FIG. It is a figure which shows the example of the process security level table in Example 1. FIG. It is a figure which shows the example of the permission communication method table in Example 1. FIG. It is a flow chart which shows the example of the access control processing method in Example 1. FIG. It is a flow figure which shows the example of the process start processing method in Example 1. FIG. It is a flow chart which shows the example of the process security level update processing method at the time of process start in Example 1. FIG. It is a flow chart which shows the example of the communication control processing method in Example 1. FIG. It is a flow chart which shows the example of the process security level update processing method at the time of communication in Example 1. FIG. It is a flow chart which shows the example of the file read control processing method in Example 1. FIG. It is a flow chart which shows the example of the process security level update processing method at the time of reading a file in Example 1. FIG. It is a flow chart which shows the example of the file write control processing method in Example 1. FIG. It is a flow chart which shows the example of the file security level update processing method at the time of writing a file in Example 1. FIG. It is a figure which shows the functional structure example of the white list management apparatus in Example 2. FIG. It is a figure which shows the example of the file security level dependency table in Example 2. FIG. It is a figure which shows the example of the process security level dependency table in Example 2. FIG. It is a figure which shows the example of the dummy file security level table in Example 2. FIG. It is a flow chart which shows the example of the process security level at the time of process start and the dependency update processing method in Example 2. FIG. It is a flow diagram which shows the example of the process security level at the time of communication and the dependency update processing method in Example 2. FIG. It is a flow chart which shows the example of the process security level at the time of reading a file and the dependency update processing method in Example 2. It is a flow chart which shows the example of the file security level at the time of writing a file and the dependency update processing method in Example 2. It is a flow chart which shows the example of the batch correction processing method of the related item at the time of security level correction in Example 2. FIG. It is a figure which shows the example of the security level batch correction screen in Example 2. FIG. It is a figure which shows the functional structure example of the white list management apparatus in Example 3. FIG. It is a flow chart which shows the example of the influence simulation processing method for supporting the correction part determination at the time of the security level correction in Example 3. It is a figure which shows the example of the security level correction support screen in Example 3. FIG.

−−− Example 1 −−−
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a diagram showing a functional configuration example of the white list management system 10 of the present embodiment.

<Function configuration example>
The white list management system 10 is composed of at least terminals 100. The terminal 100 constitutes a necessary function by a plurality of programs installed in the memory 110 and operating on the terminal 100, and a plurality of data stored in the storage device 120.
The terminal 100 is a computer device used by the user 101. Further, the terminal 100 includes a memory 110, a storage device 120, a communication unit 130, and an input / output unit 131. The user 101 operates the terminal 100 via the input / output unit 131.

Subsequently, the function provided by the terminal 100 of the white list management system 10 in the first embodiment will be described. Here, a function realized by executing an appropriate program provided in the terminal 100 will be described.

At the terminal 100, the access trial acquisition program 111, the access permission determination program 112, the security level update program 113, and the access permission result return program 114 are executed. Further, the terminal 100 holds the file security level 121, the domain security level 122, the process security level 123, and the permitted communication method 124 as data.

Among the above-mentioned programs, the access trial acquisition program 111 is a program that hooks an access trial to a predetermined resource generated in the terminal 100 and hands it over to the access enable / disable determination program 112. Access includes, for example, process startup, communication, file access, and the like.

Further, the access permission / disapproval determination program 112 is a program for determining permission or prohibition based on a white list for the above-mentioned access attempt generated in the terminal 100.

Further, the security level update program 113 is a program that calculates the security level of the file and the process related to the process and updates the file security level 121 and the process security level 123 when the above-mentioned access attempt occurs.

Further, the accessability result return program 114 is a program that returns the processing to the hook source so that the processing is performed based on the above-mentioned determination of permission or prohibition of the access trial.

Further, among the data held by the terminal 100, the file security level 121 is a list of security levels given to each file stored in the terminal 100 and which is a standard for determining accessability. Details of this data will be described later (the same applies hereinafter).

Further, the domain security level 122 is a list of security levels given to the domain, which is a standard for determining accessability.

Further, the process security level 123 is a list of security levels given to each process being executed by the terminal 100 and which is a standard for determining accessability.

Further, the permitted communication method 124 is a list of correspondences between the security level of the domain and the permitted communication method, which is a criterion for determining accessability.

Details of this information are given in Tables 300-600. The contents of these tables will be described later with reference to FIGS. 3 to 6.

<Hardware configuration>
Subsequently, the hardware configuration of the terminal 100 in the first embodiment will be described. FIG. 2 is a diagram showing a configuration example of the hardware of the terminal 100 in the first embodiment.

The terminal 100 illustrated in FIG. 2 is composed of a CPU 201, a memory 202, a storage device 203, a communication interface 204, an input device 205, an output device 206, and a bus 207.

Of these, the CPU 201 is a central processing unit, and by executing a program held in the memory 202 (or the storage device 203), necessary functions are implemented.

Further, the memory 202 is a main storage device used by the CPU 201 described above when executing a process, and is composed of a volatile storage element such as a RAM.

Further, the storage device 203 is an auxiliary storage device for supplementing the input data provided to the CPU 201 and the output data output from the CPU 201, and is composed of an appropriate non-volatile storage element such as a hard disk drive or SSD (Solid State Drive). Will be done.
Further, the communication device 204 is a communication device used by the terminal 100 to communicate with an external device, and is composed of a network interface card (NIC: Network Interface Card) or the like.

Further, the input device 205 is an interface for receiving input from an operator, and is composed of a keyboard, a touch panel, a card reader, a voice input device, and the like.

Further, the output device 206 is an interface for outputting data to the operator, and is composed of a display, a speaker, a printer, and the like.

The bus 207 is a communication path that connects the CPU 201, the memory 202, the storage device 203, the communication interface 204, the input device 205, and the output device 206.

<Data structure example>
Next, a configuration example of the data used by the terminal 100 of the white list management system 10 in the first embodiment will be described.

FIG. 3 is a diagram showing a configuration example of the file security level table 300 in the first embodiment. The file security level table 300 has a file ID 301, a file path 302, a file trust level 303, a file confidentiality level 304, a file protection level 305, and a file hash value 306 as data items.

Of these, the file ID 301 is an ID uniquely assigned to the file stored in the storage device 203. Further, the file path 302 is information for specifying a storage location and a file name of the file on the storage device.

Further, the file trust level 303 is information indicating the certainty that the data contained in the file does not include malicious code, malicious information, or the like. The file confidentiality level 304 is information indicating the confidentiality of the data included in the file. The file protection level 305 is information indicating the level of authority required to update the file.

Further, the file hash value 306 is obtained by hashing the file data by an appropriate hash function, and is information for uniquely identifying the file.

The file security level is a general term for the file trust level 303, the file confidentiality level 304, and the file protection level 305.

FIG. 4 is a diagram showing a configuration example of the domain security level table 400 in the first embodiment. The domain security level table 400 has a domain ID 401, a domain name 402, a domain trust level 403, a domain confidentiality level 404, and a domain protection level 405 as data items.

Of these, the domain ID 401 is an ID uniquely assigned to the domain registered in the domain security table 400. Further, the domain name 402 is a character string representing the domain.

Further, the domain trust level 403 is information indicating the certainty that the data that can be downloaded from the domain does not include malicious code or malicious information. The domain confidentiality level 404 is information indicating the confidentiality of the data that can be downloaded from the domain. The domain protection level 305 is information indicating the degree of restriction to be applied when communicating with the domain.

The domain trust level 403, the domain confidentiality level 404, and the domain protection level 405 are collectively referred to as the domain security level.

FIG. 5 is a diagram showing a configuration example of the process security level table 500 in the first embodiment. The process security level table 500 has a process ID 501, a process trust level 502, and a process confidentiality level 503 as data items.

Of these, the process ID 501 is an ID uniquely assigned to the process operating on the memory 202.

Further, the process confidence level 502 is information indicating the certainty that the process does not contain malicious code or the like. Further, the process confidentiality level 503 is information indicating the confidentiality of the data held by the process on the memory 202.

The process trust level 502 and the process confidentiality level 503 are collectively referred to as the process security level.

FIG. 6 is a diagram showing a configuration example of the permitted communication method table 600 in the first embodiment. The authorized communication method table 600 has a domain protection level 601 and an authorized communication method 602 as data items.

Of these, the domain protection level 601 is information indicating the degree of restriction to be applied when communicating with the relevant domain, which corresponds to the value of the domain protection level 405 in the above-mentioned domain security level table 40.

Further, the permitted communication method is the content of the restriction applied at the time of communication with the corresponding domain, and in this embodiment, the communication method permitted for the above-mentioned domain protection level 601 is stored.

<Flow example: Access control processing>
Hereinafter, the actual procedure of the white list management method in the present embodiment will be described with reference to the drawings. Various operations corresponding to the white list management method described below are realized by a program read by the terminal 100 in the white list management system 10 into a memory or the like and executed. The program is composed of code for performing various operations described below.

Here, first, an example of a processing flow when an access trial occurs will be described. FIG. 7 is a flow chart showing an example of access control processing in the first embodiment. The outline of the process when an access trial occurs will be described with reference to FIG. 7.

In this case, the access trial acquisition program 111 of the terminal 100 hooks the access trial by the process generated in the terminal 100 and starts the access control process 700. The hook is to temporarily stop the process execution by temporarily avoiding the access to the resource such as a file or the domain accompanying the execution of the process.

Subsequently, the access availability determination program 112 determines the type of the above-mentioned access attempt (step 701). If the content of the access attempt is related to the start of the process (step 701: Yes), the access availability determination program 112 proceeds to the process control process (step 705). On the other hand, in other cases (step 701: No), the accessability determination program 112 advances the process to step 702.

Subsequently, the access availability determination program 112 determines the type of the access trial described above (step 702), and if the content of the access trial is related to communication (step 702: Yes), the communication control process (step 706). Proceed to the process. On the other hand, in other cases (step 702: No), the accessability determination program 112 advances the process to step 703.

Further, the access availability determination program 112 determines the type of the above-mentioned access attempt (step 703), and if the content of the access attempt is related to file reading (step 703: Yes), the process is a file reading control process (step 703: Yes). Step 707). In other cases (step 703: No), the accessability determination program 112 advances the process to step 704.

Further, the access availability determination program 112 determines the type of the above-mentioned access attempt (step 704), and if the content of the access attempt is related to file writing (step 704: Yes), the process is a file write control process (step 704: Yes). Step 708). In other cases (step 704: No), the accessability determination program 112 advances the process to step 709.

Here, the outline of the above-mentioned process control process (step 705) will be described. In this case, the access permission / disapproval determination program 112 permits the process activation as described above, and transmits the result to the security level update program 113 and the access permission / disapproval result return program 114. Further, the security level update program 113 refers to the file security level table 300, acquires the file trust level 303, the file confidentiality level 304, and the file protection level 305 of the file related to the process, and obtains the file security level update program 113. introduce. Further, the security level update program 113 calculates the process trust level 502 and the process confidentiality level 503 of the process based on the above-mentioned information transmitted, and updates the process security level table 500. Further, the accessability result return program 114 returns the process to the hook source based on the transmitted information. Details of this step will be described later with reference to FIG.

Further, the outline of the above-mentioned communication control process (step 706) will be described. In this case, the access availability determination program 112 refers to the process security level table 500 in connection with the access attempt related to the communication, and acquires the process trust level 502 and the process confidentiality level 503 of the process that tried the communication. Further, the accessability determination program 112 refers to the domain security level table 400 and acquires the domain trust level 403, the domain confidentiality level 404, and the domain protection level 405 of the communication target domain. The accessability determination program 112 determines whether or not communication to the above-mentioned domain by the process is possible based on the acquired information, and transmits the result to the security level update program 113 and the accessability result return program 114. The security level update program 113 calculates the process trust level 502 and the process confidentiality level 503 of the process based on the transmitted information, and updates the process security level table 500. The accessability result return program 114 returns the process to the hook source based on the transmitted information. Details of this step will be described later with reference to FIG.

Further, an outline of the above-mentioned file reading control process (step 707) will be described. In this case, the accessability determination program 112 refers to the process security level table 500 in connection with the file read attempt, and acquires the process trust level 502 and the process confidentiality level 503 of the process that made the access attempt related to the file read. Further, the accessability determination program 112 refers to the file security level table 300 and acquires the file trust level 303, the file confidentiality level 304, and the file protection level 305 of the file to be read. The accessability determination program 112 determines whether or not the above-mentioned file can be read by the process based on the acquired information, and transmits the result to the security level update program 113 and the accessability result return program 114. The security level update program 113 calculates the process trust level 502 and the process confidentiality level 503 of the process based on the transmitted information, and updates the process security level 500. The accessability result return program 114 returns the process to the hook source based on the transmitted information. Details of this step will be described later with reference to FIG.

Further, an outline of the above-mentioned file write control process (step 708) will be described. In this case, the accessability determination program 112 refers to the process security level table 500 in connection with the access attempt for writing the file, and acquires the process trust level 502 and the process confidentiality level 503 of the process that tried to read the file. Further, the accessability determination program 112 refers to the file security level table 300 and acquires the file trust level 303, the file confidentiality level 304, and the file protection level 305 of the file to be read. The accessability determination program 112 determines whether or not the process can write to the above-mentioned file based on the acquired information, and transmits the result to the security level update program 113 and the accessability result return program 114. The security level update program 113 calculates the file trust level 303, the file confidentiality level 304, and the file protection level 305 of the above-mentioned file based on the transmitted information, and updates the file security level 300. The accessability result return program 114 returns the process to the hook source based on the transmitted information. Details of this step will be described later with reference to FIG.

Further, the above-mentioned access permission process (step 709) will be described. In this case, the access permission / disapproval determination program 112 permits the above-mentioned access trial, and transmits the permission to the access permission / disapproval result return program 114. The accessability result return program 114 returns the process to the hook source based on the transmitted information.

<Flow example: Process control processing>
FIG. 8 is a flow chart showing an example of the process control process in the first embodiment. The process control process (step 705) will be described below with reference to FIG.

In this case, the access availability determination program 112 obtains the ID of the process that is about to execute the process start process based on the information transmitted from the access trial acquisition program 111. Further, the accessability determination program 112 refers to the process security level table 500, searches for a record in which the value of the process ID 501 matches the ID of the process obtained as described above, and searches for the process trust level 502 and the process of the record. Acquire confidentiality level 503 (step 801).

Next, the accessability determination program 112 obtains the path of the execution file that is the start source in the process start process based on the information transmitted from the access trial acquisition program 111. Further, the accessability determination program 112 refers to the file security level table 300, searches for a record in which the value of the file path 302 matches the path of the executable file obtained as described above, and searches for a record, and the file trust level 303 of the record. , File confidentiality level 304, file protection level 305 (step 802).

Next, the accessability determination program 112 obtains the paths of all the files such as the library file read in the process start process based on the information transmitted from the access trial acquisition program 111, and for each of the files, the accessability determination program 112 obtains the paths of all the files. Step 804 is performed. (Step 803).

The accessability determination program 112 refers to the file security level table 300, searches for a record in which the value of the file path 302 matches the path of the target file in step 803, and finds the file trust level 303 and the file of the record. Obtain the confidentiality level 304 and the file protection level 305 (step 804).

Further, the accessability determination program 112 transmits the information acquired in steps 801 to 804 described above to the security level update program. The security level update 113 calculates the process trust level 502 and the process confidentiality level 503 of the newly started process based on the transmitted information and adds them to the process security level table 500 (step 805). Details of this step (step 805) will be described later with reference to FIG.

<Flow example: Process security level update process at process startup>
Here, the details of the process security level update process (step 805) at the time of starting the process in the flow of FIG. 8 will be described. FIG. 9 is a flow chart showing an example of the process security level update process at the time of starting the process in the first embodiment.

In this case, the security level update 113 is the minimum between the file trust level 303 and the process trust level 502 of the execution source file and each file read at the time of starting the process, which is indicated by the information transmitted from the accessability determination program 112. Calculate the value and identify it as the process confidence level 502 of the above-mentioned process to be started next. Similarly, the security level update program 113 is used between the file confidentiality level 304 and the process confidentiality level 503 of the execution source file and each file read at the time of starting the process, which is indicated by the information transmitted from the accessability determination program 112. Is calculated and specified as the process confidentiality level 503 of the above-mentioned process to be started next (step 901).

Further, the security level update program 113 adds a new record to the process security level table 500, and adds the ID of the process to be started next to the process ID 501 of the new record to the process ID 501 of the new record, and the process trust level 502 of the new record. And the value calculated in step 901 described above is stored in the process confidentiality level 503 (step 902).

<Flow example: Communication control processing>
FIG. 10 is a flow chart showing an example of communication control processing in the first embodiment. The communication control process (step 706) will be described below with reference to FIG.

In this case, the access availability determination program 112 obtains the ID of the process that is about to execute the communication process based on the information transmitted from the access trial acquisition program 111. Further, the accessability determination program 112 refers to the process security level table 500, searches for a record in which the value of the process ID 501 matches the ID of the process obtained as described above, and searches for a record, and the process trust level 502 of the record. And obtain process confidentiality level 503 (step 1001).

Subsequently, the access availability determination program 112 obtains the domain name of the communication destination in the communication process based on the information transmitted from the access trial acquisition program 111. Further, the accessability determination program 112 refers to the domain security level table 400, searches for a record in which the value of the domain name 402 matches the domain name obtained as described above, and searches for a record having the domain trust level 403 of the record. Obtain domain confidentiality level 404 and domain protection level 405 (step 1002).

Next, the accessability determination program 112 refers to the process confidentiality level 503 acquired in step 1001 described above, and determines whether or not the value is greater than 0 (step 1003). As a result of this determination, if the value is greater than 0 (step 1003: Yes), the accessability determination program 112 advances the process to step 1004. In other cases (step 1003: No), the accessability determination program 112 advances the process to step 1006.

Next, the access permission / disapproval determination program 112 refers to the permitted communication method table 600, searches for a record in which the domain protection level 601 matches the domain protection level 405 acquired in the above step 1002, and uses the permitted communication method 602. Acquire (step 1004).

Further, the access permission / disapproval determination program 112 compares the information regarding the access trial transmitted from the access trial acquisition program 111 with the permitted communication method 602 acquired in step 1004 described above, and the access trial method for the communication is determined. , It is determined whether or not it is included in the above-mentioned permitted communication method 602 (step 1005).

If the result of this determination is included (step 1005: Yes), the accessability determination program 112 advances the process to step 1006. In other cases (step 1005: No), the accessability determination program 112 advances the process to step 1007.

Following the result of "Yes" in step 1003 or step 1005 described above, the access permission / disapproval determination program 112 permits communication by the process (step 1006), and informs the access permission / disapproval result return program 114 that the permission has been granted. introduce. The accessability result return program 114 in this case returns the process to the hook source based on the transmitted information. Further, the accessability determination program 112 transmits the information acquired in the above steps 1001 to 1002 to the security level update program 113.

On the other hand, following the determination of "No" in step 1005 described above, the access availability determination program 112 prohibits communication by the process and transmits the prohibition to the access accessibility result return program 114 (step). 1007). The accessability result return program 114 in this case returns the process to the hook source based on the transmitted information.

Subsequently, the security level update program 113 calculates the process trust level 502 and the process confidentiality level 503 of the process based on the information transmitted from the accessability determination program 112, and updates the process security level table 500 (step). 1008). Details of this step will be described later with reference to FIG.

<Flow example: Process security level update processing during communication>
Next, the details of the process of step 1008 in the flow of FIG. 10 described above, that is, the process security level update process during communication will be described with reference to FIG. FIG. 11 is a flow chart showing an example of the process security level update process during communication in the first embodiment.

In this case, the security level update program 113 compares the process trust level 502 and the domain trust level 403 transmitted from the accessability determination program 112 (step 1101). As a result of this comparison, if the process trust level 502 is greater than the domain trust level 403 (step 1101: Yes), the security level update 113 proceeds to step 1102. In other cases (step 1101: No), the security level update program 113 advances the process to step 1103.

Next, the security level update program 113 refers to the process security level table 500, searches for a record in which the value of the process ID 501 matches the ID of the process, and sets the value of the process trust level 502 of the record as described above. Update with the value of domain trust level 403 of (step 1102)
The security level update 113 also compares the process confidentiality level 503 with the domain confidentiality level 404 (step 1103). As a result of this comparison, if the process confidentiality level 503 is smaller than the domain confidentiality level 404 (step 1103: Yes), the security level update 113 proceeds to step 1104. In other cases (step 1103: No), the security level update program 113 ends this flow.

On the other hand, the security level update program 113 refers to the process security level table 500, searches for a record in which the value of the process ID 501 matches the ID of the process, and sets the value of the process confidentiality level 503 of the record to the above-mentioned domain. Update with the value of confidentiality level 404 (step 1104).

<Flow example: File read control processing>
Subsequently, the details of the file reading control process (step 707) in the flow of FIG. 7 will be described with reference to FIG. FIG. 12 is a flow chart showing an example of the file read control process in the first embodiment.

In this case, the accessability determination program 112 obtains the ID of the process that is about to execute the file reading process based on the information transmitted from the access trial acquisition program 111. Further, the accessability determination program 112 refers to the process security level table 500, searches for a record in which the value of the process ID 501 matches the ID of the process obtained as described above, and searches for the process trust level 502 and the process trust level 502 of the record. Acquire process confidentiality level 503 (step 1201).

Subsequently, the accessability determination program 112 obtains the path of the target file in the file reading process based on the information transmitted from the access trial acquisition program 111. Further, the accessability determination program 112 refers to the file security level table 300, searches for a record in which the value of the file path 302 matches the path of the target file obtained above, and searches for a record having the file trust level 303 of the record. Acquire file confidentiality level 304 and file protection level 305 (step 1202).

In addition, the accessability determination program 112 compares the above-mentioned process trust level 503 with the file confidentiality level 304 (step 1203). As a result of this comparison, if the process trust level 503 is equal to or greater than the file confidentiality level 304 (step 1203: Yes), the accessability determination program 112 proceeds to step 1204. In other cases (step 1203: No), the accessability determination program 112 advances the process to step 1205.

Next, following the result of "Yes" in step 1203 described above, the access availability determination program 112 permits the file reading by the above process and transmits the permission to the access permission result return program 114 (step). 1204). The accessability result return program 114 in this case returns the process to the hook source based on the transmitted information. Further, the accessability determination program 112 transmits the information acquired in steps 1201 and 1202 to the security level update program 113.

On the other hand, following the result of "No" in step 1203 described above, the access permission / disapproval determination program 112 prohibits the file reading by the process described above, and transmits the prohibition to the access permission result return program 114 (step 1205). ). The accessability result return program 114 in this case returns the process to the hook source based on the transmitted information.

Further, the security level update program 113 calculates the process trust level 502 and the process confidentiality level 503 of the above-mentioned process based on the information transmitted from the accessability determination program 112, and updates the process security level table 500 (step). 1206). Details of this step will be described later with reference to FIG.

<Flow example: Process security level update process when reading a file>
Subsequently, step 1206 in the flow of FIG. 12 described above, that is, the details of the process security level update process at the time of reading a file will be described with reference to FIG.

FIG. 13 is a flow chart showing an example of the process security level update process at the time of reading the file in the first embodiment. In this case, the security level update program 113 compares the process trust level 502 and the file trust level 303 transmitted from the accessability determination program 112 (step 1301). As a result of this comparison, if the process trust level 502 is greater than the file trust level 303 (step 1301: Yes), the security level update 113 proceeds to step 1302. On the other hand, in other cases (step 1301: No), the security level update program 113 advances the process to step 1303.

The security level update program 113 in step 1302 refers to the process security level table 500, searches for a record in which the value of the process ID 501 matches the ID of the above-mentioned process, and sets the value of the process trust level 502 of the record. Update with the value of file trust level 303 described above (step 1302).
The security level update 113 also compares the process confidentiality level 503 with the file confidentiality level 304 (step 1303). As a result of this comparison, if the process confidentiality level 503 is smaller than the file confidentiality level 304 (step 1303: Yes), the security level update 113 performs the process of step 1304. Otherwise (step 1303: No), the security level update program 113 ends the flow.

The security level update program 113 in step 1304 refers to the process security level table 500, searches for a record in which the value of the process ID 501 matches the ID of the above-mentioned process, and sets the value of the process confidentiality level 503 of the record. Update with the value of file confidentiality level 304 described above (step 1304).

<Flow example: File write control process>
Subsequently, step 708 in the flow of FIG. 7, that is, the details of the file write control will be described with reference to FIG. FIG. 14 is a flow chart showing an example of the file write control process in the first embodiment.

In this case, the accessability determination program 112 obtains the ID of the process that is about to execute the file writing process based on the information transmitted from the access trial acquisition program 111. Further, the accessability determination program 112 refers to the process security level table 500, searches for a record in which the value of the process ID 501 matches the ID of the process obtained as described above, and searches for the process trust level 502 and the process trust level 502 of the record. Acquire process confidentiality level 503 (step 1401).

Next, the accessability determination program 112 obtains the path of the target file in the file writing process based on the information transmitted from the access trial acquisition program 111. Further, the accessability determination program 112 refers to the file security level table 300, searches for a record in which the value of the file path 302 matches the path of the target file described above, and finds the file trust level 303 and the file confidentiality of the record. Acquire level 304 and file protection level 305 (step 1402).

Subsequently, the accessability determination program 112 compares the above-mentioned process trust level 503 with the file protection level 305 (step 1403). As a result of this comparison, if the process trust level 503 is equal to or greater than the file protection level 305 (step 1403: Yes), the accessability determination program 112 proceeds to step 1404. On the other hand, in other cases (step 1403: No), the accessability determination program 112 advances the process to step 1405.

The accessability determination program 112 in step 1404 permits the file writing by the above-mentioned process, and transmits the permission to the accessability result return program 114 (step 1404). The accessability result return program 114 in this case returns the process to the hook source based on the transmitted information. Further, the accessability determination program 112 transmits the information acquired in the above steps 1401 and 1402 to the security level update program 113.

Further, the accessability determination program 112 in step 1405 prohibits the file writing by the above-mentioned process, and transmits the prohibition to the accessability result return program 114 (step 1405). The accessability result return program 114 in this case returns the process to the hook source based on the transmitted information.

Further, the security level update program 113 calculates the file trust level 303 and the file confidentiality level 304 of the target file described above based on the information transmitted from the accessability determination program 112, and updates the file security level table 300 ( Step 1406). Details of this step will be described later with reference to FIG.

<Flow example: File security level update process when writing a file>
Subsequently, step 1406 in the flow of FIG. 14 described above, that is, the details of the file security level update process at the time of writing a file will be described with reference to FIG. FIG. 15 is a flow chart showing an example of a file security level update process at the time of writing a file in the first embodiment.

In this case, the security level update program 113 compares the process trust level 502 and the file trust level 303 transmitted from the accessability determination program 112 (step 1501). As a result of this comparison, if the process trust level 502 is smaller than the file trust level 303 (step 1501: Yes), the security level update program 113 advances the process to step 1502. On the other hand, in other cases (step 1501: No), the security level update program 113 advances the process to step 1503.

The security level update program 113 in step 1502 refers to the file security level table 300, searches for a record in which the value of the file path 302 matches the path of the target file described above, and searches for a record, and the value of the file trust level 303 of the record. Is updated with the value of the process confidence level 502 described above (step 1502).
Further, the security level update 113 in step 1503 compares the process confidentiality level 503 with the file confidentiality level 304 (step 1503). As a result of this comparison, if the process confidentiality level 503 is greater than the file confidentiality level 304 (step 1503: Yes), the security level update 113 proceeds to step 1504. On the other hand, in other cases (step 1503: No), the security level update program 113 ends the flow.

The security level update 113 in step 1504 refers to the file security level table 300, searches for a record in which the value of the file path 302 matches the path of the target file described above, and searches for a record, and the value of the file confidentiality level 304 of the record. Is updated with the value of the process confidentiality level 503 described above (step 1504).

The white list management system 10 in the first embodiment described above determines whether or not the process can be performed based on the security level set for the file, domain, and process as the process starts the process, communicates, and accesses the file. And the security level is updated to enable access control that does not require maintenance of the white list.

--- Example 2---
In Example 1 described above, the security level is automatically calculated. However, it is expected that the system administrator will have the opportunity to correct the security level due to changes in the security policy and updates of threat information. As described in Example 1, the security levels of files, domains, and processes are calculated based on the security levels of related files, domains, and processes. All other security levels calculated based on the security level to be corrected also need to be corrected. For this reason, the number of security level targets to be corrected becomes enormous, and problems such as the system administrator not being able to grasp all of them and the operational burden increasing occur.

Therefore, as a means to solve these problems, the dependency between the security level of the file, domain, and process is saved in accordance with the security level calculation, and if the security level correction is required later, it is based on this dependency. A possible method is to recalculate all relevant security levels. Hereinafter, an example of a mode for carrying out this method will be described as Example 2.

<Function configuration example>
FIG. 16 is a diagram showing a functional configuration example of the white list management system 10 in the second embodiment. The white list management system 10 in the second embodiment has a plurality of programs installed on the terminals 100_1 to N and operating on the terminals 100_1 to N, a plurality of data stored in the terminals 100_1 to N, a server 140, and a management terminal 150. , Network 160. Such terminals 100_1 to N, the server 140, and the management terminal 150 are communicably connected via the network 160.

Further, the terminals 100_1 to N are computer devices used by the users 101_1 to N. The terminals 100_1 to N include a memory 110, a storage device 120, a communication unit 130, and an input / output unit 131. The users 101_1 to N of the terminals 100_1 to N operate the terminals 100_1 to N via the input / output unit 131.

Further, the server 140 is a server device including a memory 141 and a communication unit 142. Further, the management terminal 150 is an information processing terminal including a communication unit 151 and an input / output unit 152. The system administrator 153 operates the management terminal 150 via the input / output unit 152, and operates the server 140 via the network 160.

Subsequently, the function provided by the white list management system 10 in the second embodiment will be described. Here, the functions realized by executing appropriate programs provided in the terminals 100_1 to N and the server 140 will be described.

In terminals 100_1 to N, the access trial acquisition program 111, the access permission determination program 112, the security level update program 113, the access permission result return program 114, the security level dependency update program 115, and the security level correction program 116 are executed. Program.

Further, in terminals 100_1 to N, file security level 121, domain security level 122, process security level 123, permitted communication method 124, file security level dependency 125, process security level dependency 126, and constant file security level 127. Is retained as data.

Further, on the server 140, the security level correction instruction program 143 and the management screen display program 144 are executed.

Among the above, the access trial acquisition program 111, the access permission / rejection determination program 112, the security level update program 113, and the access permission / rejection result return program 114 are the same programs as those in the first embodiment.

On the other hand, the security level dependency update 115 is a program that updates the file security level dependency 125 and the process security level dependency 126 in accordance with the update of the file security level 121 and the process security level 123 by the security level update 113 described above. Is.

Further, the security level correction program 116 is a program that receives an instruction from the security level correction instruction program 143 and updates the file security level 121 and the process security level 123 based on the file security level dependency 125 and the process security level dependency 126. Is.

The file security level 121, the domain security level 122, the process security level 123, and the permitted communication method 124 are the same information as in the first embodiment described above.

On the other hand, the file security level dependency 125 is a list in which the IDs of the files and domains used for calculating the security level of each file are stored for the files stored in the terminals 100_1 to N. Further, the process security level dependency 126 is a list in which the IDs of the files and domains used for calculating the security level of each process are stored for the processes running on the terminals 100_1 to N. The constant file security level 127 is a list of file security levels input by the system administrator 153. Details of this information will be described later with reference to FIGS. 17 to 19.

Further, the security level correction instruction program 143 is a program that transmits an instruction to the security level correction program 116 according to the input from the system administrator 153. Further, the management screen display program 144 is a program that displays an operation screen and supports input / output when the system administrator 153 operates the server 140.

<Data structure example>
Next, among the data used by the white list management system 10 in the second embodiment, the configuration example of the difference from the above-mentioned first embodiment will be described.

FIG. 17 is a diagram showing a configuration example of the file security level dependency table 2500 in the second embodiment. The file security level dependency table 2500 includes a file ID 2501, a file trust level dependency 2502, a file confidentiality level dependency 2503, and so on. It has a file protection level dependency 2504 as a data item.

Of these, the file ID is an ID uniquely assigned to the file stored in the storage device 203 of the terminal 100, and corresponds to the file ID 301 in the file security level table 300.

Further, the file trust level dependent destination 2502 is the ID of the file and the domain that is the basis of the value of the file trust level 303 of the above-mentioned file. Further, the file confidentiality level dependent destination 2503 is the ID of the file and the domain on which the value of the file confidentiality level 304 of the above-mentioned file is based. Further, the file protection level dependency 2504 is the ID of the file and the domain that is the basis of the value of the file confidentiality level 305 of the above-mentioned file.

FIG. 18 is a diagram showing a configuration example of the process security level dependency table 2600 in the second embodiment. The process security level dependency table 2600 has a process ID 2601, a process trust level dependency 2602, and a process confidentiality level dependency 2603 as data items.

Of these, the process ID 2601 is an ID uniquely assigned to the process operating on the memory 202 of the terminal 100, and corresponds to the process ID 501 in the program security level table 500. Further, the process trust level dependency 2602 is the ID of the file and domain on which the value of the process trust level 502 of the above-mentioned process is based. Further, the process confidentiality level dependent destination 2603 is the ID of the file and domain on which the value of the process confidentiality level 503 of the above-mentioned process is based.

FIG. 19 is a diagram showing a configuration example of the constant file security level table 2700 in the second embodiment. The constant file security level table 2700 has a constant file ID 2701, a constant file trust level 2702, a constant file confidentiality level 2703, and a constant file protection level 2704 as data items.

Of these, the constant file ID 2701 is an ID uniquely assigned to the records in the constant file security level table 2700. Further, the constant file trust level 2702, the constant file confidentiality level 2703, and the constant file protection level 2704 are values corresponding to the file trust level 303, the file confidentiality level 304, and the file protection level 305 in the file security level table 300, respectively. The latter is a value that is automatically updated and changed, while the former is a value that is directly specified by the system administrator 153 and is not automatically updated.

<Flow example: Process security level and dependency update processing at process startup>
When an access trial occurs, the white list management system 10 in the second embodiment executes substantially the same processing as that described with reference to FIGS. 7 to 15 in the first embodiment. Therefore, among the processing flow examples in the second embodiment, the differences from the first embodiment will be described with reference to FIGS. 20 to 23.

FIG. 20 is a flow chart showing an example of updating the process security level and the dependency at the time of starting the process in the second embodiment. The change from the process startup process security level update process 900 in FIG. 9 of the first embodiment is that step 903 is added after step 902. Therefore, step 903 will be described below.

The security level dependency update 115 adds a new record to the process security level dependency table 2600, and uses the process ID 501 and file ID 301 acquired in steps 801, 802, and 804 for the process trust level dependency 2602 and process of the record. It is added to the confidentiality level dependency 2603 (step 903).

<Flow example: Process security level during communication and dependency update processing>
FIG. 21 is a flow chart showing an example of update processing of the process security level during communication and the dependency relationship in the second embodiment. The change from the communication process security level update process 1100 in FIG. 11 of the first embodiment is that step 1105 is added after step 1104. Therefore, step 1105 will be described below.

The security level dependency update program 115 refers to the process security level dependency table 2600, searches for a record in which the process ID 2601 matches the process ID of the process, and uses the domain ID 401 acquired in step 1002 as the process of the record. Add to trust level dependency 2602 and process sensitivity level dependency 2603 (step 1105).

<Flow example: Process security level and dependency update processing when reading a file>
FIG. 22 is a flow chart showing an example of updating the process security level and the dependency at the time of reading the file in the second embodiment. The change from the file reading process security level update process 1300 in FIG. 13 of the first embodiment is that step 1305 is added after step 1304. In the following, step 1305 will be described.

The security level dependency update program 115 refers to the process security level dependency table 2600, searches for a record in which the process ID 2601 matches the process ID of the process, and uses the file ID 401 acquired in step 1202 as the process of the record. Add to trust level dependency 2602 and process sensitivity level dependency 2603 (step 1305).

<Flow example: Process security level and dependency update processing when writing a file>
FIG. 23 is a flow chart showing an example of updating the process security level and the dependency at the time of writing a file in the second embodiment. The change from the file writing process security level update process 1500 in FIG. 15 of the first embodiment is that step 1505 is added after step 1504. Therefore, step 1505 will be described below.

The security level dependency update 115 refers to the process security level dependency table 2600, searches for a record in which the process ID 2601 matches the process ID of the process, and determines the process trust level dependency 2602 and the process confidentiality level of the record. Get the dependency 2603. Further, the security level dependency update program 115 refers to the file security level dependency table 2500, searches for a record in which the file ID 2501 matches the file ID 301 acquired in step 1402, and searches for a record in which the file ID 2501 depends on the file trust level of the record 2502. , File confidentiality level dependent destination 2503 and file protection level dependent destination 2504 are added with the values of process trust level dependent destination 2602 and process confidentiality level dependent destination 2603 (step 1505).

<Flow example: Security level batch correction processing>
Next, an example of the processing flow at the time of security level correction in the second embodiment will be described. FIG. 24 is a flow chart showing an example of the security level batch correction process in the second embodiment.

Here, the system administrator 153 shall transmit the security level correction instruction information to the server 140 via the management terminal 150. This security level correction instruction information includes information on the file or domain subject to security level correction and the security level correction value. On the other hand, the security level correction instruction program 143 of the server 140 transmits the security level correction instruction information to the terminals 100_1 to N based on the security level correction instruction information received from the management terminal 150 described above.

Therefore, the security level correction program 116 in the terminals 100_1 to N receives the above-mentioned security level correction instruction information (step 3201).

Subsequently, the security level correction program 116 determines whether or not the security level correction target included in the above-mentioned security level correction instruction information is a file (step 3202).

If the result of the above determination is a file (step 3202: Yes), the security level correction program 116 advances the process to step 3204. On the other hand, in other cases (step 3202: No), the security level correction program 116 advances the process to step 3203.

The security level correction program 116 in step 3203 refers to the domain security level table 400, searches for a record in which the domain name 402 matches the domain name of the security level correction target specified in the above-mentioned security level correction instruction information, and finds the relevant record. Of the domain trust level 403, domain confidentiality level 404, and domain protection level 405 of the record, for the item for which the correction value is specified in the above-mentioned security level correction instruction information, the item is updated with the correction value (step 3203). ).

On the other hand, the security level correction program 116 in step 3204 refers to the file security level table 300, and the file path 402 or the file hash value 306 is the file path or the file path to be corrected for the security level specified in the above-mentioned security level correction instruction information. A record that matches the file hash value is searched, and among the file trust level 303, file confidentiality level 304, and file protection level 305 of the record, the item for which the correction value is specified in the above-mentioned security level correction instruction information is selected. The item is updated with a correction value (step 3204).

Subsequently, the security level correction program 116 adds a new record to the constant file security level table 2700, and among the constant file trust level 2702, the constant file confidentiality level 2703, and the constant file protection level 2704, the above-mentioned security level correction instruction information. For the item for which the correction value is specified in, the correction value is stored in the item (step 3205). For items for which a correction value is not specified in the above-mentioned security level correction instruction information, the value of the item is left empty.

Next, the security level correction program 116 refers to the file security level dependency table 2500, searches for a record in which the file ID 2501 matches the file ID 301 of the record updated in step 3204 described above, and the file trust level dependency destination 2502. , File confidentiality level dependent destination 2503, File protection level dependent destination 2504, the value of the item corresponding to the item updated in the above step 3204 is deleted, and the value of the constant file ID of the record added in the above step 3205 is set. Store (step 3206).

Further, the security level correction program 116 refers to the file security level dependency table 2500, identifies all the files that depend on the domain or file specified in the above-mentioned security level correction instruction information, and identifies the security level of each file. Is recalculated to update the record in the file security level table 300 (steps 3207 to 3208).

Specifically, the security level correction program 116 performs the following processing. The security level correction program 116 refers to the file security level dependency table 2500 and searches for a record containing the search target ID in any of the file trust level dependency 2502, the file confidentiality level dependency 2503, and the file protection level dependency 2504. To do.

Further, the security level correction program 116 has a file security level table 300 and a domain security level table having records having IDs included in the file trust level dependency 2502 as file ID 301, domain ID 401, and constant file ID 2701 for each corresponding record. 400, search from the constant file security level table 2700, and calculate the minimum values of these file trust level 303, domain trust level 403, and constant file trust level 2702.

Further, the security level correction program 116 refers to the file security level table 300, and updates the value of the file trust level 303 of the record whose file ID 301 matches the file ID 2501 with the above-mentioned minimum value. The security level correction program 116 performs the same processing for the file confidentiality level dependent destination 2503, calculates the maximum value of each confidentiality level, and updates the file confidentiality level value of the corresponding record. Further, the security level correction program 116 performs the same processing for the file protection level dependent destination 2504, and updates the value of the file protection level of the corresponding record using the registered protection level.

After that, the security level correction program 116 sets all the IDs included in the file trust level dependent destination 2502, the file confidentiality level dependent destination 2503, and the file protection level dependent destination 2504 of each record as new search target IDs, and each search target ID. The above process is recursively executed.

As the initial value of the search target ID, the domain ID 401 of the record searched in step 3203 or the file ID 301 of the record searched in step 3204 is set as the first search target ID.

Subsequently, the security level correction program 116 refers to the process security level dependency table 2600, and sets the IDs of the domains and files whose security levels have been updated in steps 3203, 3204, and 3208 described above to the process trust level dependency 2602 or the process. Search for records included in the confidentiality level dependency 2603.

Further, the security level correction program 116 has file security for each corresponding record, as in step 3208 described above, having a record having IDs included in the process trust level dependency 2602 as file ID 301, domain ID 401, and constant file ID 2701. A search is performed from the level table 300, the domain security level table 400, and the constant file security level table 2700, and the minimum values of these file trust level 303, domain trust level 403, and constant file trust level 2702 are calculated.

Further, the security level correction program 116 refers to the process security level table 500, and updates the value of the process trust level 502 of the record whose process ID 501 matches the process ID 2601 with the above-mentioned minimum value.

The security level correction program 116 performs the same processing for the process confidentiality level dependent destination 2603, calculates the maximum value of each confidentiality level, updates the file confidentiality level value of the corresponding record, and also processes the process security level table 500. Is updated (steps 3209, 3210).

FIG. 25 is a diagram showing an example of the security level batch correction screen 3300 in the second embodiment. The security level batch correction screen 3300 includes a target designation screen 3310 and a security level designation screen 3320.

Of these, the target designation screen 3310 includes a file path designation section 3311, a hash value designation section 3312, and a domain designation section 3313.

Further, the security level designation screen 3320 includes a trust level designation unit 3321, a confidentiality level designation unit 3322, a protection level designation unit 3323, a confirmation button 3324, and a reset button 3325.

In the security level batch correction process shown in FIG. 24 above, the system administrator 153 connects to the server 140 from the management terminal 150 via the network 160, calls the management screen display program 144, and operates from the input / output unit 152. I do.

When the target of the security level correction by the system administrator 153 is a file, the file path and hash value of the security level correction target file are input to either or both of the file path specification unit 3311 and the hash value specification unit 3312. The Rukoto.

After that, the system administrator 153 sets the values of the file trust level 303, the file confidentiality level 304, and the file protection level 305 newly set in the file to the trust level specification unit 3321, the confidentiality level specification unit 3322, and the protection level specification unit, respectively. Input to 3323 and press the confirm button 3324.

By the above operation, the above-mentioned security level batch correction process is started.

Further, when the target of the security level correction by the system administrator 153 is a domain, the domain name of the security level correction target is input to the domain designation unit 3313. After that, the system administrator 153 sets the values of the domain trust level 403, the domain confidentiality level 404, and the domain protection level 405 newly set in the domain to the trust level designation unit 3321, the confidentiality level designation unit 3322, and the protection level designation unit, respectively. Input to 3323 and press the confirm button 3324.

By the above operation, the above-mentioned security level batch correction process is started.

When the operation is stopped in the middle, the system administrator 153 presses the reset button 3325.

In addition to the above-described first embodiment, the white list management system 10 in the second embodiment described above holds the dependency between the security levels, and collectively collects the related security levels based on the dependency when the security level is corrected. It is possible to correct it.

−−− Example 3−−−
In the above-mentioned Example 1, the security level is automatically calculated, but it is assumed that the system administrator needs to correct the security level due to a change in the security policy or an update of threat information. Will be done. As mentioned above, the security level of files, domains, and processes is calculated based on the security level of related files, domains, and processes. Therefore, in order to maintain consistency between these, the security level to be corrected All other security levels calculated based on should also be corrected. At this time, since it is assumed that the target of the security level to be corrected becomes enormous, the system administrator cannot grasp the influence of the correction, and there is a possibility that an unexpected adverse effect may occur.

As a means to solve this problem, the dependency between the security level of each file, domain, and process is saved in accordance with the security level calculation, and if the security level correction is required later, it is based on the dependency. It is conceivable to simulate the effect of the correction and present it to assist the system administrator's judgment so that the optimum correction method can be selected. Hereinafter, an example of a mode for carrying out this method will be described as Example 3.

<Function configuration example>
FIG. 26 is a diagram showing a functional configuration example of the white list management system 10 in the third embodiment. The white list management system 10 in the third embodiment has a plurality of programs installed on the terminals 100_1 to N and operating on the terminals 100_1 to N, a plurality of data stored in the terminals 100_1 to N, a server 140, and a management terminal 150. , Network 160. Such terminals 100_1 to N, the server 140, and the management terminal 150 are communicably connected via the network 160.

The terminals 100_1 to N described above are computer devices used by the user 101. Further, the terminals 100_1 to N include a memory 110, a storage device 120, a communication unit 130, and an input / output unit 131. In this case, the user 101 operates the terminals 100_1 to N via the input / output unit 131.

Further, the server 140 is a server device including a memory 141 and a communication unit 142. Further, the management terminal 150 is an information processing device including a communication unit 151 and an input / output unit 152. The system administrator 153 operates the management terminal 150 via the input / output unit 152, and operates the server 140 via the network 160.

Subsequently, the function provided by the white list management system 10 in the third embodiment will be described. Here, the functions realized by executing appropriate programs provided in the terminals 100_1 to N and the server 140 will be described.

In terminals 100_1 to N, the access trial acquisition program 111, the accessability determination program 112, the security level update program 113, the accessability result return program 114, the security level dependency update program 115, the security level correction program 116, and the simulation. The information acquisition program 117 is executed.

Further, in terminals 100_1 to N, file security level 121, domain security level 122, process security level 123, permitted communication method 124, file security level dependency 125, process security level dependency 126, and constant file security level 127. Is retained as data.

Further, on the server 140, the security level correction instruction program 143, the management screen display program 144, and the security level correction simulation program 145 are executed.

Of these, the access trial acquisition program 111, the accessability determination program 112, the security level update program 113, the accessability result return program 114, the security level dependency update program 115, and the security level correction program 116 are the above-described second embodiment. It is a program similar to.

On the other hand, the simulation information acquisition program 117 provides the information required for the security level correction simulation based on the request from the security level correction simulation program 145 to the file security level table 121, the domain security level 122, and the file security level dependency. It is a program that obtains and returns from table 125 and constant file security level table 127.

Further, the file security level 121, the domain security level 122, the process security level 123, the permitted communication method 124, the file security level dependency 125, the process security level dependency 126, and the constant file security level 127 are described in the above-described second embodiment. It is the same information as.

Further, the security level correction simulation program 145 is a program that performs security level correction simulation and information collection necessary for that purpose based on a request from the system administrator 153.

<Flow example: Security level correction support processing>
FIG. 27 is a flow chart showing an example of the security level correction support process in the third embodiment. Hereinafter, the security level correction support processing method will be described based on FIG. 27.

In this case, the system administrator 153 shall transmit the security level correction instruction information to the server 140 via the management terminal 150. This security level correction instruction information includes information on the file or domain subject to security level correction, the security level correction value, and the instruction content.

The management screen display program 144 of the server 140 receives the security level correction instruction information from the management terminal 150 described above (step 4501).

Further, the management screen display program 144 refers to the above-mentioned security level correction instruction information, and determines whether or not the instruction content indicates "search" or "reset" (step 4502).

As a result of the above determination, when the instruction content is "search" or "reset" (step 4502: Yes), the management screen display program 144 transmits the security level correction instruction information to the security level correction simulation program 145. , Proceed to step 4504. On the other hand, in other cases (step 4502: No), the management screen display program 144 advances the process to step 4503.

The management screen display program 144 in step 4503 refers to the above-mentioned security level correction instruction information, and determines whether or not the instruction content is "temporary reflection" (step 4503).

As a result of this determination, when the instruction content is "temporarily reflected" (step 4503: Yes), the management screen display program 144 transmits the above-mentioned security level correction instruction information to the security level correction simulation program 145, and performs processing. Proceed to step 4505. On the other hand, in other cases (step 4503: No), the management screen display program 144 transmits the above-mentioned security level correction instruction information to the security level correction instruction program 143, and proceeds to the process in step 4506.

Further, the security level correction simulation program 145 in step 4504 transmits the above-mentioned security level correction instruction information to the simulation information acquisition program 117 (step 4504). This simulated information acquisition program 117 refers to the file security level dependency table 2500, and refers to all the files and domains having a dependency relationship with the file or domain to be security level corrected, which is included in the above-mentioned security level correction instruction information. Get an ID. Specifically, the following processing is performed.

That is, the simulated information acquisition program 117 searches the file security level dependency table 2500 using the file ID 2501 as a key, starting from the correction target file or domain ID of the above-mentioned security level correction instruction information, and searches the file of the corresponding record. The process of acquiring the ID stored in the trust level dependent destination 2502, the file confidentiality level dependent destination 2503, and the file protection level dependent destination 2504 is recursively repeated.

Further, the simulated information acquisition program 117 starts from the ID of the correction target file or domain of the above-mentioned security level correction instruction information, and sets the file trust level dependent destination 2502, the confidential level dependent destination 2503, and the file protection level dependent destination 2504 as the starting point. The process of searching the file security level dependency table 2500 as a key and acquiring the ID stored in the file ID 2501 of the corresponding record is recursively repeated.

Next, the simulated information acquisition program 117 refers to the file security level table 300, the domain security level table 400, the file security level dependency table 125, and the constant file security level table 127, and refers to the acquired file and domain. All the records matching the IDs are acquired, used as security level correction simulation information, and transmitted to the security level correction simulation program 145.

On the other hand, the security level correction simulation program 145 receives the security level correction simulation information (step 4504), holds the security level correction simulation information in the storage device, and transmits a copy thereof to the management screen display program 144. If the security level correction simulation information is already held, the security level correction simulation program 145 overwrites the security level correction simulation program with new information.

Further, the security level correction simulation program 145 in step 4505 executes the same process as in step 3208 in FIG. 24 based on the above-mentioned security level correction instruction information, and updates the held security level correction simulation information. .. Further, the security level correction simulation program 145 holds the updated security level correction simulation information, and transmits a copy thereof to the management screen display program 144 (step 4505).

Further, the security level correction instruction program 143 in step 4506 transmits the transmitted security level correction instruction information to the security level correction program 116 (step 4506). The security level correction program 116 in this case shall execute the security level batch correction process 3200.

Further, the management screen display program 144 in step 4507 generates a security level correction support screen 4700 based on the transmitted security level correction simulation information and transmits it to the management terminal 150 (step 4507). Details of the security level correction support screen 4700 will be described later with reference to FIG. 28.

FIG. 28 is a diagram showing an example of the security level correction support screen 4700 in the third embodiment. The security level correction support screen 4700 includes a target designation screen 4710, a dependency display screen 4720, and a security level designation screen 4730.

Of these, the target designation screen 4710 includes a file path designation section 4711, a hash value designation section 4712, a domain designation section 4713, and a search button 4714.

In addition, the dependency display screen displays the dependency of the security level of the file and the domain in a graph format.

Further, the security level designation screen 4730 includes a trust level designation unit 4731, a confidentiality level designation unit 4732, a protection level designation unit 4733, a confirmation button 4734, a temporary reflection button 4735, and a reset button 4736.

In the security level batch correction process shown in FIG. 27 above, the system administrator 153 connects to the server 140 from the management terminal 150 via the network 160, calls the management screen display program 144, and inputs / outputs the unit 152. The operation shall be performed from.

When the target of the security level correction by the system administrator 153 is a file, the system administrator 153 sends the file of the security level correction target file to either or both of the file path specification unit 4711 and the hash value specification unit 4712. Enter the path and hash value and press the search button 4714.

Then, the above-mentioned steps 4504 and 4507 are executed, and the server 140 collects the information related to the file or domain specified on the above-mentioned target specification screen 4710 from the terminals 100_1 to N, and collects the information from the terminals 100_1 to the dependency display screen. Display on 4720.

The dependency display screen 4720 displays the information collected by the server 140 as a directed graph with files or domains as nodes and their security level dependencies as edges.

Of these, the node displays the file path, hash value, and domain name that can identify the above file or domain. In addition, the node displays the security level of the file or domain. If the file or domain is registered in a plurality of terminals, the number of terminals in which the information is registered is displayed.

The system administrator 153 can specify the above-mentioned nodes to be corrected for the security level by clicking the screen or the like.

In addition, the system administrator 153 inputs the security level value newly set for the above-mentioned security level correction target into the trust level designation unit 4731, the confidentiality level designation unit 4732, and the protection level designation unit 4733, and the temporary reflection button 4735. When is pressed, steps 4505 and 4507 described above are executed. As a result, the dependency display screen 4720 is updated.

Further, when the system administrator 153 presses the confirm button 4734, the above-mentioned step 4506 is executed, and the above-mentioned security level batch correction process 3200 is executed at the terminals 100_1 to N. On the other hand, when the system administrator 153 presses the reset button 4736, the same process as when the search button 4714 is pressed is executed.

In addition to the above-mentioned Example 2, the white list management system 10 in the third embodiment shown above simulates the influence of the correction based on the dependency between the security levels at the time of the security level correction, thereby managing the correction. It makes it possible to support the judgment of a person.

Although the best mode for carrying out the present invention has been specifically described above, the present invention is not limited to this, and various modifications can be made without departing from the gist thereof.

According to this embodiment, it is possible to reduce the operating cost of updating the white list while achieving both security against cyber attacks and convenience for users and the like.

The description herein reveals at least the following: That is, in the white list management system of the present embodiment, the security level update unit compares the security level information of the predetermined access subject and each target resource, and the security level is lower among the resources. The security level information of the resource may be used to update the security level information of other resources.

According to this, it is possible to update the security level information about the resource according to the relationship between the subject and the target of the access between the resources, accurately considering the effect of the security level deterioration that can be expected due to the access.

Further, in the whitelist management system of the present embodiment, the security level storage unit holds the security level information regarding the file which is the resource, and the accessability determination unit includes the files related to the predetermined access. Based on the security level information of the resource, the propriety of the predetermined access is determined by a predetermined algorithm, and the security level update unit determines the security level of the file related to the predetermined access or the resource whose access target is the file. The information may be updated by a predetermined algorithm.

According to this, depending on the relationship between the subject and target of access between resources including the file, the security related to the file or related resources is accurately taken into consideration based on the effect of the security level reduction that can be expected due to the access. Level information can be updated.

Further, in the whitelist management system of the present embodiment, the security level storage unit holds the security level information regarding the domain which is the resource, and the accessability determination unit includes each of the domains related to a predetermined access. Based on the security level information of the resource, the propriety of the predetermined access is determined by a predetermined algorithm, and the security level update unit obtains the security level information of the resource whose access target is the domain related to the predetermined access. It may be updated by a predetermined algorithm.

According to this, depending on the relationship between the subject and target of access between resources including the domain, the security related to the resource for which the domain is the access target is accurately taken into consideration based on the effect of the security level deterioration that can be expected due to the access. Level information can be updated.

Further, in the whitelist management system of the present embodiment, the security level storage unit holds the security level information regarding the process which is the resource, and the accessability determination unit includes the process related to a predetermined access. Based on the security level information of the resource, the propriety of the predetermined access is determined by a predetermined algorithm, and the security level update unit updates the security level information of the process related to the predetermined access by the predetermined algorithm. It may be a thing.

According to this, security level information about resources related to the process is accurately taken into consideration according to the relationship between the subject and target of access between resources including the process, and the effect of the security level deterioration that can be expected due to the access. Can be updated.

Further, in the white list management system of the present embodiment, the security level dependency storage unit that holds the dependency information that defines the dependency of the security level information between each resource, and the subject and the target for each predetermined access. A security level dependency update unit that updates the dependency information based on the resource relationship may be further provided.

According to this, it becomes possible to appropriately manage the dependency of the security level between resources according to the access related to the resource.

Further, the white list management system of the present embodiment may further include a security level correction unit that updates the security level information based on the dependency information.

According to this, it is possible to appropriately manage the update of the security level information associated with the access related to the resource based on the security level dependency between the resources.

Further, the white list management system of the present embodiment may further include a security level correction simulating unit that simulates the update processing of the security level information based on the dependency information.

According to this, it is possible to present the influence of updating the security level information to a predetermined administrator or the like as a simulation result. As a result, the work efficiency of managers and the like will be improved compared to the past, and the operating cost of updating the white list can be reduced.

Further, in the white list management system of the present embodiment, the security level correction simulation unit may display the result of the simulation on a predetermined device.

According to this, it is possible to present the influence of updating the security level information to a predetermined administrator or the like as a simulation result. As a result, the work efficiency of managers and the like will be improved compared to the past, and the operating cost of updating the white list can be reduced.

Further, in the white list management system of the present embodiment, a server device that manages the update processing of the security level information of the security level storage unit for each of a plurality of terminals including at least the security level storage unit and the accessability determination unit. May include.

According to this, it becomes possible to collectively update and manage the security level information on each terminal on the server side, and as a result, the work efficiency of the administrator of each terminal is improved compared to the past, and the operation of white list update is performed. The cost can be reduced.

10 White list management system 20 Security level storage 100 Terminal 101 User 110 Memory 111 Access trial acquisition program 112 Accessability judgment program 113 Security level update program 114 Accessability result return program 115 Security level dependency update program 116 Security level correction program 117 Simulated information acquisition program 120 Storage device 121 File security level 122 Domain security level 123 Process security level 124 Allowed communication method 125 File security level dependency 126 Process security level dependency 127 Constant file security level 130 Communication unit 140 Server 141 Memory 142 Communication Unit 143 Security level correction instruction program 144 Management screen display program 145 Security level correction simulation program 150 Management terminal 151 Communication unit 152 Input / output unit 153 System administrator 201 CPU
202 Memory 203 Storage device 204 Communication unit 205 Input unit 206 Output unit 207 Bus 300 File security level table 400 Domain security level table 500 Process security level table 600 Allowed communication method table 700 Access control processing 800 Process startup processing 900 Process startup process security Level update process 1000 Communication control process 1100 Communication process security level update process 1200 File read control process 1300 File read process security level update process 1400 File write control process 1500 File write file security level update process 2500 File security level dependency table 2600 Process security level dependency table 2700 Constant file security level table 2800 Process security level and dependency update process at process startup 3200 Security level batch correction process 3300 Security level batch correction screen 4500 Security level correction support process 4700 Security level correction support screen

Claims (10)

A security level storage unit that holds security level information that defines the security level of a predetermined event for each resource that can be the subject or target of access in a predetermined device.
A security level dependency storage unit that holds dependency information that defines the dependency of the security level information between each resource .
Based on the security level information of each resource related to the predetermined access, the access propriety determination unit that determines the propriety of the predetermined access by the predetermined algorithm, and the access propriety determination unit.
A security level update unit that updates the security level information based on the dependency of the security level information between the resources related to the predetermined access.
A white list management system characterized by being equipped with. The security level update unit
Between each resource to be mainly and subjected to the predetermined access, security level information lower resource security level, it is to update the security level information of other resources,
The white list management system according to claim 1. The security level storage unit is
Holds the security level information about the file that is the resource,
The accessability determination unit is
Based on the security level information of each resource including the file related to the predetermined access, the propriety of the predetermined access is determined by a predetermined algorithm.
The security level update unit
It updates the security level information of the file related to the predetermined access or the resource for which the file is accessed.
The white list management system according to claim 1. The security level storage unit is
Holds the security level information about the domain that is the resource,
The accessability determination unit is
Based on the security level information of each resource including the domain related to the predetermined access, the propriety of the predetermined access is determined by a predetermined algorithm.
The security level update unit
It updates the security level information of the resource whose access target is the domain related to the predetermined access.
The white list management system according to claim 1. The security level storage unit is
Holds the security level information about the resource process and
The accessability determination unit is
Based on the security level information of each resource including the process related to the predetermined access, the propriety of the predetermined access is determined by a predetermined algorithm.
The security level update unit
Is intended to update the security level information of the process related to the given access,
The white list management system according to claim 1. The white list management system according to claim 1, further comprising a security level dependency update unit that updates the dependency information based on the relationship between the subject and each target resource in a predetermined access. The white list management system according to claim 6, further comprising a security level correction simulating unit that simulates the update processing of the security level information based on the dependency information. The white list management system according to claim 7, wherein the security level correction simulation unit displays the result of the simulation on a predetermined device. It ’s a server device,
A plurality of terminals including at least the security level storage unit and the accessability determination unit are connected via a network .
A server device that executes update processing of the security level information in the terminal by giving a predetermined instruction to the terminal.
The white list management system according to claim 1, wherein the white list management system comprises. A security level storage unit that holds security level information that defines the security level of a predetermined event and a dependency that defines the dependency relationship of the security level information between each resource for each resource that can be the main body or target of access in the predetermined device. An information processing device equipped with a security level dependency storage unit that holds relationship information
Based on the security level information of each resource related to the predetermined access, the propriety of the predetermined access is determined by the predetermined algorithm.
The security level information is updated based on the dependency of the security level information among the resources related to the predetermined access.
A white list management method characterized by that.

Images