JP7294059B2 - Display system, program and display method - Google Patents

Description

The present invention relates to a display system, program, and display method.

In an ICT (Information and Communication Technology) system, a mechanism is provided for detecting an operation or the like corresponding to a policy violation for the purpose of avoiding ICT risks. For example, monitoring systems are known that record operation logs of business terminals, which are endpoints, in preparation for emergencies. Such operation logs often have a large amount of data, and may be stored for a long period of time, such as several years.

In such a monitoring system, the operation log occupies a storage area for a long period of time, and after a certain period of time has passed, the operation log is saved in an area that is difficult to access.

Techniques for calculating working hours using log data (see, for example, Patent Documents 1 and 2) and similar techniques for automatically creating a daily report (for example, Patent Document 3) are known.

JP 2007-193581 A JP 2006-195777 A JP 2008-097555 A

However, the technology described above does not assume the utilization of operation logs collected by the monitoring system.

Although the operation logs collected by the monitoring system are stored in storage areas and recording media, unless an event such as a security incident occurs that requires analysis of the operation logs (in other words, an emergency otherwise), it is often not used. In other words, system resources that store operation logs are wasted.

Therefore, the inventors focused on this point and thought that limited system resources could be effectively utilized if the accumulated operation logs could be used even when there is no emergency.

An object of the present invention in one aspect is to provide a system capable of performing both monitoring processing using an operation log stored for monitoring purposes and work analysis processing.

In one aspect, the display system may have an information processing terminal used by a user, a server, and an administrator terminal. The server has a first storage area, a work analysis information generation unit, a second storage area different from the first storage area, a reference information generation unit, an analysis unit, and a transmission unit. You can The first storage area may collect and record, from the information processing terminal, operation logs relating to operations performed at the information processing terminal. The work analysis information generation unit may generate work analysis information by analyzing operations performed on a file during a predetermined period based on the operation log. The work analysis information includes first information that distinguishes whether the operation time of the operation is within the working hours of the user, and whether the specified character string is included in the file name or content of the file. second information that distinguishes between The second storage area may record the work analysis information. The reference information generation unit may generate reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the administrator terminal. The analysis unit may output an analysis result of the operation log in response to receiving an instruction to analyze the operation log from the administrator terminal. The transmission unit may transmit the work analysis information to the information processing terminal, and transmit the reference information and the analysis result to the manager terminal. The information processing terminal may include a receiving section that receives the work analysis information from the server, and a display section that displays the work analysis information. The administrator terminal includes a receiving unit that receives the reference information and the analysis result, displays the reference information in response to reception of the reference information, and adds the reference information to the analysis result in response to reception of the analysis result. and a display for displaying the analysis result.

In one aspect, it is possible to provide a system capable of both monitoring processing using operation logs stored for monitoring purposes and work analysis processing.

1 is a diagram for explaining a business system according to one embodiment; FIG. FIG. 10 is a sequence diagram showing an operation example of the business system; It is a figure which shows an example of the work analysis result visualized and shared among employees. FIG. 10 is a diagram showing a display example of analysis processing results and reference data on a management terminal; 3 is a block diagram illustrating functional configuration examples of a monitoring server, a business terminal, and a management terminal according to one embodiment; FIG. FIG. 3 is a diagram showing an example of an operation log DB (database); It is a figure which shows an example of a work analysis result. FIG. 4 is a diagram showing an example of active window information; It is a figure which shows an example of an analysis processing result. It is a figure which shows an example of reference data. FIG. 10 is a diagram showing an example of an output window displayed on a business terminal; FIG. An example of the output window displayed on the work terminal used by the superior is shown. FIG. 10 is a diagram showing an example of a policy setting window displayed on the management terminal; It is a figure which shows an example of an after-hours dictionary table. It is a figure which shows an example of a risk keyword dictionary table. FIG. 10 is a diagram showing an example of a reference data window displayed on the management terminal; FIG. FIG. 10 is a diagram showing an example of an analysis processing result window displayed on the management terminal; 3 is a block diagram showing another functional configuration example of a monitoring server, a business terminal, and a management terminal according to one embodiment; FIG. FIG. 10 is a flow chart illustrating an operation example of generating a work analysis result and displaying an output window in a work cycle of a work terminal; FIG. FIG. 11 is a sequence diagram showing another operation example of the business system; 2 is a block diagram showing a hardware configuration example of a computer that implements functions of a monitoring server; FIG.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described with reference to the drawings. However, the embodiments described below are merely examples, and are not intended to exclude various modifications and application of techniques not explicitly described below. For example, this embodiment can be modified in various ways without departing from the spirit of the embodiment. In the drawings used in the following description, parts with the same reference numerals represent the same or similar parts unless otherwise specified.

[1] One Embodiment [1-1] Configuration Example of Business System FIG. 1 is a diagram for explaining a business system 1 according to one embodiment, and FIG. It is a diagram. The business system 1 is a system for performing predetermined business in an organization such as a company or an organization, and is an example of an ICT system or a monitoring system. As shown in FIG. 1 , the business system 1 may illustratively include a monitoring server 2 , a plurality of business terminals 3 a and 3 b, and a management terminal 4 .

The business terminals 3a and 3b are computers such as PCs (Personal Computers) or servers used by employees of the organization in the business system 1, and are examples of information processing terminals used by users. In the description of one embodiment, the business terminal used by employee A who creates a file is referred to as a business terminal 3a, and the business terminal used by another employee, for example, employee B, who is the superior of employee A, is referred to as a business terminal 3a. It is written as terminal 3b. Hereinafter, when the business terminals 3a and 3b are not distinguished, they are simply referred to as "business terminal 3".

As illustrated in FIG. 2, each business terminal 3 acquires the file operation log 1a (process P1 ), to the monitoring server 2 .

In the business system 1, the monitoring server 2 is an information processing device or computer that collects operation logs of the business terminals 3, which are endpoints, in order to detect operations, etc. corresponding to policy violations for the purpose of avoiding ICT risks. An example.

The monitoring server 2 may be a virtual server (VM; Virtual Machine) or a physical server. Also, the functions of the monitoring server 2 may be implemented by one computer, or may be implemented by two or more computers. Furthermore, at least some of the functions of the monitoring server 2 may be implemented using HW (Hardware) resources and NW (Network) resources provided in the cloud environment.

Also, the monitoring server 2 may be connected to other devices such as one or both of the business terminal 3 and the management terminal 4 via a network so as to be able to communicate with each other. The network may include a WAN (Wide Area Network), a LAN (Local Area Network), or a combination thereof. A WAN may include the Internet.

The monitoring server 2 according to one embodiment makes effective use of the operation log by performing both the monitoring process and the work analysis process using the operation log stored for monitoring purposes.

As illustrated in FIG. 1, the monitoring server 2 according to one embodiment includes an operation log DB (Database) 21, a work analysis unit 22, work analysis data 23, a cause analysis unit 24, and an analysis screen generation unit 25. Prepare.

The operation log DB 21 is a DB for accumulating file operation logs 1a of operation contents performed by a plurality of business terminals 3. FIG. The monitoring server 2 may, for example, collect the file operation logs 1a from each of the plurality of business terminals 3 and store them in the operation log DB 21 .

The file operation log 1a is an example of the operation log, and may include, for example, the file name of the file to be operated, the type of operation, and the content of the operation. The content of the operation may include, for example, an input character string such as text input to the file. The file operation log 1a may also be referred to as a raw operation log, for example, a "raw log".

In the above description, an example in which the operation log acquired from the business terminal 3 is stored in the operation log DB 21 is used, but the area for storing the operation log is not limited to this. For example, after a predetermined period of time has passed since the operation log was acquired, the storage location may be changed to an external storage medium or a low-speed storage device for archiving.

As illustrated in FIG. 2, the monitoring server 2 collects the file operation logs 1a from the business terminals 3 (process P2) and stores them in the operation log DB 21. FIG. The processes P1 and P2 may be executed each time a file is operated on the business terminal 3 .

The work analysis unit 22 analyzes the operation log DB 21, generates the work analysis result 1b of the previous day or the previous time for each business terminal 3, and stores and accumulates it in the work analysis data 23 (see process P3 in FIG. 2). The work analysis result 1b is an example of work analysis information obtained by analyzing operations performed on files during a predetermined period (for example, a period of one day).

The work analysis result 1b may be referred to as an "output" which means a file "created" or "referenced" by the business terminal 3 (employee). "Creating" a file may include saving and updating the file. "Referring" to a file may include opening and duplicating (duplicating, copying) the file. In the following description, "create" and "reference" may be collectively referred to as "access".

The work analysis result 1b includes, for example, an overtime work flag indicating whether or not the file was operated outside business hours, and a risk keyword indicating whether or not the specified risk keyword is included in the file name. flags, or both. Note that the risk keyword flag may indicate whether or not the specified risk keyword is included in the content of the file in addition to or instead of the file name.

The overtime work flag is an example of first information that distinguishes whether or not the operation time of the operation performed on the file is within the working hours of the employee (user). Also, the risk keyword is an example of second information that distinguishes whether or not the designated character string is included in the file name or content of the file.

In this way, based on the file operation log 1a, the work analysis unit 22 obtains the work analysis result 1b for the predetermined period, which includes one or both of the overtime work flag and the risk keyword flag. is an example of a work analysis information generation unit that generates a

The work analysis result 1b may also include information on the number of times the file was saved and the time during which the file was operated (for example, the time during which the window was active).

The work analysis data 23 is a DB that accumulates the work analysis results 1b for each business terminal 3. FIG. The work analysis data 23 may be stored in the monitoring server 2 as a DB different from the operation log DB 21 .

The monitoring server 2 outputs the work analysis result 1b for each work terminal 3 accumulated in the work analysis data 23 to the work terminal 3 at a predetermined timing. For example, when the work analysis unit 22 generates the work analysis result 1b for the previous day after the date is changed, the monitoring server 2 transmits the work analysis result 1b for the previous day to the business terminal 3 designated as the destination.

As an example, when the designated range is the employee and his superior, the monitoring server 2 associates (associates) the work analysis result 1b of the business terminal 3a of employee A with the business terminal 3a and the business terminal 3a. and the business terminal 3b of the employee B who is the boss of the employee A. The monitoring server 2 also transmits the work analysis result 1b of the business terminal 3b of the employee B to the business terminal 3b.

The business terminal 3 receives the work analysis result 1b of the previous day from the monitoring server 2 after the date change (next day), for example, after activation or logon (login), and displays the received work analysis result 1b on an output device such as a monitor. (See process P4 in FIG. 2). As a result, the work analysis result 1b is presented to the employee.

Note that the process P3 may be executed, for example, each time the file operation log 1a is received from the business terminal 3 or the received file operation log 1a is stored in the operation log DB 21. FIG. Alternatively, the process P3 may be executed for the file operation log 1a relating to the operations performed on the previous day after the date change (next day) every predetermined period such as one day.

In addition, the process P4 may be performed when the business terminal 3 is activated (later) or logged on (later). For example, the monitoring server 2 may transmit the previous day's work analysis result 1b to the business terminal 3 when a request from the business terminal 3 is detected after the business terminal 3 is activated or logged on.

The process P4 is executed after the business terminal 3 is activated or logged on after the date is changed because the file operation log 1a acquired in the process P1 is sent from the business terminal 3 to the monitoring server 2 before the date is changed. In other words, it is assumed that business hours are during the daytime. Organizations, departments, or employees that use the business system 1, depending on the work content, work style, time (eg, season, busy season, off-season, normal season, etc.), region (eg, bases established in other countries), etc. , the execution timing of the process P4 may differ, for example, for each organization, department, or employee, and/or for each period.

In this way, the business terminal 3 can visualize (share) the previous day's or previous employee's output among employees within a specified range, including the employee and the employee's superior. can.

FIG. 3 is a diagram showing an example of work analysis results 1b visualized and shared among employees. As shown in FIG. 3, the work analysis result 1b may illustratively include a list of created files and a list of referenced files as the previous day's output for each employee.

The created file list includes, for example, the items of "output", "number of saves", "work time", "overtime work flag", and "risk keyword flag" indicating the output file name. may be included. The reference file list may include, for example, the items "output", "reference time", "overtime work flag", and "risk keyword flag".

In each of the creation file list and the reference file list, at least the contents of the "output" in the entries for which the "risk keyword flag" is enabled (on), such as "1", must be distinguished from other entries. may be indicated separately. In the example of FIG. 3, the file name of the "No. 2" entry in the reference file list may be highlighted. Examples of highlighting may include a color different from other characters (eg, red), a character width different from that of other characters (eg, bold), and the like. Also, items other than "output" ("risk keyword flag" in the example of FIG. 3) may be added to the target of highlighting. In addition to or instead of entries with "Risk keyword flag" enabled (ON), entries with "Overtime work flag" enabled (ON) are highlighted. may be

By visualizing the work analysis result 1b in this way, the employee can easily check the degree of completion of his/her own task, for example, before starting daily work. Therefore, it is possible to easily realize task management such as confirmation of leftover work and prevention of forgetting today's work, and also to visualize completed work, thereby giving employees a sense of accomplishment.

In addition, employees can share their work status, such as progress and results, with their superiors without being conscious of it. This eliminates the need for employees to report work status to their superiors, and also increases opportunities for superiors to communicate with employees, such as receiving praise from superiors, thereby satisfying employees' need for approval. can.

Furthermore, the boss can easily grasp the progress of the employee's work, and can easily talk to the employee about the progress and make an appropriate evaluation. For example, based on the contents of the output file and items such as work time and number of saves in the work analysis result 1b, if it is judged that the progress is small relative to the work time of the employee, the boss may ask can create a trigger. For this reason, it can lead to mental follow-up and problem solving for employees. As a result, it is possible to give the employee a sense of satisfaction, and to increase the employee's motivation for the next task.

As described above, according to the business system 1, the productivity and motivation of employees can be improved, and the mindset of employees can be improved.

In addition, the overtime work flag included in the work analysis result 1b allows the boss to grasp the output of the employee during non-business hours such as late at night (employee's non-working hours). As a result, the boss can follow up on employees, review work assignments, and improve working conditions that go against (violate) policies such as work style reform.

Returning to the description of FIG. 1, the management terminal 4 is a computer such as a PC or a server for managing the monitoring server 2 and the business terminal 3 in the business system 1. It is an example of a terminal.

In the event of an emergency, for example, when a security incident such as information leakage occurs, the system administrator may use the management terminal 4 to track files related to the security incident (eg, leaked files). Then, the system administrator may specify the file name of the file related to the security incident identified by the tracing work, and instruct the monitoring server 2 to execute the process of analyzing the cause of the security incident. The cause analysis process is a process of identifying a leak route, for example, a user, a date and time, a cause operation, etc., which is the source of the leaked file.

For this reason, for example, in the event of an emergency, the management terminal 4 instructs the monitoring server 2 to create the reference data 1d (analysis start notification; see process P5 in FIG. 2), A creation instruction (analysis instruction; see process P8 in FIG. 2) is transmitted.

The cause analysis unit 24 of the monitoring server 2 executes analysis processing for analyzing the cause of the security incident based on the operation log DB 21 (file operation log 1a) according to the analysis instruction received from the management terminal 4. FIG. Examples of security incident analysis processing include identification of the operation that caused the incident, identification of the user who performed the operation, identification of the date and time when the operation was performed, and the like.

For example, the cause analysis unit 24 uses the file name specified by the management terminal 4 to search the operation log DB 21 as a search target, and the business terminal 3 that operated the file with the specified file name, and the business terminal 3 Extract the contents of the operation by . Then, the cause analysis unit 24 analyzes the cause such as the outflow route based on the extracted information such as the business terminal 3 and the details of the operation (see process P9 in FIG. 2). The cause analysis processing by the cause analysis unit 24 may be realized by various known techniques.

The cause analysis unit 24 is an example of an analysis unit that outputs analysis results of the file operation log 1a in response to receiving an analysis instruction for the file operation log 1a from the management terminal 4. FIG.

The analysis screen generation unit 25 generates an analysis screen and outputs data of the generated screen to the management terminal 4 . The analysis screen displays the result of analysis processing by the cause analysis unit 24 (see analysis processing result 1c in FIG. 1) and the analysis result using the work analysis data 23 (see reference data 1d in FIG. 1). and a screen.

For example, from the work analysis data 23, the analysis screen generation unit 25 generates work analysis results related to one or both of accesses to files performed outside business hours and accesses to files containing risk keywords in their file names. 1b is extracted as reference data 1d. Reference data 1d is an example of reference information. Extraction (generation) of the reference data 1d corresponds to processing P6 in FIG.

In extracting the reference data 1d, the analysis screen generation unit 25 may extract, from the work analysis data 23, an entry in which one or both of the overtime work flag and the risk keyword flag are set to valid (ON), for example.

The analysis screen generation unit 25 is an example of a reference information generation unit that generates the reference data 1d based on the work analysis result 1b in response to receiving from the management terminal 4 an instruction to start analysis of the file operation log 1a.

In addition, the monitoring server 2 (for example, the work analysis result transmission unit 27 described later using FIG. 5) and the analysis screen generation unit 25 transmit the work analysis result 1b to the business terminal 3, and the reference data 1d and the analysis processing result 1c to the management terminal 4. FIG.

In this manner, the cause analysis unit 24 and the analysis screen generation unit 25 operate in response to a request from the management terminal 4, for example, in the event of an emergency such as a security incident.

When receiving the screen data of the reference data 1d from the monitoring server 2, the management terminal 4 displays the screen of the reference data 1d on an output device such as a monitor (see process P7 in FIG. 2). Further, when receiving the screen data of the analysis processing result 1c from the monitoring server 2, the management terminal 4 displays the screen of the analysis processing result 1c together with the screen of the reference data 1d on an output device such as a monitor (process P10 in FIG. 2). reference). Thereby, the analysis processing result 1c and the reference data 1d can be presented to the administrator.

As an example, the management terminal 4 displays the screen of the reference data 1d on the output device as shown in FIG. It may be included in the analysis instruction and transmitted to the monitoring server 2 (process P8). Then, the management terminal 4 may display the screen of the analysis processing result 1c (process P9) based on the file name included in the analysis instruction on the output device together with the screen of the reference data 1d (process P10). Note that the processes P7 to P10 (or the processes P5 to P10) may be repeatedly executed until the administrator completes identification of the cause.

Here, with reference to FIG. 4, an example of the flow from occurrence of a security incident to identification of the cause will be described. FIG. 4 is a diagram showing a display example of the analysis processing result 1c and the reference data 1d on the management terminal 4. As shown in FIG. In the example of FIG. 4, it is assumed that customer information is leaked as a security incident.

The management terminal 4 acquires reference data 1d illustrated in FIG. For example, assume that the system administrator focuses on the entry "No. 2" that includes the risk keyword "customer" and accesses "XX product customer list.txt" outside business hours. In this case, the management terminal 4 designates, for example, "XX product customer list.txt" (and user name "AD\matsushita"), issues an analysis instruction to the cause analysis unit 24, and Display the analysis processing result 1c. A display example at this time is shown in FIG.

In the analysis processing result 1c, the file on the file server is duplicated immediately after the access to "00 product customer list.txt" shown in the reference data 1d (see the first entry). Then, it is saved as "a.docx" on the desktop with the user name "AD\matsushita" (second entry). Based on this information, the system administrator believes that one of the possible causes (exfiltration route) is that the user name "AD\matsushita" causes "○○ product customer list.txt" on the file server to be "a.docx ” can be identified as being duplicated.

In this way, by using the reference data 1d as reference information for tracking security incidents, it is possible to obtain an appropriate analysis processing result 1c. Further, by changing the analysis instruction conditions (file name and user name) based on the reference data 1d, the analysis processing result 1c can be repeatedly verified.

Here, one of the causes of security incidents such as information leakage is that information is taken out by malicious employees. Employees refer to a large number of internal files in the course of their work, and the referenced files include personal information and confidential information.

Such reference behavior is difficult to grasp in daily work, and is often found during tracking work by system administrators after an actual security incident has occurred. In addition, it often takes a long time for system administrators to identify the cause of an outflow route or the like if there is no information such as a file name.

According to the business system 1 according to one embodiment, as illustrated in FIG. 4, the monitoring server 2 accesses a file having a file name including a predefined risk keyword and/or accesses the file outside business hours. You can list the employees who have accessed the As a result, when a security incident occurs, the system administrator can use the listed reference data 1d as a tracking material, facilitating early cause identification. That is, it is possible to shorten the time required to identify the cause of a security incident as much as possible.

Also, if there is a concern about security risks associated with file references by employees, it is important for not only system administrators but also supervisors to quickly grasp such risks.

According to the business system 1 according to one embodiment, as illustrated in FIG. 3, since the previous day's output of the employee A is shared with the employee B (supervisor), the boss is aware of the risk of information leakage by the employee. can be detected at an early stage, and security incidents can be prevented from occurring.

For example, a manager can see files viewed by employees the previous day, including files viewed or created outside of predefined working hours, and file name references containing risk keywords. Therefore, the boss can check or warn the employee before the security incident occurs, and the security incident can be prevented.

Also, for example, output visualization allows employees to see a record of access to risky files and access to files outside of working hours. This makes it possible to make employees aware that such access is risky and that file operations are being monitored, thereby preventing security incidents.

As described above, according to the business system 1 according to one embodiment, it is possible to detect the risk of information leakage in an employee's business at an early stage, and to shorten the time required to identify the cause when a security incident occurs.

In addition, since the operation log DB 21, which has conventionally been used only in emergencies, can be effectively utilized for output visualization (sharing), the storage resources of the storage area of the monitoring server 2 can be efficiently used. can be done. That is, the business system 1 can perform both monitoring processing and work analysis processing using the operation log DB 21 stored for monitoring purposes.

[1-2] Functional Configuration Examples of Monitoring Server, Business Terminal, and Management Terminal Next, functional configuration examples of each of the monitoring server 2, business terminal 3, and management terminal 4 will be described. FIG. 5 is a block diagram showing a functional configuration example of the monitoring server 2, business terminal 3, and management terminal 4 according to one embodiment.

[1-2-1] Functional Configuration Example of Monitoring Server As illustrated in FIG. , an analysis screen generation unit 25 may be provided. In addition to these, the monitoring server 2 may include an operation log collection unit 26, a work analysis result transmission unit 27, a reference data DB 28, and a policy application unit 29. Further, the analysis screen generator 25 may include a reference data generator 25a and a screen generator 25b.

The operation log DB 21 may be stored, for example, in the first storage area of at least one of the memory 10b and the storage unit 10c (see FIG. 21) included in the monitoring server 2. FIG. The work analysis data 23 may be stored, for example, in a second storage area different from the first storage area of at least one of the memory 10b and the storage unit 10c provided in the monitoring server 2. FIG. The reference data DB 28 may be stored, for example, in a third storage area of at least one of the memory 10b and the storage unit 10c included in the monitoring server 2. FIG.

FIG. 6 is a diagram showing an example of the operation log DB 21. As shown in FIG. As shown in FIG. 6, the operation log DB 21 may include, for example, items of "date and time", "terminal number", "user name", "operation", and "contents".

In the "date and time", the date and time when the file was operated on the business terminal 3 is recorded. "Terminal number" is an example of identification information for identifying the business terminal 3 that performed the file operation. An example of the terminal number is the asset management number of the business terminal 3 . An asset management number is a unique character string used to identify a device in the business system 1. FIG.

The "user name" records the account name of the user, such as an employee, who is logged on to the business terminal 3 that has performed the file operation.

"Operation" records the type of operation performed on the file. Examples of operations include processing such as reference, creation, deletion, movement, renaming (change of file name), input, and update.

"Content" records the details of the operation content for the file. The operation content may include the file name of the file to be operated (processed) and the storage location of the file. For example, the operation contents may include the details of the operation target and the operation contents, such as the name of the operated file, the source and destination of the movement, the name of the original file and the name of the file after renaming.

As illustrated in FIG. 5, the operation log collection unit 26 receives the file operation log 1a from each of the plurality of business terminals 3, and stores the received file operation log 1a in the operation log DB 21 item by item.

The work analysis unit 22 analyzes the operation log DB 21 , generates the work analysis result 1 b of the previous day or the previous time for each business terminal 3 , and saves and accumulates it in the work analysis data 23 .

FIG. 7 is a diagram showing an example of the work analysis result 1b. As shown in FIG. 7, the work analysis result 1b may illustratively include created file information 23a and reference file information 23b.

For example, from the operation log DB 21, the work analysis unit 22 extracts an entry whose “date and time” is the previous day for each business terminal 3, and selects either the created file information 23a or the reference file information 23b according to the contents of the “operation”. You can divide it into crabs. For example, the created file information 23a stores an entry whose "operation" is to create, for example save or update, and the referenced file information 23b stores an entry whose "operation" is to refer to, for example, reference, open or copy. may be

The contents of the created file information 23a are the same as the created file list illustrated in FIG. "Output" indicates the name of the created file. The "number of saves" is the count result of the number of times the file has been saved or updated. "Working time" is the result of totaling the time during which the window of the file was active. For example, the work analysis unit 22 may calculate the active time for each file based on the active window information shown in FIG.

As exemplified in FIG. 8, the active window information (not shown in FIG. 5) includes “date and time” when the window became active, “terminal number”, “user name”, “application”, and “window title”. ” may be included.

The work analysis unit 22 refers to the active window information and, for example, finds the time difference from the date and time when the window of a certain file becomes active to the date and time when the window of the next (another) file becomes active. It may be calculated as "work time" for a certain file. The "output" in the work analysis result 1b corresponds to the "window title" in the active window information.

The active window information may be, for example, part of the information within the operation log DB 21 . In other words, the business terminal 3 may transmit the file operation log 1a including the active window information to the monitoring server 2 and store it in the operation log DB 21 .

At least one of an overtime work flag and a risk keyword flag may be included in the created file information 23a.

For example, the work analysis unit 22 validates (for example, "1") the overtime work flag of the entry whose "date and time" in the operation log DB 21 is included in the specified overtime work time zone for the created file information 23a. ).

In addition, the work analysis unit 22 sets the risk keyword flag of the entry including the designated risk keyword in the file name of "output" to valid (for example, "1") in the creation file information 23a. good. In addition to or instead of comparing the output file name and the risk keyword, the work analysis unit 22 enables ( For example, it may be set to "1"). Judgment of whether or not risk keywords are included in the output file content (text) is performed, for example, by comparing each word obtained by executing natural language processing such as morphological analysis on the text and the risk keywords. may be done.

The work analysis unit 22 may acquire information on the specified overtime work hours and risk keywords from the management terminal 4 through the policy application unit 29 .

In addition to the items shown in FIG. 7, the created file information 23a may include the following information.

Created date and time: The date and time when the file was newly created, eg, the date and time when the application window was last activated.
Terminal number: asset management number of the business terminal 3 that created the file.
- User name: If the user name is registered as asset information, the name of the user of the business terminal 3 that created the file.
・File path: The full path of the created file.
Boss terminal number: the terminal number of the business terminal 3 used by the boss of the user of the business terminal 3 .

The contents of the reference file information 23b are the same as the reference file list illustrated in FIG. "Output" indicates the referenced file name. "Reference time" is the total result of the time during which the window of the file was active. Aggregation of active time is the same as in the created file information 23a.

In addition to the items shown in FIG. 7, the reference file information 23b may include the following information.

Viewed Date: The date and time the file was opened for viewing, eg, the date and time the application window was last activated.
- Terminal number: The asset management number of the business terminal 3 that opened the file.
- User name: If the user name is registered as asset information, the name of the user of the business terminal 3 who opened the file.
・File path: The full path of the opened file.
Boss terminal number: the terminal number of the business terminal 3 used by the boss of the user of the business terminal 3 .

The work analysis result transmission unit 27 reads the previous day's work analysis result 1b created by the work analysis unit 22 from the work analysis data 23, and transmits it to the work terminal 3 specified by the terminal number and boss terminal number.

The work analysis result transmission unit 27 acquires information such as whether or not to transmit the work analysis result 1b to the work terminal 3 of the superior and the transmission timing of the work analysis result 1b from the management terminal 4 through the policy application unit 29. good.

The cause analysis unit 24 creates an analysis processing result 1c illustrated in FIG. , to the analysis screen generation unit 25 .

The reference data generation unit 25 a of the analysis screen generation unit 25 generates reference data 1 d from the work analysis data 23 and stores the generated reference data 1 d in the reference data DB 28 .

The reference data DB 28 is a DB that stores reference data 1d illustrated in FIG. As shown in FIG. 10, the reference data 1d includes, for example, "No.", "Access date and time", "File name", "Risk keyword", "Terminal number", "User name", and " The item "user name" may be included.

For example, the reference data generation unit 25a generates the reference data 1d for unprocessed entries in the work analysis data 23 each time the work analysis data 23 is updated by the work analysis unit 22 or at predetermined intervals. you can Alternatively, the reference data generator 25 a may generate the reference data 1 d in response to the analysis start notification from the management terminal 4 .

The reference data 1d may include the following information in addition to the items shown in FIG.

- Type: create or reference. It indicates whether it is extracted from any of the created file information 23a and the reference file information 23b.
- File path: the full path of the created or opened file.
- Overtime work flag.
- Risk keyword flag.

The screen generation unit 25b generates a screen displaying the reference data 1d or a screen displaying the analysis processing result 1c in response to a request from the management terminal 4, and transmits information on the generated screen to the management terminal 4. do.

For example, upon receiving an analysis start notification from the management terminal 4, the screen generator 25b extracts (generates) the reference data 1d to be transmitted from the reference data DB 28, and generates screen data for displaying the extracted reference data 1d. , to the management terminal 4 .

Note that, for example, when the analysis start notification received from the management terminal 4 includes the specification of one or both of the access date and time range and the file name or the risk keyword, the screen generation unit 25b , the reference data 1d may be narrowed down.

In addition, the screen generation unit 25b acquires the analysis processing result 1c created by the cause analysis unit 24 in response to the analysis notification from the management terminal 4, generates screen data for displaying the acquired analysis processing result 1c, and manages it. Send to terminal 4.

When the policy application unit 29 receives policy-related information from the management terminal 4, the policy application unit 29 applies the policy according to the received information. For example, the policy application unit 29 outputs information on the time period of overtime work and risk keywords among the received information to the work analysis unit 22, and information on whether or not to transmit the work analysis result 1b to the boss and information on the transmission timing. It is transmitted to the work analysis result transmission unit 27 .

[1-2-2] Functional Configuration Example of Business Terminal As shown in FIG. may be provided. Note that the operation log acquisition unit 32 and the display control unit 33 may be realized by an application that operates on the OS of the business terminal 3 , for example, an application as an agent of the monitoring server 2 .

The file operation unit 31 performs operations (processes) such as reference, creation, deletion, movement, renaming, input, and updating of files. The file operation unit 31 may be implemented as one function of an OS (Operating System) executed by the business terminal 3, or may be implemented as various applications that operate on the OS.

The operation log acquisition unit 32 collects various information related to operations by the file operation unit 31 in each of the plurality of business terminals 3 , creates a file operation log 1 a , and transmits the file operation log 1 a to the monitoring server 2 . The file operation log 1a may include information on at least one operation of creating, moving, renaming, inputting, and updating files, for example.

The operation log acquisition unit 32 may transmit the file operation log 1a to the monitoring server 2 at a predetermined timing. As the predetermined timing, for example, various timings such as every time an operation is performed on the business terminal 3, every certain period of time, or at the time of a request from the monitoring server 2 can be cited.

The display unit 34 is a display device such as a monitor provided in the business terminal 3 . The display unit 34 may have an input function in addition to the display (output) function. As an example, the display unit 34 may be an input/output device having an input/output function, such as a touch panel.

The display control unit 33 is an example of a receiving unit that receives the work analysis result 1b from the monitoring server 2. Based on the work analysis result 1b received from the work analysis result transmitting unit 27 of the monitoring server 2, the display control unit 33 displays a display as illustrated in FIG. Then, the output window 300 is displayed on the display section 34 .

As illustrated in FIG. 11 , the output window 300 may include at least a created file list 310 , a referenced file list 320 , and a close button 330 for exiting the output window 300 .

The created file list 310 and the reference file list 320 are examples of the work analysis result 1b. The created file list 310 is a list of files created on the previous day by the business terminal 3, and may be created based on the created file information 23a, for example. The reference file list 320 is a list of files referenced by the business terminal 3 on the previous day, and may be created based on the reference file information 23b, for example.

If the file created and referenced the day before does not exist due to a holiday or after the vacation, the output window 300 displays that the file for the previous day does not exist, and then displays the most recent past (for example, a holiday or The work analysis result 1b (for the day before the vacation) may be displayed.

Also, an output window 301 may be displayed on the business terminal 3b used by the superior, as illustrated in FIG. The output window 301 may be provided with a tab 340 capable of switching display of work analysis results 1b of a plurality of work terminals 3a serving as subordinates. In the output window 301, the boss's own work analysis results 1b may also be displayed switchably with a tab 340, and the boss's own work analysis results 1b may be displayed in another output window 300 (see FIG. 11). may be displayed in

[1-2-3] Functional Configuration Example of Management Terminal As shown in FIG. A display control unit 45 and a display unit 46 may be provided. Note that the policy setting unit 42, the reference data acquisition unit 43, the analysis result acquisition unit 44, and the display control unit 45 may be realized by an application as an agent that operates on the OS of the management terminal 4, for example.

The memory unit 41 stores various information used for processing of the management terminal 4 . Information stored in the memory unit 41 will be described later. As the memory unit 41, one of a memory such as a volatile memory such as a DRAM and a nonvolatile memory such as a PM, and a storage unit such as a HDD (Hard Disk Drive) or SSD (Solid State Drive), or Both are included. DRAM is an abbreviation for Dynamic Random Access Memory, and PM is an abbreviation for Persistent Memory.

The policy setting unit 42 sets a policy for the business system 1 and distributes it to the monitoring server 2 . A policy may include, for example, various definitions relating to output visualization.

The reference data acquisition unit 43 acquires the reference data 1d from the monitoring server 2 in case of an emergency such as a security incident. For example, the reference data acquisition unit 43 transmits an analysis start notification to the monitoring server 2 in response to an operation by the system administrator, receives the reference data 1d from the monitoring server 2, for example, screen data for displaying the reference data 1d, Output to the display control unit 45 .

The analysis result acquisition unit 44 acquires the analysis processing result 1c from the monitoring server 2 . For example, the analysis result acquisition unit 44 transmits an analysis instruction including analysis conditions to the monitoring server 2 in response to an operation by the system administrator based on the reference data 1d, and the analysis processing result 1c from the monitoring server 2, for example, the analysis processing result The screen data for displaying 1c is received and output to the display control unit 45 .

The reference data acquisition unit 43 and the analysis result acquisition unit 44 are examples of a reception unit that receives the reference data 1 d and the analysis processing result 1 c from the monitoring server 2 . Note that the reference data acquisition unit 43 and the analysis result acquisition unit 44 may receive the reference data 1d and the analysis processing result 1c themselves from the monitoring server 2, respectively.

The display unit 46 is a display device such as a monitor provided in the management terminal 4 . The display unit 46 may have an input function in addition to the display (output) function. As an example, the display unit 46 may be an input/output device having an input/output function, such as a touch panel. For example, the display unit 46 displays the reference data 1d upon reception of the reference data 1d, and displays the analysis processing result 1c in addition to the reference data 1d upon reception of the analysis processing result 1c.

The display control section 45 performs various display controls on the display section 46 . Hereinafter, the policy setting unit 42, the reference data acquisition unit 43, and the analysis result acquisition unit 44 will be described with reference to screen examples displayed on the display unit 46 by the display control unit 45. FIG.

(Example of policy setting window)
FIG. 13 is a diagram showing an example of the policy setting window 400. As shown in FIG. Note that the policy setting window 400 illustrated in FIG. 13 is a screen focused on the “output visualization” policy (settings related to output visualization), which is at least part of the policies set by the policy setting unit 42. .

As illustrated in FIG. 13, policy settings window 400 may include radio button 401 to enable or disable employee output visualization. When the radio button 401 is set to be valid, under the "output visualization" policy, enable buttons 402 and 403 for overtime check and risk check, output timing, and output content selection fields 404 to 406 are selected. It becomes possible.

An overtime check validation button 402 is a button for setting whether to validate or invalidate determination and addition of an overtime work flag for the work analysis result 1b. When the activation button 402 is set to be valid, the overtime start time 402a and overtime end time 402b can be set. In the work analysis result 1b created by the monitoring server 2 according to this policy, the overtime work flag of the access performed within the set time range is set to ON.

A risk check validation button 403 is a button for setting whether to validate or invalidate determination and addition of a risk keyword flag for the work analysis result 1b. When the validation button 403 is set to valid, the risk keyword can be set (registered). In the work analysis result 1b created by the monitoring server 2 according to this policy, the risk keyword flag for access to files containing the registered risk keyword in the file name is set to ON. Risk keywords can be edited (for example, registered, deleted, modified, etc.) from a list screen (not shown) displayed by pressing the list button 403b, and the registered number 403a is updated according to the registration or deletion of risk keywords. be done.

It should be noted that activation buttons 402 and 403 for after-hours check and risk check can be set to disable both, enable only one of them, or enable both.

When the activation button 402 is activated, the policy setting unit 42 may create or update the after-hours dictionary table 41a based on the settings. Further, when the activation button 403 is set to be valid, the policy setting unit 42 may create or update the risk keyword dictionary table 41b based on the setting contents. For example, the policy setting unit 42 may store this information in the memory unit 41 and transmit it to the policy application unit 29 of the monitoring server 2 .

FIG. 14 is a diagram showing an example of the after-hours dictionary table 41a, and FIG. 15 is a diagram showing an example of the risk keyword dictionary table 41b.

As shown in FIG. 14, the overtime dictionary table 41a contains the "start time" and "end time" of the time period for overtime work (the overtime start time 402a and overtime end time 402b, respectively, in FIG. 13). ) may be included. In the overtime dictionary table 41a, a plurality of time periods for overtime work may be defined, such as "lunch break" from "12:00" to "13:00". For example, for the work analysis result 1b, the work analysis unit 22 of the monitoring server 2 determines that if the access date and time is within any one of a plurality of time zones for overtime work, You may set the work flag on.

One or more risk keywords registered from the list button 403b in FIG. 13 may be registered in the risk keyword dictionary table 41b, as illustrated in FIG. For the work analysis result 1b, for example, if the file name or file content contains one or more risk keywords, the work analysis unit 22 of the monitoring server 2 identifies the risk keyword of the access performed to the file. You may set the flag on.

Returning to the description of FIG. 13, the output timing selection column 404 is a selection column for specifying the timing for displaying the output window 300 or 301 on the business terminal 3 . In the selection field 404, for example, "at the time of the first startup on the next day" or "at the time of the next startup (at the time of the next logon)" can be selected. If "first startup on the next day" is selected, the output window 300 will be displayed at the first startup on the next day, and will not be displayed at restart or logoff/logon within the same day. If "at next startup (at next logon)" is selected, the output window 300 is displayed at logon after restarting within the same day or after logoff.

An employee (user) output content selection column 405 and a boss output content selection column 406 are selection columns for designating the content to be displayed in the output window 300 or 301 . In selection fields 405 and 406, for example, "only created file" or "created file and reference file" can be selected. When "only created files" is selected, only the created file list 310 is displayed in the output window 300 or 301 among the work analysis results 1b illustrated in FIG. 11 or 12 . When "creation file and reference file" is selected, both a creation file list 310 and a reference file list 320 are displayed in the output window 300 or 301 as illustrated in FIG. 11 or 12 .

The policy setting unit 42 may transmit the contents selected in the selection fields 404 to 406 to the policy application unit 29 of the monitoring server 2 .

(Example of reference data window)
FIG. 16 is a diagram showing an example of the reference data window 410. As shown in FIG. As shown in FIG. 16 , the display control unit 45 may cause the display unit 46 to display a reference data window 410 based on the screen data of the reference data 1d received from the reference data acquisition unit 43 .

As shown in FIG. 16, the reference data 1d includes, for example, "No.", "access date and time", "file name", "risk keyword", "terminal number", "user name", and " The item "user name" may be included.

In the reference data window 410, among the reference data 1d, there are entries with the overtime work flag set to ON, entries with the risk keyword flag set to ON, and entries with both flags set to ON. Each may be distinguished and displayed.

For example, when any entry displayed in the reference data 1d of the reference data window 410 is selected by the system administrator operating the management terminal 4, the reference data acquisition unit 43 acquires the information of the selected entry. may be notified to the analysis result acquisition unit 44 . For example, the reference data acquisition unit 43 notifies the analysis result acquisition unit 44 of information on at least the file name of the selected entry, so that the analysis result acquisition unit 44 receives an analysis instruction that is included in the analysis condition including the file name. It can be transmitted to the monitoring server 2 .

(An example of the analysis processing result window)
FIG. 17 is a diagram showing an example of the analysis processing result window 420. As shown in FIG. As shown in FIG. 17 , the display control unit 45 may cause the display unit 46 to display an analysis processing result window 420 based on the screen data of the analysis processing result 1c received from the analysis result acquisition unit 44 .

As shown in FIG. 17, the analysis processing result 1c may include, for example, items of "date and time", "terminal number", "user name", "operation", and "content".

For example, the display control unit 45 may cause the display unit 46 to display the reference data window 410 and the analysis processing result window 420 side by side, or may display the contents of the reference data window 410 and the analysis processing result window 420 identically. may be displayed in the window of

Further, when the reference data window 410 and the analysis processing result window 420 are displayed on the display unit 46, and the entry of the reference data 1d in the reference data window 410 is selected, the analysis processing result 1c of the analysis processing result window 420 is displayed. May be updated. As an example, the analysis result acquisition unit 44 transmits an analysis instruction (re-instruction) including the file name of the entry selected in the reference data 1d to the monitoring server 2, and the analysis processing result related to the re-instruction received from the monitoring server 2 is 1c may be output to the display control unit 45 . For example, the display control unit 45 may replace the contents of the analysis processing result 1c in the analysis processing result window 420 with the analysis processing result 1c related to the re-instruction, or replace the analysis processing result 1c related to the re-instruction with the analysis processing result 1c. You may add to the analysis process result 1c of the window 420. FIG.

[1-3] Other Functional Configuration Examples of Monitoring Server, Business Terminal, and Management Terminal Next, another configuration example of the business system 1 according to one embodiment will be described. Hereinafter, the business system 1, monitoring server 2, business terminal 3, and management terminal 4 according to other configuration examples will be referred to as business system 1A, monitoring server 2A, business terminal 3A, and management terminal 4A, respectively.

FIG. 18 is a block diagram showing another functional configuration example of the monitoring server 2A, business terminal 3A, and management terminal 4A according to one embodiment. In the following description of FIG. 18, configurations denoted by the same reference numerals as in the functional configuration example illustrated in FIG. 5 may be the same as the configuration illustrated in FIG. 5 unless otherwise specified.

As illustrated in FIG. 18, the business terminal 3A is different from the business terminal 3 illustrated in FIG. 33A functions differently.

The operation log acquisition unit 32A may output the acquired file operation log 1a to the work analysis unit 35 in addition to the functions of the operation log acquisition unit 32 illustrated in FIG.

The work analysis unit 35 substantially corresponds to the function of the work analysis unit 22 of the monitoring server 2 illustrated in FIG. For example, based on the file operation log 1a acquired by the operation log acquisition unit 32A, the work analysis unit 35 may generate the work analysis result 1b of its own business terminal 3A using the same method as the work analysis unit 22.

In addition, the work analysis unit 35 saves the generated work analysis result 1b in the work analysis data 36, and at a predetermined timing, for example, at the timing of termination or logoff of the business terminal 3A, the work accumulated in the work analysis data 36 You may transmit the analysis result 1b to the monitoring server 2. FIG.

The work analysis unit 35 adds an overtime work flag and a risk keyword flag to the work analysis result 1b based on information in the overtime dictionary table 41a and the risk keyword dictionary table 41b received from the policy setting unit 42A of the management terminal 4A. You can

In addition to the functions of the display control unit 33 illustrated in FIG. 5, the display control unit 33A displays an output window 300 on the display unit 34 at the output timing specified by the policy received from the policy setting unit 42A of the management terminal 4A. Or 301 may be displayed. For example, the display control unit 33A extracts the previous day's or previous work analysis result 1b from the work analysis unit 35, and displays one or both of the created file list 310 and the reference file list 320 based on the policy received from the policy setting unit 42A. Screen data to be displayed may be generated.

Further, when the user of business terminal 3A is the boss, display control unit 33A receives from monitoring server 2A a work analysis in which the terminal number of own business terminal 3A is set as the boss terminal number by other business terminal 3A. Result 1b may be received. The display control unit 33A may generate screen data for the output window 301 based on the received work analysis result 1b.

In the business terminal 3A, the boss terminal number of the business terminal 3A can be set as a property of an application as an agent running on the OS of the business terminal 3A. For this reason, the display control unit 33A may transmit the work analysis result 1b to, for example, the business terminal 3A of the boss designated as the boss terminal number on the own business terminal 3A.

Further, when the work analysis result 1b used for creating the screen data of the output window 300 or 301 cannot be obtained from the work analysis data 36, the display control unit 33A does not obtain the work analysis result from the monitoring server 2A as in the example of FIG. 1b may be obtained.

FIG. 19 is a flowchart for explaining an operation example of generating the work analysis result 1b and displaying the output window 300 in a business cycle (period) from activation or logon to termination or logoff of the business terminal 3A.

As illustrated in FIG. 19, after the business terminal 3A is activated or logged on, the display control unit 33A displays an output window 300 or 301 relating to the previous day's or previous work on the display unit 34 based on the policy received from the management terminal 4A. display (step S1).

When a file is opened or newly created in the business terminal 3A, the operation log acquisition section 32A generates the file operation log 1a. The work analysis unit 35 creates or updates an entry of the work analysis result 1b in the work analysis data 36 based on the file operation log 1a.

For example, as indicated by symbol A in FIG. 19, the work analysis unit 35 adds the file "Book1.xlsx" newly created by the user of the business terminal 3A to update the file to the created file information 23a. In addition, the work analysis unit 35 refers to the file "sales promotion material.pptx" created the day before, which the user opened for updating, and "2018 sales promotion material.pptx" opened for reference, as the reference file information 23b. Add to

The work analysis unit 35 sums the time during which the window of the application that creates the file added to the work analysis result 1b is active for each file, and updates the work time of each file (see symbol B). The work analysis unit 35 also updates the work time (and the number of saves) for each file in the following codes C to F as well.

Also, when the user updates and saves "sales promotion material.pptx", the work analysis unit 35 copies the information of each item of the reference file information 23b regarding the file from the reference file information 23b to the created file information 23a. (see symbol C). In this case, the work analysis unit 35 updates the work time and the number of saves of the file on the created file information 23a, and stops updating the work time and the like of the file on the reference file information 23b.

Further, when the user saves "Book1.xlsx", the work analysis unit 35 adds "1" to the save count of the corresponding file in the created file information 23a (see symbol D).

Also, when the user changes the file name of "Book1.xlsx" to "PJ schedule.xlsx", the work analysis unit 35 changes the file name of the corresponding file in the creation file information 23a (see symbol E). . In this case, the work analysis unit 35 inherits the information of each item of the created file information 23a, including the work time and the number of saves before the file name change, and uses it for the created file information 23a after the file name change.

In the business terminal 3A, when the application is terminated and an operation to terminate or log off the business terminal 3A occurs (step S4), the work analysis unit 35 confirms the work analysis result 1b for the day (see symbol F), and performs work analysis. The result 1b is transmitted to the monitoring server 2A (step S5).

After transmitting the work analysis result 1b, the business terminal 3A is terminated or logged off (step S6), and the process is terminated.

Note that in the example shown in FIG. 19, since attention is paid to the transition of the file working time and the number of times of saving, the illustration of the overtime work flag and the risk keyword flag of the created file information 23a and the reference file information 23b is omitted. . The work analysis unit 35 may determine and set the overtime work flag and the risk keyword flag in the process of creating or updating the work analysis result 1b indicated by symbols A to E. Alternatively, the work analysis unit 35 may determine and set the overtime work flag and the risk keyword flag at the timing when the output content indicated by symbol F is determined.

Returning to the description of FIG. 18, the monitoring server 2A is different from the monitoring server 2 illustrated in FIG. is different.

The work analysis result transmitting unit 27A transmits the work analysis result 1b transmitted from the work analysis unit 35 of the business terminal 3A and stored in the work analysis data 23 by the monitoring server 2A, for which the boss terminal number is specified. 1b is sent to the business terminal 3A with the boss terminal number. The transmission timing may be the timing requested by the business terminal 3A.

The management terminal 4A differs from the management terminal 4 illustrated in FIG. 5 in the function of the policy setting section 42A. The policy setting unit 42A transmits the policy to each business terminal 3A instead of (or in addition to) the monitoring server 2A.

An operation example of the business system 1A described above will be described with reference to the sequence diagram shown in FIG. As shown in FIG. 20, the operation of the business system 1A can be regarded as replacing the process P3 in the operation of the business system 1 illustrated in FIG. 2 with processes P11 and P12.

In processing P11, the work analysis unit 35 of the business terminal 3A performs work analysis processing based on the file operation log 1a acquired in processing P1, and saves the generated work analysis result 1b in the work analysis data 36. Further, the work analysis unit 35 transmits the unsent work analysis result 1b to the monitoring server 2A at a predetermined timing.

In process P12, the monitoring server 2A saves (stores) the work analysis result 1b received from each business terminal 3A in the work analysis data .

As described above, even if the work analysis result 1b is generated (extracted) by the business terminal 3A instead of the monitoring server 2A, the same effect as the business system 1 illustrated in FIG. 5 can be obtained.

[1-4] Hardware Configuration Example FIG. 21 is a block diagram showing an HW configuration example of the computer 10 that implements the functions of the monitoring server 2 or 2A. When multiple computers are used as HW resources for realizing the functions of the monitoring server 2 or 2A, each computer may have the HW configuration illustrated in FIG.

As shown in FIG. 21, the computer 10 has, as an example of HW configuration, 10f.

The processor 10a is an example of an arithmetic processing device that performs various controls and operations. The processor 10a may be communicatively connected to each block in the computer 10 via a bus 10i. Note that the processor 10a may be a multiprocessor including a plurality of processors, a multicore processor having a plurality of processor cores, or a configuration having a plurality of multicore processors.

Examples of the processor 10a include integrated circuits (ICs) such as CPUs, MPUs, GPUs, APUs, DSPs, ASICs, and FPGAs. A combination of two or more of these integrated circuits may be used as the processor 10a. CPU is an abbreviation for Central Processing Unit, and MPU is an abbreviation for Micro Processing Unit. GPU is an abbreviation for Graphics Processing Unit, and APU is an abbreviation for Accelerated Processing Unit. DSP is an abbreviation for Digital Signal Processor, ASIC is an abbreviation for Application Specific IC, and FPGA is an abbreviation for Field-Programmable Gate Array.

The memory 10b is an example of HW that stores information such as various data and programs. Examples of the memory 10b include one or both of a volatile memory such as a DRAM and a nonvolatile memory such as a PM.

The storage unit 10c is an example of HW that stores information such as various data and programs. Examples of the storage unit 10c include magnetic disk devices such as HDDs, semiconductor drive devices such as SSDs, and various storage devices such as nonvolatile memories. Examples of nonvolatile memory include flash memory, SCM (Storage Class Memory), ROM (Read Only Memory), and the like.

Further, the storage unit 10c may store a program 10g (program) that implements all or part of various functions of the computer 10. FIG. For example, the processor 10a of the monitoring server 2 or 2A develops the program 10g stored in the storage unit 10c in the memory 10b and executes it, thereby performing the functions of the monitoring server 2 or 2A illustrated in FIG. 5 or 18. realizable.

At least one of the memory 10b and the storage unit 10c may store the operation log DB 21, the work analysis data 23, and the reference data DB 28 shown in FIG. 5 or FIG.

The IF unit 10d is an example of a communication IF that controls connection and communication with a network. For example, the IF unit 10d may include an adapter conforming to LAN such as Ethernet (registered trademark) or optical communication such as FC (Fibre Channel). The adapter may support one or both of wireless and wired communication methods. For example, the program 10g may be downloaded from the network to the computer 10 via the communication IF and stored in the storage section 10c.

The I/O section 10e may include one or both of an input device and an output device. Input devices include, for example, a keyboard, a mouse, and a touch panel. Examples of output devices include monitors, projectors, and printers.

The reading unit 10f is an example of a reader that reads data and program information recorded on the recording medium 10h. The reading unit 10f may include a connection terminal or device to which the recording medium 10h can be connected or inserted. Examples of the reading unit 10f include an adapter conforming to USB (Universal Serial Bus), a drive device for accessing a recording disk, and a card reader for accessing flash memory such as an SD card. The recording medium 10h may store the program 10g, or the reading unit 10f may read the program 10g from the recording medium 10h and store it in the storage unit 10c.

Examples of the recording medium 10h include non-temporary computer-readable recording media such as magnetic/optical discs and flash memories. Examples of magnetic/optical discs include flexible discs, CDs (Compact Discs), DVDs (Digital Versatile Discs), Blu-ray discs, and HVDs (Holographic Versatile Discs). Examples of flash memories include semiconductor memories such as USB memories and SD cards.

The HW configuration of the computer 10 described above is an example. Therefore, HW in the computer 10 may be increased or decreased (for example, addition or deletion of arbitrary blocks), division, integration in arbitrary combinations, addition or deletion of buses, or the like may be performed as appropriate. For example, in the monitoring server 2 or 2A, at least one of the I/O unit 10e and the reading unit 10f may be omitted.

The functions of the business terminal 3 or 3A and the management terminal 4 or 4A, which are examples of the information processing device, may be implemented by the same HW configuration as the computer 10 described above.

For example, the processor 10a of the business terminal 3 or 3A implements the functions of the business terminal 3 or 3A shown in FIG. 5 or 18 by deploying the program 10g stored in the storage unit 10c in the memory 10b and executing it. can. Similarly, the processor 10a of the management terminal 4 or 4A performs the functions of the management terminal 4 or 4A shown in FIG. realizable.

The display section 34 of the business terminal 3 or 3A shown in FIG. 5 or 18 is an example of the I/O section 10e of the business terminal 3 or 3A. Moreover, the work analysis data 36 of the business terminal 3A shown in FIG. 18 may be stored in at least one of the memory 10b and the storage unit 10c of the business terminal 3A. Furthermore, the display section 46 of the management terminal 4 or 4A shown in FIG. 5 or 18 is an example of the I/O section 10e of the management terminal 4 or 4A.

[2] Others The technique according to the embodiment described above can be modified and changed as follows.

For example, functional blocks provided in the monitoring server 2, the business terminal 3 and the management terminal 4 shown in FIG. 5, and the monitoring server 2A, the business terminal 3A and the management terminal 4A shown in FIG. may be merged by a combination of , or may be divided respectively. Also, the monitoring server 2 or 2A shown in FIG. 5 or 18 may be configured to realize each processing function by a plurality of devices cooperating with each other via a network.

[3] Supplementary Note The following Supplementary Note will be disclosed with respect to the above embodiment.

(Appendix 1)
In a display system having an information processing terminal used by a user, a server, and an administrator terminal,
The server is
a first storage area for collecting and recording an operation log relating to operations performed at the information processing terminal from the information processing terminal;
Work analysis information obtained by analyzing operations performed on a file in a predetermined period based on the operation log, and distinguishing whether or not the operation time of the operation is within working hours of the user. a work analysis information generation unit that generates the work analysis information including one or both of information and second information that distinguishes whether or not the specified character string is included in the file name or content of the file;
a second storage area different from the first storage area for recording the work analysis information;
a reference information generating unit that generates reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
an analysis unit that outputs an analysis result of the operation log in response to receiving an analysis instruction of the operation log from the administrator terminal;
a transmission unit that transmits the work analysis information to the information processing terminal and transmits the reference information and the analysis result to the administrator terminal;
The information processing terminal
a receiving unit that receives the work analysis information from the server;
a display unit that displays the work analysis information;
The administrator terminal
a receiving unit that receives the reference information and the analysis result;
a display unit that displays the reference information in response to reception of the reference information, and displays the analysis result in addition to the reference information in response to reception of the analysis result.

(Appendix 2)
Based on the first information included in the work analysis information, the reference information generation unit generates the file name of the file whose operation time is outside the working hours of the user, the operation time, and the usage of the file. generating said reference information including at least information about a person;
The display system of Claim 1.

(Appendix 3)
The reference information generation unit generates, based on the second information included in the work analysis information, the file name of a file containing the specified character string in its file name or content, the specified character string, and generating the reference information including at least information about the user who manipulated the file;
The display system according to Appendix 1 or Appendix 2.

(Appendix 4)
The work analysis information includes created file information including one or both of the first information and the second information about the file created by the information processing terminal, and the first information and the above information about the file referred to by the information processing terminal. and reference file information including one or both of the second information,
The display system according to any one of Appendices 1-3.

(Appendix 5)
wherein the transmission unit transmits the work analysis information of the information processing terminal to the information processing terminal and another information processing terminal associated with the information processing terminal;
The display system according to any one of Appendices 1-4.

(Appendix 6)
Collecting operation logs related to operations performed by the information processing terminal from the information processing terminal used by the user and recording them in a first storage area;
Work analysis information obtained by analyzing operations performed on a file in a predetermined period based on the operation log, and distinguishing whether or not the operation time of the operation is within working hours of the user. generating the work analysis information including one or both of information and second information that distinguishes whether the specified character string is included in the file name or content of the file;
recording the work analysis information in a second storage area different from the first storage area;
generating reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
transmitting the reference information to the administrator terminal;
A program characterized by causing a computer to execute processing.

(Appendix 7)
After the transmission, in response to receiving an instruction to analyze the operation log from the administrator terminal, a result of analyzing the operation log is transmitted to the administrator terminal.
causing the computer to perform processing;
A program according to Appendix 6.

(Appendix 8)
A display method in a display system having an information processing terminal used by a user, a server, and an administrator terminal,
the server
Collecting from the information processing terminal an operation log relating to an operation performed at the information processing terminal and recording it in a first storage area;
Work analysis information obtained by analyzing operations performed on a file in a predetermined period based on the operation log, and distinguishing whether or not the operation time of the operation is within working hours of the user. generating the work analysis information including one or both of information and second information that distinguishes whether the specified character string is included in the file name or content of the file;
recording the work analysis information in a second storage area different from the first storage area;
transmitting the work analysis information to the information processing terminal;
The information processing terminal
receiving the work analysis information from the server;
displaying the work analysis information on the display unit;
the server
generating reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
transmitting the reference information to the administrator terminal;
outputting an analysis result of the operation log in response to receiving an instruction to analyze the operation log from the administrator terminal;
transmitting the analysis result to the administrator terminal;
The administrator terminal
displaying the reference information on a display unit in response to receiving the reference information from the server;
displaying the analysis result on the display unit of the administrator terminal in addition to the reference information in response to receiving the analysis result from the server;
A display method characterized by

(Appendix 9)
In a display system having an information processing terminal used by a user, a server, and an administrator terminal,
The information processing terminal
Work analysis information obtained by analyzing operations performed on a file during a predetermined period based on an operation log relating to operations performed on the information processing terminal, wherein the operation time of the operation is within working hours of the user. and second information distinguishing whether or not the specified character string is included in the file name or content of the file. a work analysis information generation unit to generate;
a display unit that displays the work analysis information;
The server is
a first storage area for collecting and recording the operation log from the information processing terminal;
a second storage area different from the first storage area for collecting and recording the work analysis information from the information processing terminal;
a reference information generating unit that generates reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
an analysis unit that outputs an analysis result of the operation log in response to receiving an analysis instruction of the operation log from the administrator terminal;
a transmission unit that transmits the reference information and the analysis result to the administrator terminal;
The administrator terminal
a receiving unit that receives the reference information and the analysis result;
a display unit that displays the reference information in response to reception of the reference information, and displays the analysis result in addition to the reference information in response to reception of the analysis result.

(Appendix 10)
Based on the first information included in the work analysis information, the reference information generation unit generates the file name of the file whose operation time is outside the working hours of the user, the operation time, and the usage of the file. generating said reference information including at least information about a person;
9. The display system of clause 9.

(Appendix 11)
The reference information generation unit generates, based on the second information included in the work analysis information, the file name of a file containing the specified character string in its file name or content, the specified character string, and generating the reference information including at least information about the user who manipulated the file;
11. The display system according to Appendix 9 or Appendix 10.

(Appendix 12)
The work analysis information includes created file information including one or both of the first information and the second information about the file created by the information processing terminal, and the first information and the above information about the file referred to by the information processing terminal. and reference file information including one or both of the second information,
The display system according to any one of appendices 9-11.

(Appendix 13)
wherein the transmission unit transmits the work analysis information collected from the information processing terminal to another information processing terminal associated with the information processing terminal;
The display system according to any one of appendices 9-12.

(Appendix 14)
Collecting operation logs related to operations performed by the information processing terminal from the information processing terminal used by the user and recording them in a first storage area;
Work analysis information generated by the information processing terminal based on the operation log and analyzing operations performed on a file during a predetermined period of time, wherein the operation time of the operation is the operation time of the operation performed by the user. one or both of first information distinguishing whether it is within working hours of the file, and second information distinguishing whether the specified character string is included in the file name or content of the file collecting said work analysis information;
recording the work analysis information in a second storage area different from the first storage area;
generating reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
transmitting the reference information to the administrator terminal;
A program characterized by causing a computer to execute processing.

(Appendix 15)
After the transmission, in response to receiving an instruction to analyze the operation log from the administrator terminal, a result of analyzing the operation log is transmitted to the administrator terminal.
causing the computer to perform processing;
14. The program according to Appendix 14.

(Appendix 16)
A display method in a display system having an information processing terminal used by a user, a server, and an administrator terminal,
The information processing terminal
Work analysis information obtained by analyzing operations performed on a file during a predetermined period based on an operation log relating to operations performed on the information processing terminal, wherein the operation time of the operation is within working hours of the user. and second information distinguishing whether or not the specified character string is included in the file name or content of the file. generate and
displaying the work analysis information on the display unit;
the server
collecting the operation log from the information processing terminal and recording it in a first storage area;
collecting the work analysis information from the information processing terminal and recording it in a second storage area different from the first storage area;
generating reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
transmitting the reference information to the administrator terminal;
outputting an analysis result of the operation log in response to receiving an instruction to analyze the operation log from the administrator terminal;
transmitting the analysis result to the administrator terminal;
The administrator terminal
displaying the reference information on a display unit in response to receiving the reference information from the server;
displaying the analysis result on the display unit of the administrator terminal in addition to the reference information in response to receiving the analysis result from the server;
A display method characterized by

1, 1A business system 1a file operation log 1b work analysis result 1c analysis processing result 1d reference data 10 computer 2, 2A monitoring server 21 operation log DB
22, 35 work analysis unit 23, 36 work analysis data 23a creation file information 23b reference file information 24 cause analysis unit 25 analysis screen generation unit 25a reference data generation unit 25b screen generation unit 26 operation log collection unit 27, 27A work analysis result Transmitter 28 Reference data DB
29 Policy application unit 3, 3a, 3b, 3A Business terminal 31 File operation unit 32 Operation log acquisition unit 33, 33A, 45 Display control unit 34, 46 Display unit 4, 4A Management terminal 41 Memory unit 41a After-hours dictionary table 41b Risk Keyword dictionary table 42, 42A Policy setting unit 43 Reference data acquisition unit 44 Analysis result acquisition unit

Claims (10)

In a display system having an information processing terminal used by a user, a server, and an administrator terminal,
The server is
a first storage area for collecting and recording an operation log relating to operations performed at the information processing terminal from the information processing terminal;
Work analysis information obtained by analyzing operations performed on a file in a predetermined period based on the operation log, and distinguishing whether or not the operation time of the operation is within working hours of the user. a work analysis information generation unit that generates the work analysis information including one or both of information and second information that distinguishes whether or not the specified character string is included in the file name or content of the file;
a second storage area different from the first storage area for recording the work analysis information;
a reference information generating unit that generates reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
an analysis unit that outputs an analysis result of the operation log in response to receiving an analysis instruction of the operation log from the administrator terminal;
a transmission unit that transmits the work analysis information to the information processing terminal and transmits the reference information and the analysis result to the administrator terminal;
The information processing terminal
a receiving unit that receives the work analysis information from the server;
a display unit that displays the work analysis information;
The administrator terminal
a receiving unit that receives the reference information and the analysis result;
a display unit that displays the reference information in response to reception of the reference information, and displays the analysis result in addition to the reference information in response to reception of the analysis result. Based on the first information included in the work analysis information, the reference information generation unit generates the file name of the file whose operation time is outside the working hours of the user, the operation time, and the usage of the file. generating said reference information including at least information about a person;
The display system of Claim 1. The reference information generation unit generates, based on the second information included in the work analysis information, the file name of a file containing the specified character string in its file name or content, the specified character string, and generating the reference information including at least information about the user who manipulated the file;
3. A display system according to claim 1 or claim 2. The work analysis information includes created file information including one or both of the first information and the second information about the file created by the information processing terminal, and the first information and the above information about the file referred to by the information processing terminal. and reference file information including one or both of the second information,
The display system according to any one of claims 1-3. Collecting operation logs related to operations performed by the information processing terminal from the information processing terminal used by the user and recording them in a first storage area;
Work analysis information obtained by analyzing operations performed on a file in a predetermined period based on the operation log, and distinguishing whether or not the operation time of the operation is within working hours of the user. generating the work analysis information including one or both of information and second information that distinguishes whether the specified character string is included in the file name or content of the file;
recording the work analysis information in a second storage area different from the first storage area;
generating reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
transmitting the reference information to the administrator terminal;
A program characterized by causing a computer to execute processing. After the transmission, in response to receiving an instruction to analyze the operation log from the administrator terminal, a result of analyzing the operation log is transmitted to the administrator terminal.
causing the computer to perform processing;
6. A program according to claim 5. A display method in a display system having an information processing terminal used by a user, a server, and an administrator terminal,
the server
Collecting from the information processing terminal an operation log relating to an operation performed at the information processing terminal and recording it in a first storage area;
Work analysis information obtained by analyzing operations performed on a file in a predetermined period based on the operation log, and distinguishing whether or not the operation time of the operation is within working hours of the user. generating the work analysis information including one or both of information and second information that distinguishes whether the specified character string is included in the file name or content of the file;
recording the work analysis information in a second storage area different from the first storage area;
transmitting the work analysis information to the information processing terminal;
The information processing terminal
receiving the work analysis information from the server;
displaying the work analysis information on the display unit;
the server
generating reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
transmitting the reference information to the administrator terminal;
outputting an analysis result of the operation log in response to receiving an instruction to analyze the operation log from the administrator terminal;
transmitting the analysis result to the administrator terminal;
The administrator terminal
displaying the reference information on a display unit in response to receiving the reference information from the server;
displaying the analysis result on the display unit of the administrator terminal in addition to the reference information in response to receiving the analysis result from the server;
A display method characterized by In a display system having an information processing terminal used by a user, a server, and an administrator terminal,
The information processing terminal
Work analysis information obtained by analyzing operations performed on a file during a predetermined period based on an operation log relating to operations performed on the information processing terminal, wherein the operation time of the operation is within working hours of the user. and second information distinguishing whether or not the specified character string is included in the file name or content of the file. a work analysis information generation unit to generate;
a display unit that displays the work analysis information;
The server is
a first storage area for collecting and recording the operation log from the information processing terminal;
a second storage area different from the first storage area for collecting and recording the work analysis information from the information processing terminal;
a reference information generating unit that generates reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
an analysis unit that outputs an analysis result of the operation log in response to receiving an analysis instruction of the operation log from the administrator terminal;
a transmission unit that transmits the reference information and the analysis result to the administrator terminal;
The administrator terminal
a receiving unit that receives the reference information and the analysis result;
a display unit that displays the reference information in response to reception of the reference information, and displays the analysis result in addition to the reference information in response to reception of the analysis result. Collecting operation logs related to operations performed by the information processing terminal from the information processing terminal used by the user and recording them in a first storage area;
Work analysis information generated by the information processing terminal based on the operation log and analyzing operations performed on a file during a predetermined period of time, wherein the operation time of the operation is the operation time of the operation performed by the user. one or both of first information distinguishing whether it is within working hours of the file, and second information distinguishing whether the specified character string is included in the file name or content of the file collecting said work analysis information;
recording the work analysis information in a second storage area different from the first storage area;
generating reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
transmitting the reference information to the administrator terminal;
A program characterized by causing a computer to execute processing. A display method in a display system having an information processing terminal used by a user, a server, and an administrator terminal,
The information processing terminal
Work analysis information obtained by analyzing operations performed on a file during a predetermined period based on an operation log relating to operations performed on the information processing terminal, wherein the operation time of the operation is within working hours of the user. and second information distinguishing whether or not the specified character string is included in the file name or content of the file. generate and
displaying the work analysis information on the display unit;
the server
collecting the operation log from the information processing terminal and recording it in a first storage area;
collecting the work analysis information from the information processing terminal and recording it in a second storage area different from the first storage area;
generating reference information based on the work analysis information in response to receiving an instruction to start analyzing the operation log from the manager terminal;
transmitting the reference information to the administrator terminal;
outputting an analysis result of the operation log in response to receiving an instruction to analyze the operation log from the administrator terminal;
transmitting the analysis result to the administrator terminal;
The administrator terminal
displaying the reference information on a display unit in response to receiving the reference information from the server;
displaying the analysis result on the display unit of the administrator terminal in addition to the reference information in response to receiving the analysis result from the server;
A display method characterized by

Images