JP7300781B1 - Data management system, data management method, and data management program - Google Patents

Abstract

A data management system, a data management method, and a data management program are provided for encrypting sensitive data (logs, etc.) collected from devices, etc. and using the encrypted data efficiently. A data management system includes a key management server, a proxy server, and a storage area (database server). The key management server manages encryption keys. The proxy server includes: a sensitive data acquisition unit that acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items; and an encryption unit that encrypts with The storage area is a database that stores sensitive data encrypted by the encryption unit in a database format that can be accessed in predetermined data units, and files containing sensitive data that occurred within a predetermined period can be accessed in file units. a storage for storing in the [Selection drawing] Fig. 2

Description

The present disclosure relates to a data management system, data management method, and data management program.

In recent years, in the operation of information processing systems, logs of network devices such as server computers, firewalls, and routers have been collected. A log is data defined in a certain format in which information about an event that has occurred in a device or the like is associated with the date and time of occurrence of the event. For example, in the case of computers, there are access logs that record accesses, error logs that record errors in information processing, and debug logs that record program operations for the purpose of finding bugs. . With recent improvements in data processing, machine learning, etc., logs such as those described above can be used to investigate the cause of failures, detect security anomalies, predict failures and security anomalies, and perform follow-up investigations and analyses. It is hoped that technology will be developed to accurately perform

Collected logs are grouped into a single file for a certain period of time (for example, on a daily basis), and the file is stored in a local storage device or cloud storage. Log files, which record events that have occurred in devices, need to be encrypted because they contain information that can give clues to unauthorized access to the system and sensitive data related to security vulnerabilities. For example, Patent Literature 1 discloses an encryption device that encrypts collected log files and stores them in a storage.

In addition, it is desirable to store the collected logs in a database so that the desired information can be easily retrieved. For example, Patent Literature 2 discloses an encrypted database search device that speeds up the encrypted DB search process in a search system that searches encrypted documents stored in the encrypted DB.

Japanese Unexamined Patent Application Publication No. 2010-128901 JP-A-2005-134990

As described above, when logs are compiled into files at regular intervals and encrypted and saved on a file-by-file basis, the following procedure is taken to access the necessary log information. First, a period in which necessary log information is likely to be included is estimated, and a plurality of files corresponding to the log for that period are acquired from the storage device. Then, after decrypting those files, a search or the like is performed for each file or for a file in which the logs of each file are collected into one file. In this case, although security is ensured, there is a problem that it takes time and effort to utilize the log because encrypted files cannot be searched all at once.

The invention described in Patent Document 1 only encrypts log files and stores them in a storage, but does not store logs in a database. In addition, although the invention described in Patent Document 2 stores encrypted data in a database, the object of encryption is a general document, not a log collected from a network device or the like. In other words, when a failure occurs in a network device, logs are not efficiently used to investigate the cause, or to detect and predict security anomalies.

Considering the convenience of data usage, all logs may be stored in a database, but in order to store all the log data that continues to increase over time, a huge amount of storage capacity is required, which is costly. put away. In addition, most of the log data is normal data, and the abnormal data required for failure detection and anomaly prediction is small, so the actual benefit of storing all log data in the database is few.

The present invention has been made in view of such problems, and its object is to provide a technique for encrypting sensitive data collected from devices and the like and efficiently using the encrypted data.

In order to achieve the above object, a data management system according to the present disclosure is a data management system comprising a key management server, a proxy server, and a storage area, wherein the key management server manages encryption keys, and the proxy server , a sensitive data acquisition unit that acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items; and an attribute value corresponding to the attribute item of the sensitive data based on the encryption key. and the storage area stores the sensitive data encrypted by the encryption unit in an accessible database format in a predetermined data unit, and the date and time of occurrence is a predetermined period. and a storage that stores files containing sensitive data in an accessible manner in units of files.

Further, in order to achieve the above object, a data management method according to the present disclosure is a data management method in a system including a key management server, a proxy server, and a storage area, wherein the key management server manages encryption keys. a step in which the proxy server acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items; and a step in which the proxy server acquires attributes corresponding to the attribute items of the sensitive data based on the encryption key a step of encrypting a value in predetermined data units; a step of storing sensitive data encrypted in the encrypting step in a storage area in an accessible database format in predetermined data units; a step of storing files containing sensitive data whose date and time of occurrence are within a predetermined period so that they can be accessed on a file-by-file basis.

Further, in order to achieve the above object, a data management program according to the present disclosure is a data management program in a system comprising a key management server, a proxy server, and a storage area, wherein the key management server manages encryption keys. a step in which the proxy server acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items; and a step in which the proxy server acquires attributes corresponding to the attribute items of the sensitive data based on the encryption key a step of encrypting a value in predetermined data units; a step of storing sensitive data encrypted in the encrypting step in a storage area in an accessible database format in predetermined data units; a step of storing files containing sensitive data whose date and time of occurrence are within a predetermined period so that they can be accessed on a file-by-file basis.

ADVANTAGE OF THE INVENTION According to this invention, the sensitive data collected from the apparatus etc. can be encrypted and utilized efficiently. This makes it possible to store sensitive data such as logs in a form suitable for utilization while ensuring security. In addition, when a network equipment failure occurs, logs can be efficiently used to investigate the cause, or to detect and predict security anomalies.

1 is a diagram showing a configuration of a data management system 1; FIG. 4 is a conceptual diagram of processing according to the first embodiment; FIG. 2 is a functional block diagram showing an example of the functional configuration of a proxy server 2000; FIG. 3 is a functional block diagram showing an example of the functional configuration of a key management server 3000; FIG. 4 is a functional block diagram showing an example of the functional configuration of a database server 4000; FIG. It is the figure which showed an example of the data structure of sensitive data. 4 is a flowchart showing an example of processing according to the first embodiment; 2 is a block diagram showing the hardware configuration of a proxy server 2000; FIG. 3 is a functional block diagram showing an example of the functional configuration of a proxy server 2100; FIG. 3 is a functional block diagram showing an example of a functional configuration of a proxy server 2200; FIG. 2 is a diagram showing the configuration of a data management system 4; FIG. FIG. 10 is a conceptual diagram of processing according to the second embodiment; 3 is a functional block diagram showing an example of a functional configuration of a proxy server 2300; FIG. 4 is a functional block diagram showing an example of the functional configuration of a database server 4100; FIG. 9 is a flowchart showing an example of processing according to the second embodiment; 2 is a diagram showing the configuration of a data management system 5; FIG. FIG. 11 is a conceptual diagram of processing according to the third embodiment; 3 is a functional block diagram showing an example of a functional configuration of a proxy server 2400; FIG. 10 is a flowchart showing an example of processing according to the third embodiment;

Hereinafter, embodiments of the present disclosure will be described with reference to the drawings. In all the drawings for explaining the embodiments, common constituent elements are denoted by the same reference numerals, and repeated explanations are omitted. It should be noted that the following embodiments do not unduly limit the content of the present disclosure described in the claims. Also, not all the components shown in the embodiments are essential components of the present disclosure.

<Embodiment 1>
In this embodiment, the proxy server 2000 acquires sensitive data output from the network devices 1000-1, 1000-2, .

(Configuration of data management system 1)
FIG. 1 is a diagram showing the configuration of a data management system 1 according to this embodiment. A configuration of a data management system 1 according to the first embodiment will be described with reference to FIG.

, 1000-N (N is a natural number), a proxy server 2000, a key management server 3000, and a database server 4000. 1, network devices 1000-1, 1000-2, . . . , 1000-N, proxy server 2000, key management server 3000, and database server 4000 are communicably connected via network NW. The network NW is, for example, a WAN (Wide Area Network), a LAN (Local Area Network), an optical line network, an intranet, etc., but may be composed of any network.

In the following description, network devices 1000-1, 1000-2, .

The network device 1000 transmits logs output by these devices to the proxy server 2000 as sensitive data. The network device 1000 includes network connectable devices such as firewalls, routers, servers, and systems.

A log is data in which information about an event (occurrence) that has occurred is associated with the date and time of occurrence of the event and is defined in a certain format. A communication log that records communication with other devices, an access log that records access, an error log that records errors in information processing, and a record of program operations for the purpose of finding bugs. There is a debug log, etc. That is, the log is data that is continuously output from the device, and when accumulated, the amount of data becomes enormous with the passage of time.

The proxy server 2000 acquires the log as sensitive data from the network device 1000, and performs preprocessing as necessary to make it suitable for storage in the database (described later) and storage (described later) of the database server 4000. FIG. Next, the proxy server 2000 acquires the encryption key from the key management server 3000, encrypts the sensitive data (log), and saves it in the database of the database server 4000. FIG.

The key management server 3000 manages encryption keys for encrypting sensitive data. Key management server 3000 transmits to proxy server 2000 an encryption key that proxy server 2000 uses to encrypt sensitive data. Note that the key management server 3000 may be configured to be included in the proxy server 2000 . That is, the proxy server 2000 may have a function of managing encryption keys.

The database server 4000 functions as a storage server having storage areas. The database server 4000 has a database that stores data in table format as a storage area. A database is, for example, a hierarchical database, a network database, a relational database, a NoSQL (Not Only SQL) database, NewSQL, or the like. A database allows high-speed access to a table in units of predetermined data, and is used for daily use by users. The predetermined data unit is, for example, a table cell unit, a column unit, or a record unit. Note that the database may store the sensitive data in a form having relations, or in a document form or a graph form instead of the table form.

The database server 4000 also has a storage area for storing data in a file format, such as a CSV (Comma Separated Value) file or an XML file, which conforms to a certain format/format. The storage can be accessed on a file-by-file basis and is used for long-term storage and backup of data. Storage media used for storage are generally inexpensive compared to databases.

Database server 4000 stores sensitive data encrypted by proxy server 2000 in a database. In addition, among the data stored in the database for a certain period of time, the database server 4000 retains in the database sensitive data indicating an abnormality in a network device and sensitive data recorded before or after the relevant sensitive data in the database. of encrypted sensitive data from the database. At this time, the database server 4000 converts the encrypted sensitive data stored in the database into a file and stores it in the storage.

That is, all encrypted sensitive data are filed and stored in the storage of the database server 4000, so that a complete log file can be aggregated.

As described above, in the data management system 1, the database server 4000 stores sensitive data in databases and storages. For efficient use of data, it is desirable to store all data in a database with high-speed data access. Storing data in a database is difficult. Also, most of the logs are normal data, and there is little need for analysis to detect anomalies. Therefore, the data management system 1 according to the present embodiment leaves in the database only sensitive data that satisfies a predetermined condition and is useful for data utilization. And by storing all sensitive data in storage, it is possible to maximize the use of data while solving economic problems.

The functional configuration and processing of each server constituting the data management system 1 described above will be described below. Note that the functional blocks and processing blocks representing each functional configuration may be implemented by one or more devices, computer processors, or distributed groups of computer processors. For example, each function performed by the proxy server 2000, the key management server 3000, and the database server 4000 may be realized by a plurality of devices or may be realized by one device.

FIG. 2 is a conceptual diagram of processing according to the first embodiment. An outline of processing in the data management system 1 will be described with reference to FIG. In FIG. 2, solid-line arrows indicate the flow of processing, and broken-line arrows indicate the flow of data.

The data management system 1 according to the first embodiment stores sensitive data, which are logs of network devices, in a database. After a certain period of time has passed, the sensitive data other than the sensitive data indicating the abnormality and the sensitive data recorded before and after the relevant sensitive data are deleted from the database. Also, the predetermined sensitive data stored in the database, including the deleted sensitive data, is filed and stored in the storage.

(1) Sensitive Data Acquisition Step The network device 1000 transmits a log to the proxy server 2000, and the proxy server 2000 acquires from the network device 1000 sensitive data, which is a log related to the network device.

(2) Preprocessing Step After acquiring the sensitive data, the proxy server 2000 performs preprocessing as necessary. For example, as preprocessing as described later, the proxy server 2000 formats the sensitive data so as to correspond to the attribute items and attribute values previously determined by the system operator or the like.

Specifically, as preprocessing, the proxy server 2000 may parse the syntax of the acquired sensitive data to format the sensitive data. The log transmitted by the network device 1000 includes, for example, information (attribute values corresponding to attribute items) about events such as when (time), who (which device), what application, and what kind of operation was performed. . The proxy server 2000 analyzes the device name, date of occurrence (year/month/day), time of occurrence (time), location (IP address), application name, user ID, user name, operation details, etc. included in the sensitive data. Then, after associating each value as an attribute value corresponding to the attribute item, the format of the sensitive data may be arranged. In addition, the proxy server 2000 may preprocess the acquired sensitive data for each log, or preprocess a plurality of logs collectively. You can Further, as preprocessing, the proxy server 2000 may determine in which database the sensitive data is to be stored if there are multiple databases of the database server.

Also, the proxy server 2000, for example, in the (above) description of the date of occurrence, "2021/1/1", "2021.1.1", "2021-1-1", and "January 1, 2021" Although they all have the same meaning, they are written differently, so normalization may be performed to unify the expression method for attribute values with the same content.

An existing algorithm or the like may be used for the preprocessing as described above. It should be noted that it is not necessary for all devices to create logs in the same format, and the format may differ depending on the device. Also, the preprocessing described above is not an essential component of the proxy server 2000, and may be performed in another device.

(3) Encryption step The proxy server 2000 encrypts sensitive data using a predetermined encryption method. The predetermined encryption method is, for example, a homomorphic encryption method, a searchable encryption method such as an order preserving encryption method (OPE method: Order Preserving Encryption) or an ORE method (Order Revealing Encryption), AES (Advanced Encryption Standard), DES (Data Encryption Standard), SHA (Secure Hash Algorithm), MD5 (Message Digest Algorithm 5), and the like. Which encryption method is to be used for encryption may be set in advance by the system operator or the like according to the attribute value of the sensitive data.

The proxy server 2000 acquires a key for encrypting sensitive data from the key management server 3000, and encrypts each predetermined data unit. The proxy server 2000 performs preprocessing on the sensitive data as a predetermined data unit, and then encrypts each attribute value of the attribute item of one log (in units of cells when a plurality of logs are viewed as a table). can be changed. Alternatively, each attribute item (column unit) or one log (record unit) may be encrypted. Note that it is desirable to encrypt each attribute value of the attribute item of one log in order to enable efficient and high-speed retrieval of log information while it is encrypted.

Sensitive data encrypted in proxy server 2000 is sent to database server 4000 . The database server 4000 then stores the encrypted sensitive data in the database.

(4) File generation step The database server 4000 creates a file in an encrypted state of the sensitive data whose date and time of event occurrence is within a predetermined period, and stores the file in the storage. A "predetermined period" is, for example, a regular period such as 3 hours, 1 day, or 2 months from the start of system operation or the period in which the file was completed last time. It may be set as appropriate based on the volume of logs to be processed. Also, the starting time point of the calculation of the period is, for example, the time point when the sensitive data starts to be stored in the database, but the system operator or the like may set it as appropriate.

(5) Deletion step The database server 4000 deletes sensitive data that satisfies a predetermined condition from the database after a predetermined period of time has elapsed.

“After a predetermined period of time” may be set appropriately, for example, after 3 hours, after 1 day, after 2 months, etc., based on the storage capacity of the database server, the volume of logs generated from the system, and the like. Also, the starting time of the calculation of the period is, for example, the time when the sensitive data starts to be stored in the database or after the file generation is completed, but the system operator or the like may set it as appropriate.

Sensitive data that satisfies a "predetermined condition" may be set as appropriate, for example, "normal logs", "data excluding logs indicating anomalies", and "data excluding logs indicating equipment failures and security anomalies". A log indicating an anomaly is, for example, a log containing errors and/or warnings. Normally, logs indicating errors are clearly indicated as "Error", and logs indicating warnings are clearly indicated as "Warning", so the log may include these characters or flags. Further, a certain threshold may be set, and a log indicating a value equal to or higher than the threshold or a log indicating a value equal to or lower than the threshold may be regarded as an abnormality log. Normal logs refer to logs other than logs indicating anomalies.

Since most of the logs are data indicating that the state of the device is normal, log information indicating an abnormality is important for understanding the state of the device or analyzing the log. Therefore, it is desirable that the database server 4000, for example, leave logs indicating anomalies in a database that can be searched efficiently. In order to analyze logs and predict future anomalies, the database server 4000 desirably leaves logs before and after the log indicating an anomaly in the database in addition to the log indicating the anomaly. "Logs before and after" may be, for example, logs that are recorded temporally before and after (continuously) the log indicating the abnormality, or within a certain period of time before and after the log indicating the abnormality. It may be a log recorded (intermittently) on In other words, the "predetermined condition" is data to be deleted from the database, and may be, for example, something other than a log indicating an abnormality and its peripheral logs. Further, a predetermined condition may be appropriately set according to the network device 1000 .

The concept of processing in the first embodiment has been described above with reference to FIG. Stored. All sensitive data is then stored in storage as files. In general, it is possible to retrieve information from a database at high speed. Therefore, the data management system 1 of Embodiment 1 enables high-speed retrieval of sensitive data important for system management from the database. Become. Note that the data to be stored in the storage may not be all the sensitive data stored in the database, but may be sensitive data that satisfies a predetermined condition and is deleted from the database.

(Functional configuration of proxy server 2000)
FIG. 3 is a functional block diagram showing an example of the functional configuration of the proxy server 2000. As shown in FIG. An example of the functional configuration of the proxy server 2000 will be described with reference to FIG.

Proxy server 2000 includes communication unit 2010 , storage unit 2020 , and control unit 2030 .

The communication unit 2010 has a communication interface circuit for the proxy server 2000 to communicate with servers, devices, etc. via the network NW according to a predetermined communication protocol. The predetermined communication protocol is TCP/IP (Transmission Control Protocol/Internet Protocol) or the like. The communication unit 2010 sends the received data to the control unit 2030, and also sends the data received from the control unit 2030 to the server, the device, etc. via the network NW. Data may be exchanged with functional blocks other than the control unit 2030 .

The communication unit 2010 acquires sensitive data from the network device 1000 . Also, the communication unit 2010 transmits the encrypted sensitive data to the database server 4000 .

The storage unit 2020 includes memory devices such as RAM (Random Access Memory) and ROM (Read Only Memory), fixed disk devices such as hard disks, or portable storage devices such as flexible disks and optical disks. Further, the storage unit 2020 stores computer programs, encryption programs, keys, etc. used for various processes of the proxy server 2000 . The computer program may be installed in the storage unit 2020 from a computer-readable portable recording medium using a known setup program or the like. Portable recording media include, for example, CD-ROMs (Compact Disc Read Only Memory) and DVD-ROMs (Digital Versatile Disc Read Only Memory). The computer program may be installed from a predetermined server or the like.

The control unit 2030 is a processor such as a CPU (Central Processing Unit) that controls each function of the proxy server 2000 and operates based on a program stored in the storage unit 2020 in advance. A DSP (digital signal processor) or the like may be used as the control unit 2030 . Also, as the control unit 2030, a control circuit such as LSI (large scale integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or the like may be used.

Also, the control unit 2030 has functions as a sensitive data acquisition unit 2031 and an encryption unit 2032 .

The sensitive data acquisition unit 2031 acquires sensitive data, which is a log, from the network device 1000 via the communication unit 2010 . Then, the preprocessing as described above is performed on the sensitive data in a preprocessing unit (not shown).

The encryption unit 2032 acquires an encryption key from the key management server 3000 via the communication unit 2010, and encrypts sensitive data in units of predetermined data. The predetermined data unit is, for example, each attribute value (cell unit) corresponding to the attribute item of sensitive data, each attribute item (column unit), or one log (record unit). The encryption unit 2032 uses, for example, a homomorphic encryption method, an order preserving encryption method (OPE method: Order Preserving Encryption), an ORE method (Order Revealing Encryption), or the like, according to the format of sensitive data (numbers, character strings, etc.). Encryption is performed using a cryptosystem such as searchable encryption, AES (Advanced Encryption Standard), DES (Data Encryption Standard), SHA (Secure Hash Algorithm), MD5 (Message Digest algorithm 5).

(Functional configuration of key management server 3000)
FIG. 4 is a functional block diagram showing an example of the functional configuration of the key management server 3000. As shown in FIG. An example of the functional configuration of the key management server 3000 will be described with reference to FIG.

The key management server 3000 includes a communication section 3010 , a storage section 3020 and a control section 3030 .

The communication unit 3010 has a communication interface circuit for the key management server 3000 to communicate with servers, devices, etc. via the network NW according to a predetermined communication protocol. The predetermined communication protocol is TCP/IP (Transmission Control Protocol/Internet Protocol) or the like. The communication unit 3010 sends the received data to the control unit 3030, and also sends the data received from the control unit 3030 to a server, a device, etc. via the network NW. Data may be exchanged with a functional block other than the control unit 3030 of .

Communication unit 3010 receives an inquiry from proxy server 2000 and transmits the corresponding key data to proxy server 2000 .

The storage unit 3020 includes memory devices such as RAM (Random Access Memory) and ROM (Read Only Memory), fixed disk devices such as hard disks, portable storage devices such as flexible disks and optical disks, and the like. Further, the storage unit 3020 stores computer programs, encryption programs, keys, etc. used for various processes of the proxy server 2000 . The computer program may be installed in the storage unit 3020 from a computer-readable portable recording medium using a known setup program or the like. Portable recording media include, for example, CD-ROMs (Compact Disc Read Only Memory) and DVD-ROMs (Digital Versatile Disc Read Only Memory). The computer program may be installed from a predetermined server or the like.

Storage unit 3020 stores key data for encrypting or decrypting sensitive data in proxy server 2000 .

The control unit 3030 is a processor such as a CPU (Central Processing Unit) that controls each function of the key management server 3000 and operates based on a program stored in advance in the storage unit 3020 . Note that a DSP (digital signal processor) or the like may be used as the control unit 3030 . Also, as the control unit 3030, a control circuit such as LSI (large scale integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or the like may be used.

Also, the control unit 3030 has a function as a key management unit 3031 .

Key management unit 3031 transmits key data to proxy server 2000 via communication unit 3010 .

The key management unit 3031 manages encryption keys and decryption keys. The key management unit 3031 may generate a key according to the encryption method requested by the encryption unit 2032 of the proxy server 2000, for example. If the encryption method is, for example, a homomorphic encryption method (Paillier method) that allows addition and subtraction in the encrypted state (additive), a set of public key (encryption key) and private key (decryption key) is generated. .

In addition, the encryption method is an order preserving encryption method (OPE method) in which the size relationship of the ciphertext matches the size relationship of the corresponding plaintext, and a searchable encryption method that can judge whether the plaintext matches in the encrypted state. method, a common key is generated. As described above, the encryption key and the decryption key may be different keys such as a set of a public key and a private key, or may be the same key such as a common key. Note that the key generation algorithm is a well-known technique, so the explanation is omitted.

The key management unit 3031 causes the storage unit 3020, for example, to store the generated keys and parameters for key generation. The key management unit 3031 manages the generated key in association with which data (attribute item (column), etc.) is used for encryption among the encryption method and the sensitive data.

(Functional configuration of database server 4000)

FIG. 5 is a functional block diagram showing an example of the functional configuration of the database server 4000. As shown in FIG. An example of the functional configuration of the database server 4000 will be described with reference to FIG.

Database server 4000 includes communication unit 4010 , storage unit 4020 , and control unit 4030 .

The communication unit 4010 has a communication interface circuit for the database server 4000 to communicate with servers, devices, etc. via the network NW according to a predetermined communication protocol. The predetermined communication protocol is TCP/IP (Transmission Control Protocol/Internet Protocol) or the like. The communication unit 4010 sends the received data to the control unit 4030, and also sends the data received from the control unit 4030 to a server, a device, etc. via the network NW. Data may be exchanged with functional blocks other than the control unit 4030 .

The communication unit 4010 acquires encrypted sensitive data from the proxy server 2000 .

The storage unit 4020 includes memory devices such as RAM (Random Access Memory) and ROM (Read Only Memory), fixed disk devices such as hard disks, portable storage devices such as flexible disks and optical disks, and the like. The storage unit 4020 stores computer programs, encryption programs, keys, and the like used for various processes of the database server 4000 . The computer program may be installed in the storage unit 4020 from a computer-readable portable recording medium using a known setup program or the like. Portable recording media include, for example, CD-ROMs (Compact Disc Read Only Memory) and DVD-ROMs (Digital Versatile Disc Read Only Memory). The computer program may be installed from a predetermined server or the like.

The storage unit 4020 also functions as a database 4021 and a storage 4022 .

Database 4021 stores encrypted sensitive data obtained from proxy server 2000 in a table format. For example, encrypted sensitive data obtained from a proxy server during a predetermined period of time, logs indicating anomalies among sensitive data obtained before the predetermined period of time, and sensitive data of logs before and after the relevant log in terms of time and memorize. The sensitive data stored in the database 4021 that satisfies a predetermined condition is deleted from the database 4021 after a predetermined period of time has elapsed.

Storage 4022 stores data generated as a file format for the encrypted sensitive data obtained from proxy server 2000 .

The control unit 4030 is a processor such as a CPU (Central Processing Unit) that controls each function of the database server 4000 and operates based on a program stored in the storage unit 4020 in advance. A DSP (Digital Signal Processor) or the like may be used as the control unit 4030 . Further, as the control unit 4030, a control circuit such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or the like may be used.

Also, the control unit 4030 has functions as a file generation unit 4031 and a deletion unit 4032 .

The file generation unit 4031 generates sensitive data (log ) is generated. The predetermined period is, for example, hourly, daily, weekly, or the like. Information related to the date and time of occurrence is added to the generated file. Here, the given information is, for example, a file name including the date and time when the log included in the file was generated. For example, if the date and time when the log to be filed occurred was April 2, 2022 at 10:12:32, a file showing the specified period including the time of occurrence, from April 1 to 7, 2022 The name "log_20220401_20220407" may be given. Then, the file generation unit 4031 stores the sensitive data in the storage 4022 .

It should be noted that the file generation unit 4031 may output the contents of the database 4021 as a dump file with information related to the date and time of occurrence added thereto at predetermined intervals. By using the dump file, it is possible to smoothly transfer (restore) the contents that have been stored in the database 4021 to a new database. Therefore, when it becomes necessary to refer to the content of the sensitive data stored in the storage 4022, it is possible to access smoothly.

Deletion unit 4032 deletes sensitive data that satisfies a predetermined condition from database 4021 after a predetermined period of time has elapsed.

"After a predetermined period of time" is, as described above, for example, after 3 hours, after 1 day, after 2 months, etc. can be set.

Sensitive data that satisfies the "predetermined condition" may be appropriately set, for example, data excluding normal logs, logs indicating anomalies, and data excluding logs indicating device failures and security anomalies, as described above. However, in sensitive data, since logs indicating failures and anomalies have important meaning, logs other than logs indicating failures and anomalies and logs before and after them in terms of time are stored in the database as sensitive data that meet predetermined conditions. This should be the data to be deleted.

Note that the functions of the file generation unit 4031 may be provided outside the database server 4000 . Also, the functions of the file generation unit 4031 may be provided outside the proxy server 2000 . This is because the data that the file generation unit 4031 acquires from the database 4021 is encrypted data, so there is no need to perform file generation processing in a secure and reliable environment.

FIG. 6 is a diagram showing an example of the data structure of sensitive data. Hereinafter, with reference to FIG. 6, the data structure of the sensitive data and the sensitive data satisfying the "predetermined condition" will be described.

As shown in FIG. 6, the sensitive data of this embodiment is a log output by a network device, and includes "device" (device name), "IP address" (location (IP address)), "date" (occurrence date (year, month, day)), "time" (time of occurrence (time)), "application" (application name), "user ID" (user ID), "user" (user name), "event" (event ( Log contents)), and attribute values (character strings or numerical values) of attribute items (columns) such as "flags" (flags indicating errors, warnings, etc.). Further, the sensitive data may include an identifier (“log ID” in FIG. 6) that uniquely identifies the log as an attribute item. Identifiers may be numbers, strings, or combinations thereof. Although predetermined attribute items are shown in FIG. 6 for simplification of explanation, in addition to these, attribute items (not shown) may be included in the sensitive data.

FIG. 6 shows an example of sensitive data. In an actual system, sensitive data output from a certain device for a certain period of time are collectively sent to a proxy server. The example of FIG. 6 shows examples of the devices "Router", "PC01", and "MAIL", but much of the sensitive data is normal data that does not indicate anomalies. Then, on the "Router" device, the network connection was interrupted at the time of "10:01:30", the warning was recorded as "warning", and the connection to the destination address was made at the time of "10:01:31". is not possible, and "error" is stored. Then, at the time of "10:02:00", the error is resolved, and a log indicating normal connection is stored. In this way, a log of warnings and errors is stored for a certain period of time due to an abnormality in the system, but the error will be resolved when a reset or restart is performed by the automatic system recovery processing, and the system will return to normal thereafter. log is stored.

In the device of "PC01" in FIG. 6, an error is stored from the time of "10:00:11". For example, if an unauthorized login is attempted, a user authentication error, etc. will be stored continuously. .

In the device of "MAIL" in FIG. 6, an error is stored at the time of "10:01:30", but it is also assumed that a single error is stored, such as when user authentication simply fails.

Proxy server 2000 acquires sensitive data such as that shown in FIG. 6 from network device 1000 and encrypts it in units of cells, and database server 4000 stores the encrypted sensitive data in a database. Then, in the database server 4000, after a certain period of time has elapsed, the sensitive data is stored in the storage as a file, and the sensitive data that satisfies a predetermined condition is deleted from the database. Sensitive data that satisfies a predetermined condition is, for example, sensitive data indicating abnormalities such as errors and warnings, and sensitive data other than data stored before and after that, but other conditions may be determined.

In FIG. 6, the "log IDs" of data indicating anomalies are 10000201 to 10000203, 10001071 to 10001075, and 10002301. Therefore, for example, if the system operator or the like sets in advance to leave 5 data before and after the data indicating an abnormality in the order of "log ID" as the data to be left in the database, the deletion unit 4032 of the database server 4000 writes 10000196 Leave the data up to ~10000208, 10001066~10001080, 10002296~10002306 in the database, and delete the other data. In addition, the file generation unit 4031 converts all sensitive data (sensitive data of 10000001 to 10002400 in the example of FIG. 6) into files and stores them in the storage.

7 is a flowchart illustrating an example of processing according to the first embodiment; FIG. With reference to FIG. 7, proxy server 2000 acquires a log output from network device 1000 as sensitive data, encrypts it, stores it in database 4021 of database server 4000, and after a certain period of time has elapsed, stores predetermined data in database server 4021. 4000 storage 4022 as a file and then deleting from the database 4021 sensitive data that satisfies a predetermined condition.

In step S<b>101 , the proxy server 2000 acquires sensitive data, which is a network device log, from the network device 1000 .

In step S102, the proxy server 2000 encrypts attribute values corresponding to attribute items of sensitive data in predetermined data units. At this time, an encryption key for encrypting the sensitive data is acquired from the key management server 3000, and the sensitive data is encrypted using the obtained encryption key.

In step S<b>103 , proxy server 2000 transmits the encrypted sensitive data to database server 4000 , and database server 4000 stores the sensitive data obtained from proxy server 2000 in database 4021 .

In step S<b>104 , the database server 4000 creates a file in which the sensitive data stored in the database 4021 is formatted in a predetermined file format after a predetermined period of time, and stores the file in the storage 4022 . In step S104, the sensitive data is filed in a state of being encrypted in a predetermined unit (cell unit, column unit, record unit).

In step S105, the database server 4000 deletes sensitive data that satisfies a predetermined condition from the database 4021 after a predetermined period of time has elapsed. After execution of step S105, the processing in the data management system 1 may be temporarily terminated, or the processing of acquiring the sensitive data and storing it in the database 4021 and the storage 4022 may be continued.

(Hardware configuration diagram)
FIG. 8 is a block diagram showing the hardware configuration of the proxy server 2000. As shown in FIG. Proxy server 2000 is implemented in computer 9001 . A computer 9001 includes a CPU 9002 , a main memory device 9003 , an auxiliary memory device 9004 and an interface 9005 .

The operation of each component of proxy server 2000 is stored in auxiliary storage device 9004 in the form of a program. The CPU 9002 reads out the program from the auxiliary storage device 9004, develops it in the main storage device 9003, and executes the above processing according to the program. Also, the CPU 9002 secures a storage area in the main storage device 9003 according to the program. Specifically, the program is a program that causes the computer 9001 to perform data processing.

Note that the auxiliary storage device 9004 is an example of a non-temporary tangible medium. Other examples of non-transitory tangible media include magnetic disks, magneto-optical disks, CD-ROMs, DVD-ROMs, semiconductor memories, etc. that are connected via the interface 9005 . Further, when this program is distributed to the computer 9001 via a network, the computer 9001 receiving the distribution may develop the program in the main storage device 9003 and execute the processing.

Also, the program may be for realizing part of the functions described above. Furthermore, the program may be a so-called difference file (difference program) that implements the above-described functions in combination with another program already stored in the auxiliary storage device 9004 . Note that the hardware configuration shown in FIG. 8 may be configured similarly to the key management server 3000 and the database server 4000 . Like the proxy server 2000 described above, the operation of each component in these devices is realized by the CPU according to the program stored in the auxiliary storage device.

(Explanation of effect)
As described above, the data management system according to this embodiment encrypts the log output by the network device using a predetermined encryption method and stores it in the database. After a predetermined period of time has elapsed, sensitive data satisfying a predetermined condition, for example, sensitive data other than sensitive data of logs such as error logs that report anomalies in the network device 1000 and peripheral logs are deleted from the database. In addition, all sensitive data including the sensitive data to be deleted from the database are filed and stored in the storage.

The data management system 1 according to this embodiment stores logs in a database format, thereby enabling high-speed searches. In addition, storing data in a database format is often costly, but only sensitive data related to logs that notify anomalies such as error logs and peripheral logs are stored in the database, and other data is filed for storage. , it is possible to search sensitive data that is highly necessary for system management at high speed while suppressing costs.

Furthermore, since the data management system 1 manages the encrypted database, information can be shared by a plurality of persons.

<Modification 1 of Embodiment 1>
The data management system 2 according to Modification 1 is different in that a proxy server 2100 is provided instead of the proxy server 2000 of the data management system 1 according to the first embodiment.

, 1000-N, the proxy server 2100 acquires, encrypts, and stores in the database and storage. The proxy server 2100 also has a function of performing machine learning using logs indicating anomalies such as errors and predicting anomalies from the logs of the network devices 1000-1, 1000-2, . . . , 1000-N.

The data management system 2 according to Modification 1 has the same configuration as the data management system 1 according to Embodiment 1 except that the proxy server 2000 (see FIG. 1) replaces the proxy server 2100 . Therefore, the description of the same parts as in the first embodiment will be omitted below.

(Functional configuration of proxy server 2100)
FIG. 9 is a functional block diagram showing an example of the functional configuration of the proxy server 2100. As shown in FIG. An example of the functional configuration of the proxy server 2100 will be described with reference to FIG.

Proxy server 2100 includes communication unit 2010 , storage unit 2020 , and control unit 2130 , and communication unit 2010 and storage unit 2020 have the same configuration as proxy server 2100 .

The control unit 2130 has functions as a sensitive data acquisition unit 2031 , an encryption unit 2032 and a learning unit 2133 . Note that the sensitive data acquisition unit 2031 and the encryption unit 2032 have the same configuration as that of the proxy server 2000 .

The learning unit 2133 uses, as training data, sensitive data stored in the database, such as sensitive data indicating an abnormality and sensitive data in a certain range before and after the error, from the log output by the network device 1000. Generates a model for machine learning to predict anomalies from the logs output by . The learning unit 2133 may store the generated model in the storage unit 2020, or may store it in an external storage device (not shown).

The learning unit 2133 may relearn and update the machine learning model for predicting anomalies each time the sensitive data in the database 2021 is updated. Also, the machine learning model may be re-learned and updated when a certain amount of sensitive data is collected or when a certain amount of time has passed. As for the machine learning method and model, known methods such as neural network, SVN (Support Vector Machine), decision tree learning, and Bayesian network may be used.

The learning unit 2133 may build a learning model from the sensitive data of a certain person and use it for anomaly prediction from the sensitive data of the person. It may be constructed and used for anomaly prediction from the sensitive data of those multiple persons.

The learning unit 2133 may also predict an abnormality from the log output by the network device 1000 . That is, using a machine learning model that has already been created by learning, the sensitive data, which is the log output by the network device 1000, is input. Based on this, it may be predicted whether an abnormality may occur in the near future.

(Explanation of effect)
As described above, the data management system according to Modification 1 has, in addition to the data management system according to Embodiment 1, a learning function for machine-learning device abnormalities from logs.

Such a learning function enables the proxy server to foresee anomaly before the network equipment notifies of the anomaly. Furthermore, in this modified example, since the sensitive data is managed in a database format, the information can be processed in real time, and since the data is encrypted, multiple persons can share the data. Therefore, when there is a sign that a prominent server has been attacked by a hacker, it becomes possible for other business operators to quickly grasp the fact and take countermeasures. Also, by predicting an abnormality in a network device in advance, it becomes possible to restart the network device in advance or switch to an alternative device, thereby preventing system failure.

In addition, in this modification, since machine learning is performed on sensitive data encrypted by an encryption method (for example, a homomorphic encryption method) that can be operated while encrypted, the risk of information leakage is low and security is high. .

<Modification 2 of Embodiment 1>
The data management system 3 according to Modification 2 is different in that it includes a proxy server 2200 instead of the proxy server 2000 of the data management system 1 according to the first embodiment.

, 1000-N, the proxy server 2200 acquires, encrypts, and stores in the database and storage. The proxy server 2200 also includes a reception unit that receives a search query for searching logs, which is sensitive data, and a search unit that searches sensitive data stored in the storage unit for data corresponding to the search query.

The configuration of the data management system 3 according to Modification 2 is similar to that of the data management system 1 according to the first embodiment, except that the proxy server 2000 replaces the proxy server 2200 . Therefore, the description of the same parts as in the first embodiment will be omitted below.

(Functional configuration of proxy server 2200)
FIG. 10 is a functional block diagram showing an example of the functional configuration of the proxy server 2200. As shown in FIG. An example of the functional configuration of the proxy server 2200 will be described with reference to FIG.

Proxy server 2200 includes communication unit 2010 , storage unit 2020 , and control unit 2230 . Communication unit 2010 and storage unit 2020 are the same as those of proxy server 2000 .

The control unit 2230 has functions as a sensitive data acquisition unit 2031 , an encryption unit 2032 , a reception unit 2234 and a search unit 2235 . Note that the sensitive data acquisition unit 2031 and the encryption unit 2032 have the same configuration as that of the proxy server 2000 .

The receiving unit 2234 receives a query for search processing for searching for a specific log from logs output by the network device 1000 . For example, to retrieve logs for a particular device, or retrieve logs for a particular error, obtain a query to perform such retrieval.

The search unit 2235 uses the query acquired by the reception unit 2234 to execute search processing on the database 4021 or the storage 4022 . For example, when searching the database 4021, the search unit 2235 uses the query and the encryption key obtained from the key management server 3000 to search the sensitive data stored in the database 4021 without decrypting it. I do. The search unit 2235, for example, encrypts the query with the same encryption key and encryption method as the sensitive data (log) to be searched, and obtains search results based on the encrypted query. This encrypts the query, so you can hide what you're searching for. Also, avoid decrypting sensitive data on the system and build a robust system for security.

Note that the method used for the search processing is not limited to the method described above, and an existing method may be used. Also, the proxy server 2200 decrypts the search result using the encryption key used to encrypt the query, and transmits the decrypted search result to the user terminal or the like that sent the query via a secure communication channel.

In addition, when the search unit 2235 executes search processing for files stored in the storage 4022, the search unit 2235 may include logs that satisfy the search conditions for files stored in the storage 4022. Identifies one or more files. If multiple files are identified, the logs contained in each file are integrated into one data set, and the search process is performed on the data set. A data set may be realized by integrating logs on memory, or may be realized by physically generating a file.

For example, since the files stored in the storage 4022 are given file names that can identify the date and time of log occurrence, files that may contain the search target log can be specified based on the log occurrence date and time. may Since the logs included in the specified file are encrypted in predetermined units, they can be searched based on the encrypted query. Note that if the file specified by the search unit 2235 is a dump file, the dump file can be smoothly restored to the same database format as the database 4021, so the search process based on the encrypted query becomes more efficient. target.

In addition, based on the query, the search unit 2235 executes search processing on the database 4021 while encrypting the sensitive data in predetermined data units, and finds that there is no sensitive data that satisfies the query conditions in the database 4021. Accordingly, the search processing may be executed with the storage 4022 as the target. The file stored in the storage 4022 is searched only when the database 4021 does not contain sensitive data that satisfies the query conditions, so the search efficiency can be improved.

(Explanation of effect)
As described above, the data management system according to Modification 2 has, in addition to the data management system according to Embodiment 1, the function of receiving queries and performing search/aggregation of sensitive data.

With such a search function, it is possible to search and aggregate sensitive data corresponding to a query while encrypting sensitive data without decrypting it. In addition, by using the dump file, it is possible to efficiently perform the process of retrieving the files stored in the storage in a database format. By searching for specific sensitive data, it is possible to grasp the state of network equipment, investigate the cause of system failure, predict anomaly alerts, and determine whether to update the firmware or restart. It is possible to improve the convenience of system management such as quick determination of such as.

<Embodiment 2>
In this embodiment, the proxy server 2000 acquires the sensitive data output by the network device 1000, encrypts the sensitive data, and stores it in the database and storage. This embodiment is the same as the first embodiment in that the sensitive data stored in the storage is in a file format. This differs from the first embodiment in that files containing data are encrypted. In addition, since the sensitive data is decrypted once, it is desirable from the viewpoint of security that the file is generated not by the database server but by the proxy server.

(Configuration of data management system 1)
FIG. 11 is a diagram showing the configuration of the data management system 4 according to this embodiment. The configuration of the data management system 4 according to the second embodiment will be described with reference to FIG.

, 1000-N (N is a natural number), a proxy server 2300, a key management server 3000, and a database server 4100. The proxy server 2300 and database server 4100 different from the first embodiment will be described below.

The proxy server 2300 acquires sensitive data stored in the database 4021 for a predetermined period of time after a predetermined period of time has elapsed, converts it into a file, and stores it in the storage. At this time, the proxy server 2300 does not generate a file with the encrypted sensitive data still encrypted, but decrypts the sensitive data once and then acquires the encryption key from the key management server 3000 again. This differs from the first embodiment in that files storing sensitive data are encrypted.

Database server 4100 stores sensitive data encrypted by proxy server 2300 in a database. After a predetermined period of time has passed, the database server 4100 converts the sensitive data stored during the predetermined period into a file format using the proxy server 2300 and stores the file format data in the storage 4122 . In addition, the subtlety data that satisfies a predetermined condition (the subtlety data other than the anomaly-indicating subtlety data and the subtlety data that precedes and follows it temporally) is deleted.

The functional configuration and processing of each server constituting the data management system 4 will be described below. Note that the functional blocks and processing blocks representing each functional configuration may be implemented by one or more devices, computer processors, or distributed groups of computer processors. For example, the functions performed by the proxy server 2300, the key management server 3000, and the database server 4100 may be realized by one device.

FIG. 12 is a conceptual diagram of processing according to the second embodiment. An outline of processing in the data management system 4 will be described with reference to FIG. In FIG. 12, solid-line arrows indicate the flow of processing, and broken-line arrows indicate the flow of data.

Embodiment 2 stores sensitive data, which is an encrypted log file of a communication device, in a database, deletes data that satisfies a predetermined condition after a certain period of time has elapsed, converts the sensitive data into a file, and stores the file in storage. At this time, the sensitive data is decrypted once to form a file, and the encryption key is used again to generate the encrypted file, which is different from the first embodiment.

In FIG. 12, (1) the sensitive data acquisition step, (2) the preprocessing step, and (3) the encryption step are the same as the processing in the first embodiment, so the description is omitted.

(4) File generation step The database server 4100 stores sensitive data in an encrypted file format in storage. The proxy server 2300 obtains an encryption key (a decryption key for decrypting sensitive data) from the key management server 3000, decrypts the sensitive data obtained from the database, and generates a file. By decrypting sensitive data within the proxy server, unauthorized access from the outside can be prevented and files can be generated safely. Then, an encryption key for encrypting the file is obtained from the key management server 3000, and the file is encrypted using the encryption key. At this time, it is desirable to use different encryption keys for the encryption key for file encryption and the encryption key used for storing in the database. Further, while the first embodiment stores encrypted sensitive data in a file, the second embodiment differs in that the file itself is encrypted with respect to the file composed of the decrypted sensitive data.

(5) Deletion step Since it is the same as the first embodiment, the description is omitted.

(Functional configuration of key management server 3000)
Since the configuration is the same as that of the key management server 3000 of the first embodiment, the description is omitted. If the proxy server 2300 uses an encryption key different from the encryption key used to store the sensitive data in the database when converting the sensitive data into a file, in addition to the key management server 3000 of the first embodiment, the file Manage keys when generating.

(Functional configuration of proxy server 2300)
FIG. 13 is a functional block diagram showing an example of the functional configuration of the proxy server 2300. As shown in FIG. An example of the functional configuration of the proxy server 2300 will be described with reference to FIG.

The control unit 2330 has functions as a sensitive data acquisition unit 2031 , an encryption unit 2032 , and a file generation unit 2336 . A sensitive data acquisition unit 2031 and an encryption unit 2032 are the same as in the first embodiment.

The file generation unit 2336 decrypts the encrypted sensitive data acquired from the database 4021, files the decrypted sensitive data, and generates a file. The storage 4122 stores encrypted files of the files generated by the file generation unit 2336 . More specifically, the file generation unit 2336 acquires the encryption key (decryption key for decrypting the sensitive data) from the key management server 3000 for the sensitive data stored in the database 4021, and decrypts the sensitive data. do. After constructing the decrypted sensitive data as a file, the file generation unit 2336 acquires the encryption key again from the key management server 3000, encrypts the file itself, and stores the encrypted file in the storage 4122. .

Note that the order of obtaining the encryption key for encrypting the file is not limited to the above. An encryption key for decrypting sensitive data and an encryption key for encrypting a file may be obtained from the key management server 3000 at any timing, and it is desirable that both encryption keys are different. In addition, it is desirable that the file to be generated is given a file name that can specify the date and time when the log included in the file occurred.

(Functional configuration of database server 4100)

FIG. 14 is a functional block diagram showing an example of the functional configuration of the database server 4100. As shown in FIG. An example of the functional configuration of the database server 4100 will be described with reference to FIG.

Database server 4100 includes communication unit 4010 , storage unit 4120 , and control unit 4130 . Communication unit 4010 is similar to database server 4000 .

The storage unit 4120 also functions as a database 4021 and a storage 4122 .

Storage 4122 stores data generated in file format by proxy server 2300 . The data generated in this file format is generated by decrypting the sensitive data once in the proxy server 2300, generating a file, and then obtaining an encryption key from the key management server 3000 to encrypt the file. data. Therefore, the storage 4122 stores encrypted files.

The control unit 4130 is a processor such as a CPU (Central Processing Unit) that controls each function of the database server 4100 and operates based on a program stored in the storage unit 4120 in advance. A DSP (digital signal processor) or the like may be used as the control unit 4130 . Also, as the control unit 4130, a control circuit such as LSI (large scale integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), or the like may be used.

Also, the control unit 4130 has a function as a deletion unit 4132 .

The deletion unit 4132 deletes sensitive data that satisfies a predetermined condition from the database 4021 after a predetermined period of time has elapsed. It has the same function as the first embodiment.

FIG. 15 is a flowchart illustrating an example of processing according to the second embodiment. Referring to FIG. 15, proxy server 2000 acquires a log output from network device 1000 as sensitive data, encrypts it, stores it in the database of database server 4100, and after a certain period of time has passed, sends predetermined data to database server 4100. The flow of storing as a file in the storage of is explained.

In step S<b>101 , the proxy server 2300 acquires sensitive data, which is the network device log, from the network device 1000 .

In step S102, proxy server 2300 encrypts the sensitive data. At this time, an encryption key for encrypting the sensitive data is acquired from the key management server 3000, and the sensitive data is encrypted using the obtained encryption key.

In step S103, the proxy server 2300 transmits the encrypted sensitive data to the database server 4100, and the database server 4100 stores the sensitive data acquired from the proxy server 2300 in the database.

In step S204, the proxy server 2300 decrypts all sensitive data stored in the database 4021 after a predetermined period of time has elapsed. Then, the decrypted sensitive data is configured as a file, and the file itself is encrypted to generate the encrypted file. Database server 4100 stores the encrypted file in storage.

In step S105, the database server 4100 deletes sensitive data that satisfies a predetermined condition from the database after a predetermined period of time has elapsed.

<Modification of Embodiment 2>
The data management system 4 according to the second embodiment may be provided with a learning unit to learn logs, as in the first modification of the first embodiment.

Further, as in Modification 2 of Embodiment 1, a query for searching may be acquired and logs may be searched. In this case, among the encrypted files stored in the storage, one or more files that may contain logs that satisfy the search conditions are identified, and the files are decrypted. If multiple files are identified, the logs contained in the decrypted files may be merged into a single dataset and searched based on queries in a secure environment.

(Explanation of effect)
As described above, the data management system according to the present embodiment encrypts log data output from network devices using a predetermined encryption method and stores the encrypted data in a database. After a predetermined period of time has elapsed, data that satisfies a predetermined condition, for example, data other than sensitive data such as an error log that informs the network device 1000 of anomalies and peripheral logs are deleted. Remember. At this time, the sensitive data stored in the database is decrypted in the proxy server, configured as a file containing the sensitive data, and then the file itself is encrypted and stored in the storage.

The data management system according to this embodiment is similar to the first embodiment in that it enables high-speed searches by storing logs in a database format. In addition, by encrypting the file itself, it is possible to decrypt all sensitive data in the file with one decryption of the file. Compared to the first embodiment in which all sensitive data in a file cannot be decrypted unless all sensitive data is decrypted, it is possible to easily decrypt all sensitive data. This provides an advantage over the first embodiment in that it is suitable for using and searching data in the decoding area. In addition, since sensitive data encrypted in the proxy server is decrypted and files are generated, unauthorized access can be prevented and files can be generated safely.

<Embodiment 3>
In this embodiment, the proxy server 2400 acquires sensitive data output from the network device 1000, encrypts it, and stores it in the database and storage. The proxy server 2400 differs from the first and second embodiments in that the encrypted sensitive data is stored in the database, and in parallel, a file is generated from the obtained sensitive data and stored in the storage.

(Configuration of data management system 5)
FIG. 16 is a diagram showing the configuration of the data management system 5 according to this embodiment. The configuration of the data management system 5 according to the third embodiment will be described with reference to FIG. 16 .

, 1000-N (N is a natural number), a proxy server 2400, a key management server 3000, and a database server 4100. 16, network devices 1000-1, 1000-2, . A specific example of the network NW is the same as in the first embodiment.

Points that are particularly different from the first embodiment will be described below. The proxy server 2400 acquires the log from the network device 1000 as sensitive data, performs preprocessing as necessary to make it suitable for storage in the database and storage of the database server 4100, encrypts the sensitive data, and then encrypts the sensitive data to the database server. 4100 database. At the same time, the proxy server 2400 generates a file of encrypted sensitive data, or generates a file storing sensitive data before encryption, encrypts it, and stores it in the storage of the database server 4100.

Database server 4100 stores sensitive data encrypted by proxy server 2400 in a database. At the same time, the proxy server 2400 stores in the storage a file generated by filing encrypted sensitive data or a file generated by encrypting a file of sensitive data before encryption. The database server 4100 differs from Embodiments 1 and 2 in that it stores sensitive data in a database and also stores files in a storage in parallel.

The functional configuration and processing of each server, etc., constituting the data management system 5 described above will be described below. Note that the functional blocks and processing blocks representing each functional configuration may be implemented by one or more devices, computer processors, or distributed groups of computer processors. For example, the functions performed by the proxy server 2400, the key management server 3000, and the database server 4100 may be realized by one device.

FIG. 17 is a conceptual diagram of processing according to the third embodiment. An outline of processing in the data management system 5 will be described with reference to FIG. In FIG. 17, solid-line arrows indicate the flow of processing, and broken-line arrows indicate the flow of data.

In the third embodiment, the proxy server 2400 encrypts the sensitive data, which is the log of the communication device, and stores it in the database. After converting the previous sensitive data into a file format, the encrypted file is stored in the storage. The database server 4100 differs from Embodiment 1 or Embodiment 2 in that it stores sensitive data in a database and also stores files in storage in parallel.

(1) Sensitive data acquisition step, (2) preprocessing step (not shown in FIG. 17), and (3) encryption step are the same as the processing in the first embodiment, so description thereof will be omitted.

(4) File generation step The proxy server 2400 stores the encrypted sensitive data in a file format in the storage, or encrypts the file storing the non-encrypted sensitive data, and stores the encrypted file in the storage. memorize to At this time, the sensitive data is stored in the database, and a file storing the sensitive data is stored in the storage in parallel. In Embodiments 1 and 2, the sensitive data is stored in the storage in a file format after the lapse of a predetermined period of time. They are different in terms of memorization.

(5) Deletion step Since it is the same as the first embodiment, the description is omitted.

(Functional configuration of proxy server 2400)
FIG. 18 is a functional block diagram showing an example of the functional configuration of the proxy server 2400. As shown in FIG. An example of the functional configuration of the proxy server 2400 will be described with reference to FIG.

The control unit 2430 has functions as a sensitive data acquisition unit 2031 , an encryption unit 2032 , and a file generation unit 2436 .

A sensitive data acquisition unit 2031 and an encryption unit 2032 are the same as in the first embodiment.

The file generation unit 2436 encrypts the file of the sensitive data acquired from the sensitive data acquisition unit 2031 and creates a file. Alternatively, the file generation unit 2436 converts the encrypted sensitive data acquired from the encryption unit 2032 into a file to generate a file. Then, the file generation unit 2436 stores the generated file in the storage. It is desirable that the file to be generated be given a file name that can specify the date and time when the log contained in the file was generated. Also, the file generation unit 2436 acquires an encryption key from the key management server 3000, for example, and encrypts the file.

The processing in which the file generation unit 2436 generates a file and the storage stores the file, and the processing in which the database stores the sensitive data encrypted by the encryption unit 2032 in a database format are performed in parallel. This embodiment differs from Embodiment 1 or 2 in that the process of storing the file generated by the file generating unit in the storage and the process of storing the sensitive data in the database are performed in parallel.

(Functional configuration of key management server 3000)
Since the configuration is the same as that of the key management server 3000 of the first embodiment, the description is omitted. When the proxy server 2300 encrypts a file and uses an encryption key different from the encryption key used for storing in the database, the file is generated in addition to the key management server 3000 of the first embodiment. to manage keys.

(Functional configuration of database server 4100)

The functional configuration of the database server 4100 is the same as the database server 4100 (see FIG. 14) in the second embodiment.

The storage unit 4120 has functions as a database 4021 and a storage 4122 .

The storage 4122 stores files generated by the file generation unit 2436 . That is, the storage 4122 stores a file generated by converting encrypted sensitive data into a file, or a file generated by encrypting a file containing unencrypted sensitive data.

The control unit 4130 has a function as a deletion unit 4132 .

The deletion unit 4132 deletes sensitive data that satisfies a predetermined condition from the database 4021 after a predetermined period of time has elapsed. It has the same function as the first embodiment.

FIG. 19 is a flowchart illustrating an example of processing according to the third embodiment. Referring to FIG. 19, proxy server 2400 acquires the log output from network device 1000 as sensitive data, encrypts it, and stores it in the database of database server 4100. At the same time, sensitive data in file format is stored in the storage. I will explain the flow to do.

In step S<b>101 , the proxy server 2400 acquires sensitive data, which is the network device log, from the network device 1000 .

In step S102, proxy server 2400 encrypts the sensitive data. At this time, an encryption key for encrypting the sensitive data is acquired from the key management server 3000, and the sensitive data is encrypted using the obtained encryption key.

In step S103, the proxy server 2400 transmits the encrypted sensitive data to the database server 4100, and the database server 4100 stores the sensitive data acquired from the proxy server 2400 in the database.

In step S204, the proxy server 2400 creates a sensitive data file. At this time, the encrypted sensitive data acquired from the encryption unit 2032 may be converted into a file to generate a file, or the file of the sensitive data acquired from the sensitive data acquisition unit 2031 may be encrypted into a file. may be generated.

In step S<b>205 , proxy server 2400 stores the sensitive data file in the storage of database server 4100 .

In step S106, the database server 4100 deletes sensitive data that satisfies a predetermined condition from the database after a predetermined period of time has elapsed.

<Modification of Embodiment 3>
The data management system 5 according to the third embodiment may be provided with a learning unit to learn logs as in the first modification of the first embodiment, or may be configured to learn the log as in the second modification of the first embodiment or the second embodiment. Alternatively, you can retrieve the search query and search the logs.

(Explanation of effect)
As described above, the data management system according to this embodiment encrypts the log output by the network device using a predetermined encryption method and stores it in the database. Further, in this data management system, the process of storing the encrypted sensitive data in the database and the process of storing the file in the storage are performed in parallel. The file to be stored in the storage may be generated by converting the encrypted sensitive data into a file, or may be a file obtained by converting the non-encrypted sensitive data into a file and encrypting the file itself.

Further, after a predetermined period of time has passed, sensitive data satisfying a predetermined condition, for example, sensitive data other than sensitive data of logs notifying an abnormality of the network device 1000 such as an error log and peripheral logs are deleted from the database.

The data management system according to this embodiment is similar to the first embodiment in that it enables high-speed searches by storing logs in a database format. In addition, by storing sensitive data files in the storage in parallel with the process of storing sensitive data in the database, all logs are always stored in the storage, and the structure is resistant to failures in the database server. be able to. In addition, since the sensitive data can be stored in the storage in a file format without decrypting the sensitive data stored in the database, the sensitive data can be efficiently and securely stored in the storage.

In Embodiments 1 to 3 and their modifications, the capacity that can be stored in the database 4021 is large, and there is no problem in storing all sensitive data in the database 4021 from the technical and economic viewpoints. In this case, the sensitive data may not be deleted from the database 4021 . Further, in this case, since the sensitive data are all stored in the database, it is not necessary to store the sensitive data in a file format in the storage.

Further, in the above-described embodiment, the log is described as data output from the device, but it is not limited to output from hardware such as a device. For example, sensing data (vibration, temperature, sound etc.).

Also, the log may record processes that occur in the system, applications, software, etc. as events. For example, by acquiring logs of employee operations on systems and software and analyzing the logs, it is possible to predict the possibility of information leaks based on employee fraudulent behavior. That is, in the present invention, a log is sensitive data including chronological data related to events occurring in hardware or software.

The above embodiment can be implemented in various other forms, and various omissions, replacements, and modifications can be made without departing from the scope of the invention. These embodiments and their modifications are intended to be included in the scope of the invention described in the claims and their equivalents as well as included in the scope and gist of the invention.

1, 2, 3, 4, 5 data management system, 2021 database, 2022 storage, 2031 sensitive data acquisition unit, 2032 encryption unit, 2133 learning unit, 2234 reception unit, 2235 search unit, 2336, 2436 file generation unit, 3031 Key management unit 4021 database 4022, 4122 storage 4031 file generation unit 4032, 4132 deletion unit 9001 computer.

Claims (15)

A data management system comprising a key management server, a proxy server, and a storage area,
The key management server manages encryption keys,
The proxy server
a sensitive data acquisition unit that acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items;
an encryption unit that encrypts attribute values corresponding to the attribute items of the sensitive data in units of predetermined data based on the encryption key;
a receiving unit that receives queries for search processing regarding the attribute values of the sensitive data;
a search unit that executes the search process,
The storage area is
a database that stores the sensitive data encrypted by the encryption unit in an accessible database format in units of the predetermined data;
a storage that stores files containing the sensitive data whose date and time of occurrence are within a predetermined period in an accessible manner in file units;
The search unit is
Based on the query, executing the search process for the database while encrypting the sensitive data in the predetermined data unit,
In response to the fact that there is no sensitive data that satisfies the query conditions in the database, the search processing is executed for the storage based on the information related to the date and time of occurrence given to the file stored in the storage. do,
Data management system. A data management system comprising a key management server, a proxy server, and a storage area,
The key management server manages encryption keys,
The proxy server
a sensitive data acquisition unit that acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items;
an encryption unit that encrypts attribute values corresponding to the attribute items of the sensitive data in units of predetermined data based on the encryption key;
a receiving unit that receives queries for search processing regarding the attribute values of the sensitive data;
a search unit that executes the search process,
The storage area is
a database that stores the sensitive data encrypted by the encryption unit in an accessible database format in units of the predetermined data;
a storage that stores files containing the sensitive data whose date and time of occurrence are within a predetermined period in an accessible manner in file units;
The search unit, based on the query,
When searching the database, executing the search process while encrypting the sensitive data in the predetermined data unit,
When searching the storage, specifying a file that satisfies the query conditions based on the information related to the date and time of occurrence;
When there are a plurality of the identified files, executing the search process for one data set that integrates the sensitive data contained in the plurality of files.
Data management system. A data management system comprising a key management server, a proxy server, and a storage area,
The key management server manages encryption keys,
The proxy server
a sensitive data acquisition unit that acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items;
an encryption unit that encrypts attribute values corresponding to the attribute items of the sensitive data in units of predetermined data based on the encryption key;
a receiving unit that receives queries for search processing regarding the attribute values of the sensitive data;
a search unit that executes the search process;
has
The storage area is
a database that stores the sensitive data encrypted by the encryption unit in an accessible database format in units of the predetermined data;
a storage that stores files containing the sensitive data whose date and time of occurrence are within a predetermined period in an accessible manner in file units;
The search unit, based on the query,
When searching the database, executing the search process while encrypting the sensitive data in the predetermined data unit,
When searching the storage, specifying a file that satisfies the query conditions based on the information related to the date and time of occurrence;
When the identified file is encrypted, decrypting the file and executing the search process for the decrypted file;
Data management system. A data management system comprising a key management server, a proxy server, and a storage area,
The key management server manages encryption keys,
The proxy server
a sensitive data acquisition unit that acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items;
an encryption unit that encrypts attribute values corresponding to the attribute items of the sensitive data in units of predetermined data based on the encryption key;
a receiving unit that receives queries for search processing regarding the attribute values of the sensitive data;
a search unit that executes the search process;
has
The storage area is
a database that stores the sensitive data encrypted by the encryption unit in an accessible database format in units of the predetermined data;
a storage that stores files containing the sensitive data whose date and time of occurrence are within a predetermined period in an accessible manner in file units;
The search unit, based on the query,
When searching the database, executing the search process while encrypting the sensitive data in the predetermined data unit,
When searching the storage, specifying a file that satisfies the query conditions based on the information related to the date and time of occurrence;
When the specified file is a dump file, the dump file is converted to the database format and the search process is executed.
Data management system. The proxy server further has a file generation unit that creates a file of the sensitive data whose date and time of occurrence is within a predetermined period, adds information related to the date and time of occurrence, and generates a file,
the storage stores the file generated by the file generation unit;
The data management system according to any one of claims 1 to 4. A process in which the file generation unit generates a file and the storage stores the file, and a process in which the database stores the sensitive data encrypted by the encryption unit in the database format are performed in parallel. 6. The data management system of claim 5. 7. The data management system according to claim 6, wherein said file generation unit encrypts said file of said sensitive data acquired from said sensitive data acquisition unit to generate said file. 7. The data management system according to claim 6, wherein said file generation unit converts said encrypted sensitive data acquired from said encryption unit into said file to generate said file. 6. The data management system according to claim 5, wherein said file generation unit decrypts said encrypted sensitive data acquired from said database, converts said decrypted sensitive data into said file, and generates said file. . 10. The data management system according to claim 9, wherein said storage stores files encrypted with respect to files generated by said file generation unit. A file generation unit that acquires the sensitive data whose date and time of occurrence is within a predetermined period from the database, converts it into a file, adds information related to the date and time of occurrence, and creates a file;
5. The data management system according to claim 1, wherein said storage stores said file generated by said file generation unit. 12. The data management system according to claim 11, wherein said file generator is provided outside said proxy server. 12. The data management system according to claim 11, wherein said file generated by said file generator is a dump file. A data management method in a system comprising a key management server, a proxy server, and a storage area,
the key management server managing encryption keys;
a step in which the proxy server acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items;
a step in which the proxy server encrypts attribute values corresponding to the attribute items of the sensitive data in predetermined data units based on the encryption key;
a step in which the proxy server receives a query for search processing regarding the attribute value of the sensitive data;
the proxy server executing the search process;
a step in which the database of the storage area stores the sensitive data encrypted in the encrypting step in a database format that can be accessed in units of the predetermined data;
a step in which the storage of the storage area stores files containing the sensitive data whose date and time of occurrence are within a predetermined period in an accessible manner on a file-by-file basis;
The proxy server, in the step of executing the search process,
Based on the query, executing the search process for the database while encrypting the sensitive data in the predetermined data unit,
In response to the fact that there is no sensitive data that satisfies the query conditions in the database, the search processing is executed for the storage based on the information related to the date and time of occurrence given to the file stored in the storage. do,
Data management method. A data management program in a system comprising a key management server, a proxy server, and a storage area,
the key management server managing encryption keys;
a step in which the proxy server acquires sensitive data including at least an event and the date and time of occurrence of the event as attribute items;
a step in which the proxy server encrypts attribute values corresponding to the attribute items of the sensitive data in predetermined data units based on the encryption key;
a step in which the proxy server receives a query for search processing regarding the attribute value of the sensitive data;
the proxy server executing the search process;
a step in which the database of the storage area stores the sensitive data encrypted in the encrypting step in a database format that can be accessed in units of the predetermined data;
a step in which the storage of the storage area stores files containing the sensitive data whose date and time of occurrence are within a predetermined period in an accessible manner on a file-by-file basis;
The proxy server, in the step of executing the search process,
Based on the query, executing the search process for the database while encrypting the sensitive data in the predetermined data unit,
In response to the fact that there is no sensitive data that satisfies the query conditions in the database, the search processing is executed for the storage based on the information related to the date and time of occurrence given to the file stored in the storage. do,
Data management program.

Images