KR101078375B1 - System for tracing user activity using operating system and method thereof - Google Patents

Abstract

The present invention relates to a user behavior tracking system and a user behavior tracking method for tracking a work activity of a user performed by logging in to a server and logging out using an operating system, and recording the work history in a log. According to the present invention, there is provided a user behavior tracking system comprising: a means for extracting an occurrence time, a user ID, and a user IP from an event information and recording the log in an event when a login and logout event of the user occurs; Means for extracting the input contents from the keyboard event information and recording them in a log, and extracting the button click and selection file information from the mouse event information and recording them in the log when an input event occurs by the login user; Means for receiving a port for FTP / Telnet communication and analyzing a packet coming into the port when an FTP / Telnet event occurs, and recording a log of user operations including a command; And a means for receiving a folder and a file to be tracked, and extracting a command, a target file, and file change information from the file change event information and recording the log when the file change event occurs.

Description

System behavior tracing user activity using operating system and method

The present invention registers an event to be tracked using the operating system with respect to the entire work performed by the user by logging in to the system and logging out, and when the event occurs, stores the work as a log to track user behavior. It relates to a user behavior tracking system and a user behavior tracking method.

The computer terminal handles all tasks under the control of the operating system from power on to power off. In this process, the user or the program becomes the execution subject of the computer terminal, and the operating system processes the work request of the execution subject and returns a result to the execution subject.

Recently, in order to track illegal behavior of a user in a computer terminal, researches for tracking various kinds of system objects such as processes, threads, messages, waitable objects, key inputs, file systems, disks, and networks have been conducted. These tracking systems allow users to track their systems while protecting the confidentiality of their data. As the necessity of such a system increases, the variety of security logs rapidly increases. This necessitates the need for computer security log management, including the generation, transmission, storage, analysis and processing of computer security logs. Logs have been used to solve problems, but recently they are used as useful data to optimize the efficiency of a system or network, to record user behavior, or to investigate malicious behavior. Periodic log reviews and analysis can help identify and resolve security incidents, policy violations, fraudulent behavior and operational issues immediately after they occur. Logs can also be very useful for auditing or forensic analysis by supporting the organization's internal investigations, establishing the foundation, and identifying operational flows and long-term problems.

In addition, in the case of a server computer serving a large number of access users, the law is regulated to systematically log management. Examples include the US Federal Information Security Management Resolution (FISMA), US Financial Institution Security Resolution (GLBA), and the US Medical Data Security Standard (HIPAA).

The present invention has been made in view of the above-described points, and the user session by tracking the log on / log off, keyboard and mouse operation history, FTP / Telnet operation history and file system operation history occurring in the process of using the user's computer terminal The purpose of this is to log all the work done in.

According to the user behavior tracking system using the operating system of the present invention for achieving the above object, whether to log each time the event to be tracked from the operating system to track the user behavior and processes performed from the user's login to logout A user behavior tracking system for determining and recording a log, the system comprising: means for extracting and recording an occurrence time, a user ID, and a user IP from an event information when a login and logout event of a user occurs; Means for extracting the input contents from the keyboard event information and recording them in a log, and extracting the button click and selection file information from the mouse event information and recording them in the log when an input event occurs by the login user; Means for receiving a port for FTP / Telnet communication and analyzing a packet coming into the port when an FTP / Telnet event occurs, and recording a log of user operations including a command; Means for receiving a folder and a file to be tracked, and if a file change event occurs, extracting a command, a target file, and file change information from the file change event information and recording the data into a log; And means for capturing a screen and recording the log when a specific event occurs.

delete

Preferably, when receiving a log inquiry request for the user session from the user login to logout, further comprising means for integrating the login / logout log, keyboard / mouse log, file change log to provide a time-sorted session log It is characterized by.

Further, when determining whether to record the log, the log recording is skipped if the occurrence event corresponds to the exception information compared with the exception information including the user, time, session, and event information.

In addition, the log stored by tracking the user's behavior is characterized in that it is provided by the login user's inquiry request.

Preferably, in order to be notified every time an event to be tracked is generated, event notification is pre-registered using a system function in the operating system, and when event occurrence is notified, event filtering is performed to determine whether to log.

Furthermore, the operating system is a Windows-based operating system, in which a system function is registered in the operating system and a message is notified each time an event occurs from the system function.

On the other hand, according to the user behavior tracking method using the operating system of the present invention, in order to track the user actions and processes performed from the user's login to logout, the log is determined after each event occurrence of the tracking target from the operating system to log In the user behavior tracking method of a computer terminal, (S21) When the computer terminal login and logout events occur, the step of extracting the occurrence time, the user ID, and the user IP from the event information to log; (S22) if an input event occurs by the login user, extracting the input content from the keyboard event information and recording the log, and extracting the button click and selection file information from the mouse event information and recording the log; (S23) receiving a port for FTP (File Transfer Protocol) / Telnet communication, and analyzing an incoming packet to the port when an FTP / Telnet event occurs in the port, and recording a log of user operations including a command; (S24) receiving a folder and a file of a tracking target, and if a file change event occurs, extracting a command, a target file, and file change information from the file change event information and recording the log; And (S25) characterized in that it comprises a step of capturing the screen and recording the log when a specific event occurs.

According to the present invention, it is possible to maintain the security of server resources by tracking and recording the user's work activity to the users accessing the server, and monitoring the work activity of the server through the recorded user log.

Hereinafter, with reference to the accompanying drawings looks at in detail the configuration of a preferred embodiment of the present invention.

<1. System configuration>

1 shows a schematic configuration of a user behavior tracking system 1 according to an embodiment of the present invention.

The user behavior tracking system 1 of the present invention may be used by the computer terminal 2 and the computer terminal 2 that record user behavior as a log in the process of providing a server service to a plurality of user terminals 2. And a user terminal 3 using a server resource by accessing a wireless network.

In the present invention, the wired and wireless networks typically include all communication networks capable of data communication using various protocols such as mobile communication networks, wired and wireless public networks such as the Internet, or dedicated networks.

Computer terminal 2 according to an embodiment of the present invention is provided with an operating system (for example, Windows) to provide a server function. The user may directly use the resources of the computer terminal 2 using the peripheral input device of the computer terminal 2, and may use the resources of the computer terminal 2 after remotely connecting using the user terminal 3. .

A log record program is installed in the computer terminal 2 to track all actions (including process actions) of the user during the session setup process from login to logout for users accessing local or remote access and for each event set as a tracking target. Save the log record. The log recording program is composed of a plurality of modules to track user behavior. Examples include user login / logout logging modules, keyboard and mouse logging modules, FTP / telnet logging modules, and file system logging modules. As a result, when querying the data stored in the log, at a glance, it is possible to check at a time when a user logged in from the computer terminal 2, what command was entered, what resource was used, what processing was performed, and when he logged out. Can be. That is, the storage of log records is for tracking the security and misconduct of server resources and is inquired from a user with proper authority.

Logging program gets tracked event and exception condition from administrator. When the event to be tracked is set, the log recording program registers with the operating system in advance by using a system function whenever the event occurs. An exception condition consists of a user account, user session, time, file target, etc., which exempts logging even if an event to be tracked occurs. When notified of the event message, the message structure is analyzed to filter whether it is an event to be tracked, and if it is not an exception condition, it is determined to be the event to be tracked and recorded in real time as a log file.

The user terminal 3 according to an embodiment of the present invention logs in directly to the computer terminal 2 or logs in as an FTP / telnet user using a wired or wireless network. The user action after the login is recorded in the log file in the computer terminal 2.

2 shows a schematic internal structure of a computer terminal 2 according to an embodiment of the present invention.

The computer terminal 2 is provided with an operating system 200, and the operating system 200 controls all processing of the computer terminal 2. Therefore, in order to track user behavior in the computer terminal 2, the user behavior to be tracked in advance is registered in the operating system 200, and an event message is notified when an event occurs from the user behavior to be tracked.

The computer terminal 2 according to the present invention collects and logs a user's login and logout events and logs the log / logout log recording unit 21, and collects and logs a keyboard input or mouse input event of a logged-in user. Input log recording means 22, FTP / Telnet logging means 23 which collects and logs command events of a File Transfer Protocol (FTP) / telnet login user, and changes (creates, modifies, deletes) a file of the login user. And file change log recording means 24 for collecting and recording the event.

Preferably, the apparatus may further include screen log recording means 25 for collecting and recording user screen capture information with respect to the events.

In addition, the events are classified according to each event type and recorded in a log, and may further include a session log providing means 26 for classifying and inquiring all events from a user's login to a logout in chronological order.

Detailed functions and operations of individual components of the computer terminal 2 for tracking user behavior using the operating system shown in FIG. 2 will be described through the user behavior tracking method described below.

<2. Method composition>

The user behavior tracking method using the operating system according to an embodiment of the present invention can be preferably realized through the construction of the system 1 described above.

3 illustrates a conceptual model of a user behavior tracking method according to an embodiment of the present invention.

The computer terminal 2 registers an event to be tracked using a system function in the operating system (S201). After the event is registered, an event message is automatically generated when a user action of a tracking target occurs.

When an event occurs, the computer terminal 2 analyzes the message structure to determine what kind of event the message is (S202). The event analysis process compares with the exception condition and skips logging if the exception condition is met.

If the event is a log recording target, the computer terminal 2 records the log by classifying the event type and stores the log (S203).

4 is a schematic functional sequence of a user behavior tracking method according to an embodiment of the present invention.

① First, the logging process performed by the login / logout log recording means 21 will be described as follows. For convenience of explanation, it is assumed that the Windows operating system. In the Windows server operating system, there is a logon module that manages user connections. When a user attempts to connect, the logon module is driven to provide the user with a login interface.

When a user attempts to connect, the logon module is initialized and the user is informed that the user is logged off. If you press the [Ctrl] + [Alt] + [Del] keys at the same time in the logoff state, the logon request state will be displayed and the authentication request screen will be displayed to the user. , The logon request status is immediately displayed, and the authentication request screen is displayed).

Enter the user name and password in the logon request screen and click the OK button to request authentication from the logon module. If the authentication succeeds according to the authentication request processing of the logon module, the user shell is activated and logged on. If the authentication fails, the user is logged off again. In addition to the user name and password, the logon module of the Windows server determines whether a user is connected based on the account lock status.

The logon control module extends the logon basic conditions of Windows server to strengthen the logon system of Windows server by controlling the logon of users who access the server in more detail according to various conditions such as date, time, day of the week, and connected client IP. Can be.

By using the module as described above, it is possible to obtain information on when and where a user logs on, and when the user logs off.

For this purpose, the login / logout log recording means 21 registers an event function that is generated when an event such as login, logoff, system shutdown, password change, etc. takes place, retrieves the event message, and retrieves detailed information from the message structure. Extract it and write it to a log file (S21).

(2) The logging process of keyboard input and mouse input performed by the input log recording means 22 will now be described.

In the above-described user logon process, when a user logs on to the computer terminal 2, a module for tracking a user's behavior is executed to compare whether the user is a tracked user. If the user to be tracked, the user login time is obtained, and if the user name, session ID, session name, and remote, the client IP and IP information of the computer terminal 2 are obtained. In order to generate unique session information, the session identifier (SID, Primary Key) is created with the hash function sha256 to generate a value distinguishing from other sessions using time, process ID, and session ID information.

User input event hooking is a global hooking that uses a hooking procedure in the form of a dynamic load library. The hook function executes with SetWindowsHookEx, which can track the user's keyboard and mouse input. You can find out which program you are running by getting the process ID, process name, and window title title when you type the keyboard and mouse. The acquired data is exchanged internally by communication through a message, and the log data is generated by comparing the exception policy through the process name, keyboard and screen logging, etc., in order to determine whether to record the acquired data in the log. Determine. Logs include keyboard logs that log the user's keyboard input and screen logs that log the user's screen through mouse input. The screen log captures the user's screen as a bitmap and saves it in JPG to minimize the file size. Considering the size of the screen log, you can log the front window in full screen or user screen.

When a user logs out, the operating system sends a shutdown signal to all processes to signal the user's logout. When this signal is received, the end time is obtained and logging is terminated.

With the above contents, the input log recording means 21 logs the data details entered by the user to be traced by accessing the computer terminal 2 (S22). As a result, the change history of a specific file and the user's behavior can be checked. Of course, even when the user logs on locally directly or logs on to the network remotely using the user terminal 3, all can be logged.

(3) The logging process of the FTP / telnet operation performed by the FTP / telnet log recording means 23 is explained as follows.

In the promiscuous mode, you can view all the packets of the network through the network interface by using the library that analyzes the packets. In this mode, the destination is the computer terminal (2) and enters the set port (port 21 for FTP service). Analyze the packet. Here, since the FTP service port can be changed, the service port is registered in advance and stored before use. In general, if you obtain a network interface provided by the library, set it to Promiscuous mode, and set a filter for the port, packets are passed to the callback. You can log the user's behavior through the FTP COMMANDS by looking at the data of the packets that have passed. For example, if "USER" is detected from a packet, the user name is classified. If "LIST" is detected, a list of files is detected. If "DELETE" is detected, the file is deleted.

As described above, the FTP / Telnet log recording means 23 stores details of operations, such as uploading or downloading, by a user connected to the FTP service in a log file (S23). Since the work history of the user who accesses the telnet service can be obtained in a similar manner, the description thereof is omitted.

④ The change logging process of the file system performed by the file change log recording means 24 is described as follows.

By obtaining the handle of a fixed drive and registering a file system change notification function (for example, ReadDirectoryChangesW) to the operating system, each time a file change event occurs, the file's work history is received as a structure. This structure contains files created, deleted, renamed, modified, updated, changed security attributes, resized, changed creation time, last access time changed, last write time changed, and property changed (read). , Hidden)) to keep track of file changes.

With the above contents, the file change log recording means 24 stores the change history working on the file as a log file (S24).

(5) The screen log recording means 25 captures user screen information on a specific event specified by the user and stores it as a log file (S25). Although the screen capture is shown when a mouse event occurs, it is also possible to capture and save a screen provided to a user at a specific key input or other event (for example, when logging in, changing a file, or executing a specific command after FTP connection). .

(6) The session log providing means 26 provides all events worked during the session setup up to the logout after the user logs on by the user request (S26). Session log file can be provided by saving session log file separately or by receiving the request from the user and receiving events from existing logs (login / logout log, input log, FTP / telnet log, file change log, screen capture log). It is possible to collect in real time and provide it to the user. When storing session log files, the same individual events can be stored redundantly.

<3. Screen example>

5 to 13 show screens of a log recording program installed in the computer terminal 2 according to one embodiment of the present invention to track and record user actions.

5 to 7 illustrate screens for which an administrator sets an environment. Referring to Fig. 5, as an environment setting screen of the log recording program, the administrator selects a log (keyboard log, screen log, FTP execution log, etc.) to be tracked. Corresponding user action events are recorded in the log file by the administrator's log selection. Also, screen capture setting information, keyboard event and mouse event to be monitored are set. If you set up a screen capture log, you can choose whether to capture the entire user's screen or only the top-level window the current user is working on. Of course, when capturing the uppermost window, only the execution window is captured in the entire user screen, thereby reducing the file size. In addition, the quality, resolution, size, storage path, etc. of the screen capture image may be set in consideration of the storage capacity of the file size of the capture screen.

Referring to FIG. 6. When an administrator registers a user account or process to be monitored and the registered user account logs in, it is tracked until logging out. In addition, the execution of the registered process is subject to tracking.

Referring to FIG. 7, an administrator may register a path of a file system to be traced and a file event (create, change, rename, delete) to be traced. That is, when the file change event of the tracking target is generated after the user of the tracking target logs in, the file change information is recorded in a log.

Referring to FIG. 8, as a screen for searching a session log, information on a session connected to or being connected to the computer terminal 2 is displayed in a top window, and when a specific session is selected, a work activity event of the user occurs in the bottom window. It is listed in order of window title, process name, and process ID.

Referring to FIG. 9, when the administrator sets the capturing of the user's entire screen when the file generation event occurs, the user's full screen is captured after the file creation event is detected after the user creates a "new text document.txt".

Referring to FIG. 10, when a user keyboard input is performed in the text file of FIG. 9, a log file in which user input data is recorded by detecting a keyboard event is illustrated. If you open the log file, you can see that the user presses the Hangul key, enters "question", presses the F2, End, and Backspce keys, and then enters "west" again.

Referring to FIG. 11, it can be seen from the file system log that the event is generated while a user moves a folder and works on a text file.

Referring to Fig. 12, a password policy of a user account is shown as a "password policy" screen.

Referring to FIG. 13, it can be seen that an "login policy" screen defines an account that is allowed to log in, a login allowed time, and the like, and allows a user to log in only when the defined content is met.

As described above, an embodiment of a user behavior tracking system and a user behavior tracking method using an operating system according to the present invention is configured. While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. It goes without saying that various modifications and variations are possible within the scope of equivalence of the scope.

The following drawings, which are attached to this specification, illustrate preferred embodiments of the present invention, and together with the detailed description of the present invention serve to further understand the technical spirit of the present invention. It should not be construed as limited to.

1 is a schematic configuration diagram of a user behavior tracking system according to an embodiment of the present invention.

2 is a schematic internal structural diagram of a computer terminal according to an embodiment of the present invention.

3 is a schematic flowchart of a user behavior tracking method according to an embodiment of the present invention;

4 is a schematic functional flow diagram of a method of tracking user behavior according to one embodiment of the present invention.

5 to 13 is a screen capture of the computer terminal according to an embodiment of the present invention.

Claims (14)

In the user behavior tracking system to record the log after determining whether or not to log every time the event to be tracked from the operating system to track the user behavior and processes performed from the user's login to logout, A means for extracting an occurrence time, a user ID, and a user IP from the event information and logging them to the log when a login and logout event of the user occurs; Means for extracting the input contents from the keyboard event information and recording them in a log, and extracting the button click and selection file information from the mouse event information and recording them in the log when an input event occurs by the login user; Means for receiving a port for FTP / Telnet communication and analyzing a packet coming into the port when an FTP / Telnet event occurs, and recording a log of user operations including a command; Means for receiving a folder and a file to be tracked, and if a file change event occurs, extracting a command, a target file, and file change information from the file change event information and recording the data into a log; And Means of screen capture and logging to a specific event User behavior tracking system comprising a. delete The method of claim 1, And receiving a log inquiry request for the user session from the user login to the logout, and further comprising means for providing the log of logs arranged in chronological order by integrating the log / logout log, keyboard / mouse log, and file change log. User behavior tracking system. The method according to claim 1 or 3, And determining whether the log is recorded or not, if the occurrence event corresponds to the exception information in comparison with exception information including user, time, session, and event information. The method of claim 4, wherein The user behavior tracking system, characterized in that the log stored by tracking the user's behavior is provided by the request of the login user. The method of claim 5, In order to be notified every time an event to be tracked, user behavior tracking system to register the event notification in advance by using a system function in the operating system, and if the event occurrence is notified by performing event filtering to determine whether to log. The method of claim 6, The operating system is a Windows-based operating system, and a system function is registered in the operating system, and a user behavior tracking system characterized in that a message is notified each time an event occurs from the system function. In the user behavior tracking method of a computer terminal for recording a log after determining whether or not to log each time the event to be tracked from the operating system in order to track the user actions and processes performed from the user login to logout, (S21) when the computer terminal generates a login and logout event of the user, extracting an occurrence time, a user ID, and a user IP from the event information and recording the result in a log; (S22) if an input event occurs by the login user, extracting the input content from the keyboard event information and recording the log, and extracting the button click and selection file information from the mouse event information and recording the log; (S23) receiving a port for FTP (File Transfer Protocol) / Telnet communication, and analyzing an incoming packet to the port when an FTP / Telnet event occurs in the port, and recording a log of user operations including a command; (S24) receiving a folder and a file of a tracking target, and if a file change event occurs, extracting a command, a target file, and file change information from the file change event information and recording the log; And (S25) recording a screen by capturing a screen when a specific event occurs User behavior tracking method comprising a. delete The method of claim 8, (S26) when receiving a log inquiry request for the user session from the user login to logout, further comprising the step of providing a session log sorted in chronological order by integrating the login / logout log, keyboard / mouse log, file change log User behavior tracking method, characterized in that. The method of claim 8 or 10, And determining whether the log is recorded, and if the occurrence event corresponds to the exception information, comparing the exception information including the user, time, session, and event information, and omitting the log recording. The method of claim 11, The user behavior tracking method characterized in that the log stored by tracking the user's behavior is provided by the request for the login user's inquiry. The method of claim 12, In order to be notified every time an event to be tracked, user behavior tracking method comprising registering the event notification in advance by using a system function in the operating system, and performing event filtering to determine whether to record the log when the event occurrence is notified. The method of claim 13, An operating system is a Windows-based operating system, in which a system function is registered in the operating system and a message is notified each time an event occurs from the system function.

Images