KR101663585B1 - Access management system for enterprise information system using Big-data analysis based on work action and method thereof - Google Patents

Publication number: KR101663585B1
Authority: KR (South Korea)
Prior art keywords: action, user, pattern information, behavior, pattern
Application number: KR1020160021970A
Other languages: Korean (ko)
Inventors: 김경배, 서정민
Original Assignee: 서원대학교산학협력단, 주식회사 디커뮤니케이션즈
Application filed by: 서원대학교산학협력단, 주식회사 디커뮤니케이션즈

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/316 User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

An information system access control system using a big data analysis technique based on the business activity of an enterprise, and a method thereof, are disclosed. An access control system for performing access control of a user who wishes to access a resource of the company includes: a behavior pattern DB that stores behavior pattern information that can occur in the company; a log collection module that collects an action by which the user attempts to access the resource; a user pattern module that extracts from the DB user reference pattern information corresponding to the user, which is specified based on the action and is part of the behavior pattern information, and loads it into memory (in-memory); and a control module that determines, based on the user reference pattern information, whether a user action set including the next action after the action is a normal action.

Description

[0001] The present invention relates to an information system access control system and method using a big data analysis technique based on the business activity of an enterprise, and more particularly, to a system and method that analyze the behavior of a company member who wants to access an enterprise information system (or corporate resource) in order to determine effectively and quickly whether the user's action is a normal action or an illegal act.

Recently, the development and generalization of computer and network systems have enabled many information resources of companies to be physically and logically connected, making it easier to access information resources. However, this situation has resulted in many adverse effects such as illegal access and release of resources such as information systems and data files in enterprises or organizations.

There have been various methods for solving such problems. Traditionally, access to resources is restricted according to the access rights set for each member (user) in advance. However, this case does not prevent illegal actions from being performed within the access rights, and fails to operate normally when the authentication of access rights is disabled.

To solve such problems, methods of analyzing abnormal patterns based on actions have been known. One example is disclosed in Korean Patent No. 10-150448, "Detection of abnormal access using normal behavior profile".

However, the above-described known technique is an abnormal behavior detection technique using a statistical method. In this method, abnormal behavior is determined based on statistical values obtained from past experience. However, it is difficult to detect all illegal activities using past statistical information alone.

In addition, when information on past normal activities is enormous, it is unreasonable to carry out judgment of illegal acts in real time, and if the real time property is low, there can be a fatal problem in access control.

Korean Registered Patent Registration No. 10-150448, "Detection of abnormal access using normal behavior profile"

SUMMARY OF THE INVENTION Accordingly, the present invention has been made in view of the above problems, and an object of the present invention is to provide a system and method that collect the behavior patterns that may occur in an enterprise, predict in advance the information needed to judge whether an action, or a series of actions including that action, is a normal action or an illegal act, and hold that information in memory, thereby increasing real-time performance.

Another object is to provide a system and method that classify behavior patterns in advance according to the characteristics of the company and use only the required behavior patterns, among the classified patterns, for each user, so that whether the user's behavior is normal can be judged more accurately and quickly.

It is another object of the present invention to provide a system and method for efficiently determining whether a continuous user action is normal even when the user's action is defined by continuous user actions.

In addition, depending on the type of business or the characteristics of the company, some of the actions a user can perform are treated as normal actions only within a limited frequency, as opposed to when the action is repeated beyond that frequency. In such a case, if normality or illegality is judged simply for each action on its own, the judgment of normality may be wrong. Therefore, it is a further object of the present invention to provide a system and method for effectively determining whether an action is normal according to its occurrence frequency.

In order to solve the above technical problem, an access control system for performing access control of a user who wishes to access a resource of a company includes a behavior pattern DB for storing behavior pattern information that can occur in the company, a log collection module for collecting an action by which the user attempts to access the resource, a user pattern module for extracting from the DB user reference pattern information corresponding to the user, which is specified based on the action and is part of the behavior pattern information, and loading it into memory (in-memory), and a control module for determining, based on the user reference pattern information, whether a user action set including the next action after the action is a normal action.

The behavior pattern DB may include a normal behavior pattern DB storing normal behavior pattern information classified as normal behavior in the company and an illegal behavior pattern DB storing illegal behavior pattern information classified as illegal behavior. Even if each of the plurality of actions included in the user action set corresponds to a normal behavior pattern, when the plurality of actions occur consecutively and the user action set is defined as an illegal behavior pattern stored in the illegal behavior pattern DB, the user action set can be judged to be an illegal act.

The behavior pattern DB may include a normal behavior pattern DB storing normal behavior pattern information classified as normal behavior in the company and an illegal behavior pattern DB storing illegal behavior pattern information classified as illegal behavior. When an action included in the user action set corresponds to neither a normal behavior pattern nor an illegal behavior pattern, the action is determined to be an abnormal behavior, and whether the action is normal is determined according to the result of determining whether the user action set is normal.

The behavior pattern DB may include behavior pattern information for each job group of the company or for each position in the company, and the user pattern module can specify the user reference pattern information from the job-group or position behavior pattern information that corresponds to the user's job group or position.

The user pattern module may extract, as the user reference pattern information, the behavior pattern information that corresponds to the linked action predicted to be performed after the action.

Depending on whether the next action after the action corresponds to the predicted linked action, the user pattern module may release the in-memory user reference pattern information, load new user reference pattern information into memory, or maintain the in-memory user reference pattern information.

If the user action set includes a plurality of consecutive actions, the control module determines whether each of the actions is normal, and if a predetermined number or more of consecutive actions are determined to be abnormal, it can determine whether the user action set is illegal based on the ratio of actions determined to be abnormal behavior.

When the user performs a plurality of independent actions, the control module determines whether each of the plurality of actions is normal, and can judge to be an illegal act an action whose occurrence frequency as an abnormal behavior exceeds a preset allowable frequency.

The control module may attenuate the occurrence frequency of an action determined to be abnormal by a predetermined value when a predetermined attenuation event occurs.
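The two aggregate rules and the attenuation rule just described can be sketched as follows. This is an added illustration, not code from the patent: the verdict strings, the thresholds (`min_run`, `max_ratio`, the allowable frequencies, the decay step) and the choice of a periodic timer as the attenuation event are all assumptions, and the action name is constructed sample data.

```python
from collections import Counter
from typing import Dict, List


def longest_abnormal_run(verdicts: List[str]) -> int:
    """Length of the longest run of consecutive 'abnormal' verdicts."""
    best = run = 0
    for v in verdicts:
        run = run + 1 if v == "abnormal" else 0
        best = max(best, run)
    return best


def judge_action_set(verdicts: List[str], min_run: int = 3,
                     max_ratio: float = 0.5) -> str:
    """Ratio rule for a set of consecutive actions.

    The ratio of abnormal actions is only consulted once at least
    `min_run` consecutive actions were abnormal (assumed thresholds).
    """
    if not verdicts:
        return "normal"
    if "illegal" in verdicts:
        return "illegal"
    ratio = verdicts.count("abnormal") / len(verdicts)
    if longest_abnormal_run(verdicts) >= min_run and ratio > max_ratio:
        return "illegal"
    return "abnormal" if "abnormal" in verdicts else "normal"


class AbnormalFrequencyTracker:
    """Frequency rule for independent actions, with attenuation."""

    def __init__(self, allowed: Dict[str, int], default_allowed: int = 1,
                 decay_step: int = 1) -> None:
        self.allowed = allowed              # action -> allowable frequency
        self.default_allowed = default_allowed
        self.decay_step = decay_step        # subtracted per attenuation event
        self.counts: Counter = Counter()

    def record(self, action: str, verdict: str) -> str:
        """Return the final verdict for one action after the frequency check."""
        if verdict != "abnormal":
            return verdict
        self.counts[action] += 1
        limit = self.allowed.get(action, self.default_allowed)
        return "illegal" if self.counts[action] > limit else "abnormal"

    def attenuate(self) -> None:
        """Call on each attenuation event (assumed here: a periodic timer)."""
        for action in list(self.counts):
            self.counts[action] = max(0, self.counts[action] - self.decay_step)
            if self.counts[action] == 0:
                del self.counts[action]


def demo() -> List[str]:
    """Replay a constructed stream: two hits, one decay event, two more hits."""
    tracker = AbnormalFrequencyTracker({"bulk_download": 2})
    out = [tracker.record("bulk_download", "abnormal") for _ in range(2)]
    tracker.attenuate()
    out += [tracker.record("bulk_download", "abnormal") for _ in range(2)]
    return out


if __name__ == "__main__":
    print(judge_action_set(["normal", "abnormal", "abnormal", "abnormal", "normal"]))
    print(demo())
```

Without the attenuation call the third repetition would already exceed the allowable frequency; with it, the counter drops by one and the block is deferred to the fourth.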

According to another aspect of the present invention, there is provided an access control system for performing access control of a user who wants to access a resource of an enterprise, including a behavior pattern DB storing behavior pattern information that can occur in the enterprise, a log collection module for collecting an action by which a user attempts to access the resource, and a control module for determining whether a plurality of actions collected by the log collection module are normal actions. The control module determines whether each of the actions is normal and, if a predetermined number or more of consecutive actions are determined to be abnormal behavior (an abnormal behavior being an action that corresponds to neither a normal behavior pattern nor an illegal behavior pattern), determines whether at least one of the plurality of actions is illegal based on the ratio of actions judged to be abnormal behavior among the plurality of actions.

According to another aspect of the present invention, there is provided an access control system for performing access control of a user who wants to access a resource of an enterprise, including a behavior pattern DB storing behavior pattern information that can occur in the enterprise, a log collection module for collecting an action by which a user attempts to access the resource, and a control module for determining whether a plurality of actions collected by the log collection module are normal actions. The control module determines whether each of the plurality of actions is normal, and determines to be an illegal act an action whose occurrence frequency as an abnormal behavior exceeds a preset allowable frequency.

According to another aspect of the present invention, there is provided an access control method for performing access control of a user who wants to access a resource of an enterprise, the method comprising: storing, by an access control system, behavior pattern information that can occur in the enterprise; collecting, by the access control system, an action by which a user attempts to access the resource; extracting from the stored information, by the access control system, user reference pattern information corresponding to the user, which is specified based on the action and is part of the behavior pattern information, and loading it into memory (in-memory); and determining, by the access control system, based on the in-memory user reference pattern information, whether a user action set including the next action after the action is a normal action.

In order to solve the above technical problem, an access control method for performing access control of a user who wants to access a resource of an enterprise includes: storing, by an access control system, behavior pattern information that can occur in the enterprise; collecting, by the access control system, an action by which a user attempts to access the resource; and determining, by the access control system, whether a plurality of collected actions are normal actions. The step of determining whether the plurality of collected actions are normal actions includes: determining whether each of the actions is normal; determining whether a predetermined number or more of consecutive actions are abnormal behavior (an abnormal behavior being an action that corresponds to neither a normal behavior pattern nor an illegal behavior pattern); and determining whether at least one of the plurality of actions is illegal based on the ratio of actions determined to be abnormal behavior among the plurality of actions.

In order to solve the above technical problem, an access control method for performing access control of a user who wants to access a resource of an enterprise includes: storing, by an access control system, behavior pattern information that can occur in the enterprise; collecting, by the access control system, an action by which a user attempts to access the resource; and determining, by the access control system, whether a plurality of collected actions are normal actions. The step of determining whether the plurality of collected actions are normal actions includes determining whether each of the plurality of actions is normal, and judging to be an illegal act an action whose occurrence frequency as an abnormal behavior exceeds a preset allowable frequency.

The above method can be performed by a program installed in the data processing apparatus.

According to the technical idea of the present invention, the user reference pattern, which is the criterion for judging whether user behavior is normal, is limited to a predetermined level and loaded into memory in advance, and normality is judged against it, which improves the real-time performance that is very important in access control.

In addition, according to the characteristic of the company, it is possible to distinguish the behavior patterns in advance according to the occupation group and the position, and to use the required behavior patterns among the behavior patterns classified by the users in a limited manner, .

Further, even when the user's behavior is defined by consecutive user actions, there is an effect that whether it is normal can be judged by comprehensively considering the user actions as a whole.

In addition, by defining abnormal behaviors whose normality needs to be judged according to their frequency of occurrence, whether such behavior is normal can be determined effectively.

BRIEF DESCRIPTION OF THE DRAWINGS A brief description of each drawing is provided to more fully understand the drawings recited in the description of the invention.
FIG. 1 shows a schematic system configuration for implementing an information system access control method using a big data analysis technique based on a business activity according to an embodiment of the present invention.
FIG. 2 shows a schematic configuration of an information system access control system using a big data analysis technique based on a business activity according to an embodiment of the present invention.
FIG. 3 is a view for explaining examples of user actions according to an embodiment of the present invention.
FIG. 4 is a view for explaining an example of a behavior pattern DB according to an embodiment of the present invention.
FIG. 5 is a diagram for explaining whether a normal behavior is determined in the case of using an illegal behavior DB according to an embodiment of the present invention.
FIG. 6 is a diagram for explaining a concept of in-memorying a user reference pattern according to an embodiment of the present invention.
FIG. 7 is a diagram for explaining a concept of determining whether a user action set by continuous action is normal according to an embodiment of the present invention.
FIG. 8 is a diagram for explaining the occurrence frequency and the attenuation rule of the abnormal behavior according to the embodiment of the present invention.

In order to fully understand the present invention, its operational advantages, and the objects achieved by its practice, reference should be made to the accompanying drawings, which illustrate preferred embodiments of the present invention, and to the contents described in them.

In the present specification, when one component 'transmits' data to another component, the component may transmit the data directly to the other component or may transmit the data to the other component through at least one further component. Conversely, when one component 'directly transmits' data to another component, it means that the data is transmitted to the other component without passing through any further component.

Also, the terms first, second, etc. may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise.

Also, in this specification, terms such as "comprises" or "having" specify the presence of the stated features, numbers, steps, operations, components, parts, or combinations thereof, but do not preclude the presence or addition of other features, numbers, steps, operations, components, parts, or combinations thereof.

Hereinafter, the present invention will be described in detail with reference to the embodiments of the present invention with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

FIG. 1 shows a schematic system configuration for implementing an information system access control method using a big data analysis technique based on a business activity according to an embodiment of the present invention.

Referring to FIG. 1, an information system access control system (hereinafter, referred to as an 'access control system') 100 using a business-activity-based big data analysis technique may be implemented to implement the technical idea of the present invention.

The access control system 100 may be a system for implementing access control of an information system of the enterprise, that is, a resource (information resource), provided in a predetermined company.

The resource may include any system resource or information provided in the enterprise, and/or any type of hardware, data, and/or software to which access needs to be controlled.

For example, the resource may be the hardware of the terminal 200 used by members of a specific company or information held in the terminal 200, or it may be a common resource 300 (for example, a corporate server, an enterprise solution, a database, etc.).

Needless to say, the access control system 100 can perform predetermined user authentication separately from the technical idea of the present invention. To this end, the access control system 100 may further include a user DB (not shown) and can authenticate the user using the information in the user DB (not shown). When authentication of the user fails, access to the resources of the company can be made impossible. The access control system 100 according to the technical idea of the present invention judges the legitimacy of the behavior of the user who wants to access the resources of the company, so that effective access control can be performed.

When the authentication of the user is performed, the user can be specified. Then, the access control system 100 can confirm the user's job group information (for example, business unit, assigned work, business process, etc.) through the user DB. The access control system 100 may also check the user's position information in the enterprise (for example, the duties of the position, the access rights by position, etc.).

Using the information thus confirmed, the access control system 100 according to the technical idea of the present invention can limit the behavior pattern information to that customized for the user, and can thereby quickly determine whether each action, or a user action set that is a set of actions, is normal.

Unlike the conventional approach of selectively controlling, per user, the access rights to a specific system or specific information, this behavior-based access control means that differentiated access control can be performed according to the user's actions even for a user who has access rights to a company resource such as a specific system or specific information. In addition, it can detect cases in which each action is normal by itself but the actions, performed consecutively, amount to an illegal act.

To this end, the access control system 100 may use a behavior pattern DB of behaviors that can occur in the business activity of a company. The behavior pattern information included in the behavior pattern DB may be information obtained by digitizing the actions of users that occur in the business activity of the company.

Such behavior pattern information can be stored in any data form as long as it can express each action performed by the user. For example, a data structure capable of defining a behavior may be defined according to the type of the behavior and the object of the behavior, and each behavior may be defined through that data structure. Alternatively, a predetermined coordinate system may be defined, and each action may be defined as a coordinate in that multidimensional coordinate system. Alternatively, the behavior pattern information may be defined as a text-based rule-set, and an analysis protocol that allows comparison with the behavior pattern information may be applied to an action performed by the user on the resource. The behavior pattern information may be information that defines whether a single action is a normal action or an illegal action, as described later, but it may also be information that defines whether a series of consecutive actions is a normal action or an illegal action.

Such actions may mean each unit action that can be taken, for example, executing a particular program, accessing specific information, changing file names, changing or deleting information, accessing a particular network, connecting to particular hardware, or connecting a particular device.

Each of these actions may be a meaningful action for which it can be determined, from the action itself, whether it is a normal action that the company requires or an illegal action that the company wants blocked, or it may be an action for which a plurality of actions must be performed consecutively before normality can be determined. Such a plurality of consecutive meaningful actions may constitute one user action set.

Of course, as will be described later, a plurality of actions independent of each other and performed within a predetermined time may constitute a user action set.

In any case, according to the technical idea of the present invention, the object of the normality determination may be an action itself or a user action set including a plurality of actions.

As described above, if each action or a plurality of actions of the user can be defined as a behavior pattern in a predetermined manner, access control can be performed based on the behavior pattern.

According to the technical idea of the present invention, the behavior pattern defined in the access control system 100 may include an illegal behavior pattern as well as a normal behavior pattern regarded as a normal behavior of the user.

That is, in the above-described prior art and the like, normal behavior patterns are defined in advance in order to perform behavior-based access control, and when a user action is performed, it is compared with the normal behavior patterns in a predetermined manner to determine whether it is normal or illegal. However, according to the technical idea of the present invention, illegal behavior patterns can be defined in advance separately from the normal behavior patterns. That is, the behavior pattern DB may include a normal behavior pattern DB and an illegal behavior pattern DB.

If illegal behavior patterns are defined in advance, it is possible to detect behavior types that cannot be detected from normal behavior patterns alone (for example, a combination of consecutive normal actions). For access control that relies only on normal behavior patterns to be effective, the normal behavior patterns themselves must be defined very extensively and thoroughly, but given the scope and environment of the business activity of the company this is practically difficult; defining illegal behavior patterns has the effect of solving this problem. In addition, by defining illegal behavior patterns together with normal behavior patterns, the probability of false detection, in which a normal action is judged to be an illegal act, can be reduced, and illegal behavior patterns can be defined more clearly than normal actions.

According to the technical idea of the present invention, when the access control system 100 determines that an action or a user action set is an illegal act, the access control system 100 may block the user from accessing the resource.

Meanwhile, according to the technical idea of the present invention, an action of the user may correspond to neither an illegal behavior pattern nor a normal behavior pattern. Such a case is defined as an abnormal behavior in this specification. In such a case, it may be impossible to determine whether the action is illegal or not. For such an abnormal behavior, whether the action, or the entire user action set including the action, is a normal action or an illegal action may be determined by subsequent user actions.

In addition, when an abnormal behavior is detected, the access control system 100 does not block access immediately in response to the request for the action, and may perform blocking once subsequent user actions have additionally been performed. For example, if a certain activity occurs in a company once or twice, it can be regarded as a normal business activity, but if it occurs too frequently within a predetermined time, it may be an activity that can be regarded as abnormal.

In such a case, it may be practically difficult to define whether the act itself is normal or illegal.

Therefore, in the technical idea of the present invention, when it is not easy to determine whether a specific action is a normal action or an illegal action, the action is treated as an abnormal behavior, and once such an abnormal behavior has been performed, it may be judged afterwards whether it was an illegal act or a normal act. Of course, in this case, if at least one subsequent user action is performed and an illegal act is determined through that user action, access to the resource may be blocked.

By defining the abnormal behavior (i.e., a pattern that corresponds to neither a normal behavior pattern nor an illegal behavior pattern), it becomes possible to determine normality by considering consecutive actions on a specific resource, or by considering all of a plurality of actions within a predetermined time.

On the other hand, real-time performance can be very important in access control. If whether to allow or deny access cannot be decided in real time, control may come only after the illegal act has already taken place.
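The three-way judgment described above (normal, illegal, or abnormal when neither DB matches), including an illegal pattern made up of consecutive individually normal actions, can be sketched as follows. This is an added illustration, not code from the patent: the representation of an action as a (verb, object) pair, the pattern contents and the five-action window are assumptions, and all sample data is constructed.

```python
from enum import Enum
from typing import List, Sequence, Set, Tuple

Action = Tuple[str, str]  # (verb, object); an assumed data structure


class Verdict(Enum):
    NORMAL = "normal"
    ILLEGAL = "illegal"
    ABNORMAL = "abnormal"  # matches neither DB; decision is deferred


# Constructed sample contents of the normal and illegal behavior pattern DBs.
NORMAL_PATTERNS: Set[Action] = {
    ("open", "customer_db"), ("export", "customer_db"),
    ("attach", "mail"), ("send", "external_mail"), ("open", "wiki"),
}
ILLEGAL_PATTERNS: Set[Action] = {("disable", "dlp_agent")}
# Illegal pattern defined over consecutive actions that are each normal.
ILLEGAL_SEQUENCES: List[Tuple[Action, ...]] = [
    (("export", "customer_db"), ("attach", "mail"), ("send", "external_mail")),
]


def classify_action(action: Action) -> Verdict:
    """Judge one action against the illegal DB first, then the normal DB."""
    if action in ILLEGAL_PATTERNS:
        return Verdict.ILLEGAL
    if action in NORMAL_PATTERNS:
        return Verdict.NORMAL
    return Verdict.ABNORMAL


def classify_action_set(actions: Sequence[Action]) -> Verdict:
    """Judge a user action set made of consecutive actions."""
    per_action = [classify_action(a) for a in actions]
    if Verdict.ILLEGAL in per_action:
        return Verdict.ILLEGAL
    for seq in ILLEGAL_SEQUENCES:
        n = len(seq)
        for i in range(len(actions) - n + 1):
            if tuple(actions[i:i + n]) == seq:
                return Verdict.ILLEGAL
    if Verdict.ABNORMAL in per_action:
        return Verdict.ABNORMAL
    return Verdict.NORMAL


class SessionMonitor:
    """Streams one user's actions and blocks only on an illegal verdict."""

    def __init__(self, window: int = 5) -> None:
        self.window = window          # how many recent actions form the set
        self.recent: List[Action] = []

    def observe(self, action: Action) -> Tuple[Verdict, bool]:
        """Return (verdict for the current action set, whether to block)."""
        self.recent = (self.recent + [action])[-self.window:]
        verdict = classify_action_set(self.recent)
        return verdict, verdict is Verdict.ILLEGAL


if __name__ == "__main__":
    monitor = SessionMonitor()
    for act in ILLEGAL_SEQUENCES[0]:
        print(act, classify_action(act).value, monitor.observe(act))
```

An action that matches neither DB yields `ABNORMAL` without a block, which is the deferred decision the text describes; the block arrives only when a later action completes an illegal pattern.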

Particularly, in the behavior-based access control, the judgment result of the normal behavior may be changed even if the same action is performed depending on the time at which the user's action is performed or in what situation (for example, Since it is possible to reduce the false positives by defining the behavior pattern for the first half in the behavior pattern database as much as possible, the amount of information to be compared in determining the normal behavior may be very large.

Even in such an environment, the technical idea of the present invention can provide a technical idea for providing real time performance. This technical idea can predict an action (hereinafter referred to as a linked action) that may occur in the future when the user performs a specific action, and can specify in advance the action pattern information on the linked action. In addition, specific behavior pattern information may be pre-loaded into the main memory of the access control system 100 by in-memory. The behavior pattern information to be pre-memorized in this way will be defined in this specification as the user reference pattern information.

The user-based pattern information may vary depending on who the user is. This is because the tasks or behaviors scheduled in the enterprise may differ from user to user, and the scheduled task actions and the actions other than task actions may be defined in advance as behavior pattern information.

The user-based pattern information may also vary depending on the action performed by the user. When a user performs a specific action, the subsequent actions may be limited to some extent depending on that action. For example, when a user connects a removable storage device to a specific terminal, the actions to be performed next can be predicted to some extent. They may be, for example, copying information in the terminal to the removable storage device, modifying or deleting information on the removable storage device itself, or moving or copying information on the removable storage device to the terminal. When a linked action is predicted in this way, the behavior pattern information related to the linked action, that is, the user-based pattern information, is specified in advance and loaded into memory, so that when the user's next action is performed, whether it is a normal action can be judged quickly.

Of course, if whether the action is normal is not determined through the next action, the in-memory user-based pattern information may be released (i.e., no longer kept in main memory), new user-based pattern information may be loaded into memory, or the in-memory user-based pattern information may be maintained as is. For example, the user-based pattern information may be released when an unrelated action is performed instead of a predicted linked action and the unrelated action is a general-purpose action, so that predicting a next action would be meaningless. New user-based pattern information may be loaded into memory when the predicted linked action is not performed but the next action is a specific action suitable for in-memory loading.

In addition, the user-based pattern information may be maintained as is when a predicted linked action is performed but whether the behavior is normal cannot be determined from the original action and the linked action alone. In this case, even though the user-based pattern information is maintained, a more limited subset of it may be specified in advance as the behavior pattern information to be used for judging normal behavior when the next action is performed. This is because predicting the next action from both the original action and the linked action allows a more limited set of actions to be predicted.

As a result, according to the technical idea of the present invention, real-time performance can be improved by predicting such linked actions and loading into memory the behavior patterns corresponding to the predicted linked actions. In addition, when prediction is repeated (that is, when a future action is predicted from a plurality of existing actions), the action to be predicted can be narrowed further, in which case real-time performance can be increased further.

In addition, the prediction of the linked action may be performed by a big data analysis technique that identifies series of highly correlated actions from the enormous amount of behavior pattern information corresponding to the actions of a plurality of users performed in the company. Of course, clustering, data mining, and/or various other big data analysis techniques known in the art can be applied to analyze a series of highly correlated actions.

Of course, it may not be possible to predict a linked action for every action of the user; the in-memory loading described above may be performed only when predicting the linked action shows that the next action is likely to be limited to some degree.

Also, as described above, the user-based pattern information to be loaded into memory can be specified by behavior pattern information corresponding to the user's job group, behavior pattern information corresponding to the user's position, and/or behavior pattern information corresponding to time. The job group, position, and/or time-based behavior pattern information may include both normal behavior pattern information and illegal behavior pattern information, as described above.

The access control system 100 for implementing such a technical idea will be described with reference to FIG. 2.

FIG. 2 shows a schematic configuration of an information system access control system using a big data analysis technique based on business activity according to an embodiment of the present invention.

Referring to FIG. 2, the access control system 100 according to the technical idea of the present invention includes a control module 110, a behavior pattern DB 120, a log collection module 130, and a user pattern module 140.

Herein, a module may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving the hardware. For example, each of the above components may refer to a logical unit of predetermined code and the hardware resources for executing that code, and does not necessarily mean physically connected code or a specific type of hardware, as can be easily deduced by an average expert in the technical field of the present invention. Thus, each of the above components refers to a combination of hardware and software that performs the functions defined herein, and does not mean a specific physical configuration.

In FIGS. 1 and 2, the access control system 100 may of course be implemented by a plurality of physical devices that are connected through a wired/wireless network and organically coupled. For example, the behavior pattern DB 120 may be implemented as a physical device separate from the other components of the access control system 100.

The control module 110 may control the other components included in the access control system 100 (e.g., the behavior pattern DB 120, the log collection module 130, and/or the user pattern module 140) in order to implement the technical idea of the present invention.

The behavior pattern DB 120 may store behavior pattern information that can occur in the enterprise. Each piece of behavior pattern information may correspond to a single action performed by the user or to a plurality of actions, and may be information defining the action or actions, as described above.

As described above, the behavior pattern DB 120 may include information on normal behavior patterns and information on illegal behavior patterns among the behavior patterns that may occur in the enterprise.

In addition, the behavior pattern DB 120 may include behavior pattern information for each job group of the company, for each position, and/or for each time period, according to the characteristics of the company.

An example of the behavior pattern DB 120 will be described with reference to FIG. 4.

FIG. 4 is a view for explaining an example of a behavior pattern DB according to an embodiment of the present invention.

Referring to FIG. 4, the behavior pattern DB 120 according to the embodiment of the present invention may manage the business behavior pattern information of a company divided by job group, position, and/or time. This is because the normal behavior patterns determined by analyzing planned or normal behavior in a company may vary by job group, position, and/or time. Also, depending on the implementation, behavior patterns may be classified and managed for each system.

For example, when the behavior pattern information is defined for each job group, the normal behavior may differ for each member of the same department, for each department, or for each business process of a department. Therefore, the same act may be judged to be normal in one job group and may need to be judged illegal in another.

For example, when behavior pattern information is defined according to position, the normal behavior scheduled for each position may be different, and access rights may also be granted differently. Therefore, behavior pattern information may be defined for each position.

For example, when the behavior pattern information is defined by time, the scheduled normal behavior may differ for each user on holidays or vacations, and may differ with commuting times or business trips. In addition, if a break time is set in the company, the normal behavior may differ depending on whether it is break time or business hours.

As behavior patterns are defined according to these various criteria, the possibility of falsely judging normal behavior may be reduced, and the number of behavior patterns to be compared when an actual action or user action set is performed may also be reduced. In particular, when access control is performed based on the business activities of a company, it may be very effective to define the behavior patterns separately by job group, position, and/or time.

In addition, although not shown in FIG. 4, the action pattern information by occupation group, position, and / or time frame may include an illegal behavior pattern as well as a normal behavior pattern. Since the effect of separately defining the illegal behavior pattern as well as the normal behavior pattern has been described above, the detailed description will be omitted.

In addition, normal behavior patterns can be defined by collecting the actions performed by a plurality of users in the enterprise, and illegal behavior patterns can initially be determined by extracting, from among the normal behavior patterns, the patterns defined as illegal behavior. Of course, according to the technical idea of the present invention, when a user's action or user action set is determined to be a normal action or an illegal act, the behavior pattern information corresponding to it may be added to the normal behavior pattern information or the illegal behavior pattern information, so that the data can be upgraded.

The log collection module 130 may collect information about actions by which the user accesses resources. An action may be one performed by the user on the user terminal 200 used by the user, or one of accessing other resources of the company using the user terminal 200. Of course, in order for the log collection module 130 to collect information about actions, predetermined software code for transmitting information about the actions to the log collection module 130 may be installed in the hardware corresponding to the enterprise resources. Examples of the resources about which the log collection module 130 collects information, and to which access is controlled or allowed according to the technical idea of the present invention, will be described with reference to FIG. 3.

FIG. 3 is a view for explaining examples of user actions according to an embodiment of the present invention.

Referring to FIG. 3, the log collection module 130 may collect information about, for example, application programs, storage devices, documents, system programs, networks, websites, file systems, and/or time.

For example, the log collection module 130 may collect, as information about actions, information about the installation, deletion, and/or execution of various application programs used by the company. The log collection module 130 may also collect information on various storage devices of the enterprise, for example information on user actions performed on a storage device such as an optical storage device (CD).

The log collection module 130 may also collect, as information related to document files saved by a user in an application program such as a word processor, access information on data with extensions such as HWP, DOC, XLS, PPT, PDF, JPG, and PNG.

In addition, the log collection module 130 may collect information on access to files related to the OS, that is, information on user actions related to system programs. It may collect information related to the network, for example, access information about various communication-related programs on the terminal that use network protocols, and user actions involving access to and use of protocols capable of transmitting and receiving files, such as FTP, Telnet, SMTP, and HTTP. It may also collect information relating to websites, for example, internet access information (pages accessed, etc.), and information on user actions related to access to file system information such as various files and folders (directories). In addition, the log collection module 130 may collect information on user actions such as On/Off and Sleep Mode of the enterprise system, and may collect information on the time at which each action is performed.

In addition to the above, information on various other user actions may be collected by the log collection module 130 as needed.

In this way, information on various actions of the user can be collected by the log collection module 130, and when the user performs a predetermined action, the user pattern module 140 can specify user-based pattern information from the behavior pattern DB 120 based on that action. The user reference pattern information may then be loaded into memory, that is, onto the main memory of the access control system 100, to increase real-time performance. Of course, for some actions (non-specific or general-purpose actions from which the next action cannot be predicted) the user-based pattern information cannot be narrowed down, in which case the access control system 100 may not perform in-memory loading.

Such an example will be described with reference to FIG. 6.

FIG. 6 is a diagram for explaining a concept of in-memorying a user reference pattern according to an embodiment of the present invention.

Referring to FIG. 6, when a predetermined action is performed by the user (S110), the user pattern module 140 can predict a linked action (S120). Of course, when the predetermined action itself is illegal, access is blocked. Behavior pattern information corresponding to the linked action can be extracted from the behavior pattern DB 120 (S130); that is, the user-based pattern information can be extracted. Of course, such user-based pattern information may be specified only when the next action, that is, the linked action, can be predicted from the action performed by the user. The extracted user-based pattern information may then be loaded into memory (S140). For example, when an action of mounting a removable storage medium is performed as described above, that is, a characteristic action from which highly correlated next actions can be predicted, the linked action can be predicted and the behavior pattern information related to the linked action can be extracted from the plurality of behavior pattern information stored in the behavior pattern DB 120. The extracted user reference pattern information may then be loaded into memory. It is needless to say that various known big data analysis techniques such as clustering, correlation analysis, and data mining can be applied to the prediction of such linked actions.

In addition, when the predicted linked action is actually performed as described above, the control module 110 can determine whether the behavior is normal if that can be determined from the original action and the linked action. If whether the behavior is normal cannot be determined even though the predicted linked action was performed, the user-based pattern information may be maintained, or only a more limited part of the pre-loaded user-based pattern information may be kept in main memory. That is, in such a case, the next linked action may be predicted more specifically from the original action and the linked action that was performed.

If the predicted linked action is not performed, the in-memory user-based pattern information can be released, or new user-based pattern information can be loaded into memory, as described above.

When the user-based pattern information is specified in advance and loaded into memory, the time delay is insignificant even if the prediction of the linked action fails, whereas when the prediction is correct the gain can be very large, so that real-time performance can still be improved.
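The S110 to S140 flow and the release / reload / narrow decisions described above can be sketched as follows. This is an added example, not code from the patent: the pattern DB, the action logs, the action names, and the use of simple successor counts as the "big data" prediction step are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed stand-in for the behavior pattern DB 120: (label, action sequence).
PATTERN_DB = [
    ("normal",  ("usb_mount", "copy_usb_to_pc")),
    ("normal",  ("usb_mount", "edit_usb_file")),
    ("normal",  ("usb_mount", "copy_pc_to_usb", "usb_unmount")),
    ("illegal", ("usb_mount", "copy_pc_to_usb", "delete_local_file")),
    ("normal",  ("open_doc", "print_doc")),
]

# Constructed action logs, used only to learn which actions tend to follow which.
HISTORY = [
    ["login", "usb_mount", "copy_usb_to_pc", "open_doc", "print_doc"],
    ["login", "usb_mount", "copy_pc_to_usb", "usb_unmount"],
    ["login", "open_doc", "web_browse", "usb_mount", "edit_usb_file"],
    ["login", "web_browse", "open_doc", "send_mail", "web_browse"],
    ["login", "send_mail", "usb_mount", "copy_pc_to_usb", "delete_local_file"],
]


def learn_linked_actions(history, top_k=3, min_support=4, min_coverage=0.9):
    """Map each 'specific' action to its predicted linked actions.

    Assumption of this sketch: an action is specific when it was seen often
    enough and its top_k successors cover most of what followed it.
    """
    following = defaultdict(Counter)
    for session in history:
        for cur, nxt in zip(session, session[1:]):
            following[cur][nxt] += 1
    linked = {}
    for action, counts in following.items():
        total = sum(counts.values())
        top = counts.most_common(top_k)
        if total >= min_support and sum(c for _, c in top) / total >= min_coverage:
            linked[action] = {a for a, _ in top}
    return linked


class UserPatternCache:
    """Holds the user reference pattern information currently kept in memory."""

    def __init__(self, pattern_db, linked):
        self.pattern_db, self.linked = pattern_db, linked
        self.context = ()   # actions the loaded patterns have already matched
        self.loaded = []    # subset of pattern_db kept in memory

    def _release(self):
        had = bool(self.loaded)
        self.context, self.loaded = (), []
        return "released" if had else "idle"

    def _load(self, action):
        # S120-S140: predict linked actions, extract their patterns, keep them in memory.
        predicted = self.linked[action]
        self.context = (action,)
        self.loaded = [(label, seq) for label, seq in self.pattern_db
                       if seq[0] == action and len(seq) > 1 and seq[1] in predicted]
        return "loaded" if self.loaded else "idle"

    def observe(self, action):
        """Process one collected action; return (verdict, cache_event)."""
        if self.loaded:
            seq = self.context + (action,)
            narrowed = [p for p in self.loaded if p[1][:len(seq)] == seq]
            if narrowed:  # the predicted linked action was performed
                labels = {label for label, pat in narrowed if pat == seq}
                longer = [p for p in narrowed if len(p[1]) > len(seq)]
                if "illegal" in labels:
                    self._release()
                    return "illegal", "released"
                if longer:  # keep only the more limited subset for the next action
                    self.context, self.loaded = seq, longer
                    return ("normal" if labels else "undetermined"), "narrowed"
                self._release()
                return "normal", "released"
        if action in self.linked:   # prediction missed, but this action is specific
            return "undetermined", self._load(action)
        return "undetermined", self._release()  # general-purpose action
```

Each call to `observe` compares the new action only against the patterns in `loaded`, which is the point of the preloading: after `usb_mount` the comparison set is four patterns, and after `copy_pc_to_usb` it is two.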

Referring again to FIG. 2, the control module 110 can determine, based on the in-memory user-based pattern information, whether the user's next action, or a user action set including the action and the next action, is normal. That is, it may judge whether the next user action is a normal or illegal action, or whether a plurality of actions including the next user action are illegal or normal. This is because whether the user is behaving normally may be determined from a single action, but may also be determined from a set of a plurality of actions. Therefore, the user action set to be judged may consist of only the next action, of the previous action and the next action, or of the next action and actions taken afterward. For example, the user action set may be a collection of actions that occur consecutively for a particular resource, or a set of independent actions that occur within a certain time period.

As described above, the control module 110 can determine whether the user has performed a normal operation using both the normal behavior pattern and the illegal behavior pattern for each user included in the user reference pattern information.

For example, when a plurality of unit actions are included in the user action set, whether each unit action is normal may be determined first, and finally whether the user action set is normal. The control module 110 may determine that an action corresponding to a normal behavior pattern is a normal action and that an action corresponding to an illegal behavior pattern is an illegal act.

According to an example, when there are a plurality of consecutive actions, each action may be defined as a normal action, but an illegal act may be defined when two such normal actions occur consecutively. In this case, the illegal behavior pattern may need to be defined separately. For example, a first action of displaying specific information is a normal action, and a second action of activating a specific device may also be a normal action. However, the first action and the second action occurring consecutively may be defined as an illegal behavior pattern. Therefore, the control module 110 may determine whether behavior is normal each time an action is performed; that is, its determination that an action is normal is not final and can be changed later.

A method of determining whether behavior is normal when the user action set includes a plurality of actions as described above may be as shown in FIG. 5.

FIG. 5 is a diagram for explaining how normal behavior is determined when an illegal behavior DB is used according to an embodiment of the present invention.

Referring to FIG. 5A, when a plurality of user actions are successively performed as described above, each action (e.g., A1, A2, A3, A4) may be a normal action.

However, if certain actions (e.g., A2, A3) occur consecutively, the actions may be actions corresponding to an illegal behavior pattern. In this case, the access control system 100 may reject or block the request corresponding to the action A3.

According to another embodiment, as shown in FIG. 5B, action A1 may be determined to be normal, action A2 normal, and A3 abnormal. An abnormal behavior may be, for example, an act that corresponds neither to a normal behavior pattern nor to an illegal behavior pattern. A4 can also be judged abnormal. Then, if A5 is performed, it can be determined whether the user action set including A3 and/or A4 is illegal. For example, if A3, A4, and A5 together correspond to an illegal behavior pattern, the consecutive actions A3, A4, and A5 may form a user action set, and that user action set may be defined as an illegal act. In this case, A3 and A4 are not illegal in themselves, but may be treated as illegal as actions included in the user action set. Alternatively, if A4 and A5 are judged to be an illegal act as a user action set, the abnormal behavior A3 may be determined to be normal, and A4 and A5 illegal. Depending on the implementation, A5 itself may be illegal, and in this case all or some of the preceding actions may be judged illegal (or normal).

As described above, according to the technical idea of the present invention, when a plurality of actions are involved, an action that could not itself be determined to be normal or illegal may later, depending on subsequent actions, be judged to be an illegal act or part of one, or may be judged to be normal.

On the other hand, when the user action set includes a plurality of unit actions, whether the user action set, or a specific action included in it, is normal may be determined by the ratio of abnormal behaviors in the user action set or by whether abnormal behaviors occur consecutively. This is because an action considered abnormal is one that cannot by itself be judged normal or illegal, and a high proportion of such abnormal behaviors is highly likely to be behavior the manager did not intend. Likewise, consecutive abnormal behaviors are likely to be behavior the manager did not intend.

Such an example will be described with reference to FIGS. 7 and 8.

FIG. 7 is a diagram for explaining a concept of determining whether a user action set by continuous action is normal according to an embodiment of the present invention. FIG. 8 is a view for explaining the occurrence frequency and the attenuation rule of an abnormal behavior according to the embodiment of the present invention.

Referring to FIG. 7A, when the user action set includes a plurality of consecutive actions (e.g., A1 to A6), the control module 110 can judge whether each of the plurality of actions is normal. As shown in FIG. 7A, A1, A2, and A3 may be determined to be normal, and A4, A5, and A6 abnormal. When abnormal behaviors are performed consecutively a predetermined number of times, as in this case, the control module 110 can judge the entire user action set, or a part of it (i.e., A4, A5, A6), to be illegal.

Alternatively, when the abnormal behaviors (for example, A2, A4, A5, A6) among the plurality of actions (for example, A1 to A6) make up at least a predetermined ratio (for example, 70%), the control module 110 may determine that the user action set is illegal. When the user action set is determined to be illegal, the control module 110 blocks access when an action is requested. Of course, the above ratio can be set appropriately by the manager who manages access control for the enterprise.

As a result, because the technical idea of the present invention defines the notion of abnormal behavior in addition to normal behavior and illegal behavior, access control can be performed even when it is difficult to define normal or illegal acts in the business of the enterprise.
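The decisions illustrated with FIGS. 5 and 7 can be combined into one evaluator over a user action set, shown here as an added example that is not code from the patent. The action names, the pattern lists, the order of the checks, and the minimum set length before the ratio is applied are assumptions of this sketch.

```python
# Constructed pattern data; any action in neither set is treated as abnormal.
NORMAL_ACTIONS = {"login", "open_doc", "display_info", "activate_device", "print_doc"}
ILLEGAL_ACTIONS = {"disable_agent"}
ILLEGAL_SEQUENCES = [
    ("display_info", "activate_device"),       # two normal actions, illegal when consecutive
    ("rename_ext", "compress", "upload_ext"),  # three abnormal actions, illegal together
]


def unit_label(action):
    """Label a single action as normal, illegal, or abnormal (neither)."""
    if action in ILLEGAL_ACTIONS:
        return "illegal"
    if action in NORMAL_ACTIONS:
        return "normal"
    return "abnormal"


def _blocked(index, reason, labels):
    return {"allowed": False, "blocked_at": index, "reason": reason, "labels": labels}


def evaluate_action_set(actions, max_abnormal_run=3, max_abnormal_ratio=0.7,
                        min_len_for_ratio=5):
    """Re-evaluate the set after every action and stop at the first block.

    labels holds the per-action judgment; earlier labels are rewritten when a
    later action shows that they were part of an illegal act.
    """
    labels, run = [], 0
    for i, action in enumerate(actions):
        labels.append(unit_label(action))
        if labels[i] == "illegal":
            return _blocked(i, "illegal_action", labels)

        # Consecutive actions that together match an illegal behavior pattern.
        for pattern in ILLEGAL_SEQUENCES:
            start = i + 1 - len(pattern)
            if start >= 0 and tuple(actions[start:i + 1]) == pattern:
                labels[start:] = ["illegal"] * len(pattern)
                return _blocked(i, "illegal_sequence", labels)

        # A predetermined number of consecutive abnormal actions.
        run = run + 1 if labels[i] == "abnormal" else 0
        if run >= max_abnormal_run:
            labels[i + 1 - run:] = ["illegal"] * run
            return _blocked(i, "abnormal_run", labels)

        # Share of abnormal actions in the set so far (assumption: only checked
        # once the set is long enough for a ratio to be meaningful).
        ratio = labels.count("abnormal") / (i + 1)
        if i + 1 >= min_len_for_ratio and ratio >= max_abnormal_ratio:
            return _blocked(i, "abnormal_ratio", labels)

    return {"allowed": True, "blocked_at": None, "reason": None, "labels": labels}
```

With the A1 to A6 example above (A2, A4, A5, A6 abnormal) the abnormal share is 4/6, so the set is blocked at a 65% threshold but not at the 70% default.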

Meanwhile, for a user action set that includes consecutive actions on a specific resource or a plurality of actions performed within a predetermined time, whether behavior is normal may be determined according to the ratio of abnormal behaviors as described above, but may also be determined according to an allowable frequency.

For example, if a certain action is statistically performed about three times within a certain reference time, performing it more often than that may not be something planned by the enterprise, and it may be blocked.

In this case, the specific action itself may be a behavior pattern that is difficult to be defined as a normal action or an illegal act. That is, it may be an abnormal behavior.

In this case, as shown in FIG. 8, a plurality of actions (for example, A1 to AN) may be performed within the predetermined reference time. The control module 110 can determine whether each action is normal, and can update the occurrence count whenever an abnormal behavior is performed. For example, when the allowable frequency is 3 and an action (abnormal behavior) exceeding the allowable frequency is performed, the control module 110 can determine that all identical actions from that action onward are illegal. That is, the abnormal behaviors up to A2, A4, and A5 are not treated as illegal, but abnormal behaviors occurring thereafter may be treated as illegal. Of course, such an allowable frequency may be applied per identical action, but it may also be set across all different actions combined. That is, an allowable frequency of the total abnormal behavior that can be performed within a predetermined time may be set, and access control may be performed accordingly.

On the other hand, when access control is performed according to the frequency of abnormal behavior, there is a risk of unreasonable access control when abnormal behaviors are concentrated in a particular period. For example, if two abnormal behaviors occur before leaving work on one day and two more occur on the morning of the next day, the two abnormal behaviors on the previous day and the two on the following day may all be behaviors that should be allowed. However, when a predetermined time unit (for example, 12 hours) is used as the reference, the second abnormal behavior on the following day may be treated as exceeding the allowable frequency.

This problem could be addressed by appropriately setting a criterion for resetting the allowable frequency, but resetting the count at a fixed criterion may not be desirable because it may permit abnormal behavior excessively. Therefore, according to the technical idea of the present invention, this problem can be solved by using a predetermined attenuation rule.

For example, when a predetermined attenuation event occurs, the control module 110 may attenuate the frequency of the abnormal behavior. Specifically, the abnormal behavior that occurred the longest ago may be treated as a normal behavior or as if it had not occurred. Alternatively, only the value of the occurrence frequency may be attenuated (or reduced) by a specific value (e.g., 1, 2, etc.).

The attenuation event may be a passage of a specific reference time point, a time lapse from the oldest abnormal behavior, or a specific event occurring in the enterprise or a particular resource (e.g., system power-off, system check, etc.).

By using these attenuation rules to reasonably adjust the occurrence frequency of abnormal behavior, it is possible to avoid the inconvenience to work caused by excessively treating unforeseen behaviors as illegal acts, while appropriately controlling risk when it arises.
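The allowable frequency and the attenuation rule can be compared on the two-days scenario described above. This is an added example, not code from the patent: the timeline, the choice of system power-off and a 24-hour age limit as attenuation events, and the decision not to count blocked attempts are assumptions of this sketch.

```python
from collections import deque


class AbnormalFrequencyGate:
    """Counts abnormal actions against an allowable frequency, with attenuation."""

    def __init__(self, allowable=3, max_age_hours=None, event_decay=1):
        self.allowable = allowable
        self.max_age_hours = max_age_hours  # None disables time-based attenuation
        self.event_decay = event_decay      # how much one attenuation event subtracts
        self.times = deque()                # times of abnormal actions that still count

    def _expire(self, now):
        # Attenuation by elapsed time: the oldest abnormal action is treated as
        # if it had not occurred once it is older than max_age_hours.
        if self.max_age_hours is None:
            return
        while self.times and now - self.times[0] >= self.max_age_hours:
            self.times.popleft()

    def attenuation_event(self):
        # Attenuation by event (for example system power-off): drop the oldest
        # event_decay abnormal actions from the count.
        for _ in range(min(self.event_decay, len(self.times))):
            self.times.popleft()

    def record_abnormal(self, now):
        """Return 'abnormal' while within the allowable frequency, else 'illegal'."""
        self._expire(now)
        if len(self.times) >= self.allowable:
            return "illegal"     # blocked attempts are not added to the count here
        self.times.append(now)
        return "abnormal"


def replay(events, gate, decay_on=("power_off",)):
    """Feed (time, kind) events to the gate and return the verdict per abnormal action."""
    verdicts = []
    for now, kind in events:
        if kind in decay_on:
            gate.attenuation_event()
        elif kind == "abnormal":
            verdicts.append(gate.record_abnormal(now))
    return verdicts


# Constructed timeline, in hours since midnight of day 1: two abnormal actions
# before leaving work, power-off, then further abnormal actions the next morning.
EVENTS = [
    (17.0, "abnormal"), (17.5, "abnormal"), (18.0, "power_off"),
    (32.0, "abnormal"), (32.2, "abnormal"), (32.5, "abnormal"), (41.6, "abnormal"),
]


def compare():
    """Verdicts without any attenuation versus with the attenuation rule."""
    plain = replay(EVENTS, AbnormalFrequencyGate(allowable=3), decay_on=())
    decayed = replay(EVENTS, AbnormalFrequencyGate(allowable=3, max_age_hours=24))
    return plain, decayed
```

Without attenuation the second abnormal action of the next morning (hour 32.2) is already judged illegal; with attenuation it is allowed, the fifth action is still blocked, and the count recovers once the oldest remaining entry ages out.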

When behavior-based access control is performed as in the technical idea of the present invention, it may not be easy to completely separate normal activity from illegal activity. Accordingly, when a user who was judged to be acting illegally and was blocked from accessing a predetermined resource did not actually act illegally, the user can request access to the resource again through predetermined additional authentication or approval by an approving authority.

The access control method according to the embodiment of the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored.

Examples of the computer-readable recording medium include magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM and DVD; magneto-optical media such as floptical disks; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, and flash memory. The medium may also be a transmission medium, such as a metal wire or a waveguide, that carries a carrier wave transmitting a signal designating program instructions, data structures, and the like. Also, the computer-readable recording medium may be distributed over network-connected computer systems so that computer-readable code is stored and executed in a distributed manner.

Examples of program instructions include machine language code such as those produced by a compiler, as well as high-level language code that can be executed by a device, e.g., a computer, that processes information electronically using an interpreter or the like.

The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims. Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

Claims (9)

1. An access control system for performing access control of a user who wishes to access resources of an enterprise,
A behavior pattern DB for storing behavior pattern information that can occur in the company;
A log collection module for collecting actions to access the resource by a user;
A user pattern module for extracting from the DB, and loading into memory, user-based pattern information corresponding to the user, which is specified on the basis of an action performed by the user and is part of the behavior pattern information;
And a control module for determining, based on the user basis pattern information, whether the user action set including the next action of the action is a normal action,
Wherein the user pattern module comprises:
Extracting behavior pattern information corresponding to the action and corresponding to a linkage action expected to be performed after the action as user reference pattern information,
Releasing the in-memory user basis pattern information, loading new user basis pattern information into memory, or maintaining the in-memory user basis pattern information, according to whether the next action after the action corresponds to the predicted linked action,
The behavior pattern DB includes:
A normal behavior pattern DB storing normal behavior pattern information classified as normal behavior in the company; And
An illegal behavior pattern DB storing illegal behavior pattern information classified as illegal behavior,
Wherein the control module:
Determines the user action set to be an illegal behavior if, even though each of the plurality of actions included in the user action set corresponds to a normal behavior pattern, the plurality of actions occurring consecutively is defined as an illegal behavior pattern stored in the illegal behavior pattern DB, the system being an information system access control system using a big data analysis technique based on the business behavior of a company.
2. (deleted)
3. An access control system for performing access control of a user who wishes to access resources of an enterprise,
A behavior pattern DB for storing behavior pattern information that can occur in the company;
A log collection module for collecting actions to access the resource by a user;
A user pattern module for extracting from the behavior pattern DB, and loading in-memory, user reference pattern information corresponding to the user, which is specified on the basis of an action performed by the user and is part of the behavior pattern information;
And a control module for determining, based on the user reference pattern information, whether a user action set including the next action after the action is a normal action,
Wherein the user pattern module:
Extracts, as the user reference pattern information, behavior pattern information corresponding to the action and to a linked action expected to be performed after the action, and
Depending on whether the next action after the action corresponds to the expected linked action, either loads new user reference pattern information in-memory or maintains the in-memory user reference pattern information,
The behavior pattern DB includes:
A normal behavior pattern DB storing normal behavior pattern information classified as normal behavior in the company; And
An illegal behavior pattern DB storing illegal behavior pattern information classified as illegal behavior,
The control module includes:
If the action included in the user action set does not correspond to the normal action pattern and does not correspond to the illegal action pattern, the action is determined to be an abnormal action, and if the result of the determination of the normal action of the user action set or the normal Information system access control system using a big data analysis technique based on a business activity of a company that determines whether the action is normal or not according to a result of determination.
4. An access control system for performing access control of a user who wishes to access resources of an enterprise,
A behavior pattern DB for storing behavior pattern information that can occur in the company;
A log collection module for collecting actions to access the resource by a user;
A user pattern module for extracting from the behavior pattern DB, and loading in-memory, user reference pattern information corresponding to the user, which is specified on the basis of an action performed by the user and is part of the behavior pattern information;
And a control module for determining, based on the user reference pattern information, whether a user action set including the next action after the action is a normal action,
Wherein the user pattern module:
Extracts, as the user reference pattern information, behavior pattern information corresponding to the action and to a linked action expected to be performed after the action, and
Depending on whether the next action after the action corresponds to the expected linked action, either loads new user reference pattern information in-memory or maintains the in-memory user reference pattern information,
The behavior pattern DB includes:
Information on behavior pattern of the business by the business group; or
A behavior pattern information for each of the corporations,
Wherein the user pattern module comprises:
Based on the behavior pattern information of the user or the action pattern information corresponding to the position of the user, and extracting the action pattern information from the action pattern information by the action group or the action pattern information by the action group, Information System Access Control System Using.
5. An access control system for performing access control of a user who wishes to access resources of an enterprise,
A behavior pattern DB for storing behavior pattern information that can occur in the company;
A log collection module for collecting actions to access the resource by a user;
A user pattern module for extracting from the behavior pattern DB, and loading in-memory, user reference pattern information corresponding to the user, which is specified on the basis of an action performed by the user and is part of the behavior pattern information;
And a control module for determining, based on the user reference pattern information, whether a user action set including the next action after the action is a normal action,
Wherein the user pattern module:
Extracts, as the user reference pattern information, behavior pattern information corresponding to the action and to a linked action expected to be performed after the action, and
Depending on whether the next action after the action corresponds to the expected linked action, either loads new user reference pattern information in-memory or maintains the in-memory user reference pattern information,
Wherein the control module:
If the user action set includes a plurality of consecutive actions,
Determines whether each of the plurality of actions is normal, and determines whether the user's actions are illegal based on whether a predetermined number or more of consecutive actions are abnormal, or based on the ratio of actions determined to be abnormal among the plurality of actions, the system being an information system access control system using a big data analysis technique based on the business behavior of a company.
6. An access control system for performing access control of a user who wishes to access resources of an enterprise,
A behavior pattern DB for storing behavior pattern information that can occur in the company;
A log collection module for collecting actions to access the resource by a user;
A user pattern module for extracting from the behavior pattern DB, and loading in-memory, user reference pattern information corresponding to the user, which is specified on the basis of an action performed by the user and is part of the behavior pattern information;
And a control module for determining, based on the user reference pattern information, whether a user action set including the next action after the action is a normal action,
Wherein the user pattern module:
Extracts, as the user reference pattern information, behavior pattern information corresponding to the action and to a linked action expected to be performed after the action, and
Depending on whether the next action after the action corresponds to the expected linked action, either loads new user reference pattern information in-memory or maintains the in-memory user reference pattern information,
Wherein the control module:
If the user performs a plurality of independent actions,
Determines whether each of the plurality of actions is normal, and determines as an illegal behavior an action whose frequency of occurrence as an abnormal behavior exceeds a preset allowable frequency, the system being an information system access control system using a big data analysis technique based on the business behavior of a company.
7. The apparatus of claim 6,
Wherein the occurrence frequency of the action determined as the abnormal behavior is attenuated by a predetermined value when a predetermined attenuation event is generated.
8. A method of access control for performing access control of a user who wishes to access resources of a company,
Storing, by an access control system, behavior pattern information that can occur in the company;
Collecting, by the access control system, actions by which a user accesses the resource;
An in-memory step in which the access control system extracts, from the stored behavior pattern information and based on an action performed by the user, user reference pattern information corresponding to the user, which is a part of the behavior pattern information, and loads the extracted user reference pattern information in-memory; And
Determining, by the access control system, based on the in-memory user reference pattern information, whether a user action set including the next action after the action is a normal action,
Wherein said in-memory step comprises:
Extracting, as the user reference pattern information, behavior pattern information corresponding to the action and to a linked action expected to be performed after the action,
Wherein the access control method further comprises:
Depending on whether the next action after the action corresponds to the expected linked action, either loading new user reference pattern information in-memory or maintaining the in-memory user reference pattern information,
Wherein determining whether a user action set that includes the next action after the action is a normal action comprises:
Determining the user action set to be an illegal behavior if, even though each of the plurality of actions included in the user action set corresponds to a normal behavior pattern, the plurality of actions occurring consecutively is defined as an illegal behavior pattern stored in the illegal behavior pattern DB, the method being an information system access control method using a big data analysis technique based on the business behavior of a company.
9. A computer program installed in a data processing apparatus and recorded on a computer-readable recording medium for carrying out the method according to claim 8.
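
The control-module rules recited in the claims above (consecutive, individually normal actions matching an illegal sequence; actions found in neither DB treated as abnormal; the consecutive-count and ratio thresholds) can be sketched as follows. This is an added example, not code from the patent or its applicants; the action names, the sample pattern sets and the threshold values are all constructed assumptions.

```python
# Constructed sample pattern DBs; every action name here is hypothetical.
NORMAL_ACTIONS = {"login", "search_customer", "view_record", "export_report", "logout"}
ILLEGAL_ACTIONS = {"disable_audit_log"}
# Sequences whose members are individually normal but illegal when consecutive.
ILLEGAL_SEQUENCES = [("search_customer", "view_record", "export_report")]


def classify(action):
    """Per-action verdict: normal, illegal, or abnormal (found in neither DB)."""
    if action in ILLEGAL_ACTIONS:
        return "illegal"
    if action in NORMAL_ACTIONS:
        return "normal"
    return "abnormal"


def contains_run(actions, pattern):
    """True if `pattern` occurs as a contiguous run inside `actions`."""
    n = len(pattern)
    return any(tuple(actions[i:i + n]) == pattern
               for i in range(len(actions) - n + 1))


def judge_action_set(actions, max_consecutive_abnormal=3, max_abnormal_ratio=0.5):
    """Return (verdict, reason) for one user's ordered action set.

    Both thresholds are assumed values; the claims only say "predetermined".
    """
    verdicts = [classify(a) for a in actions]
    if "illegal" in verdicts:
        return "illegal", "action listed in the illegal pattern DB"
    for pattern in ILLEGAL_SEQUENCES:
        if contains_run(actions, pattern):
            return "illegal", "consecutive normal actions match an illegal sequence"
    streak = longest = 0
    for v in verdicts:
        streak = streak + 1 if v == "abnormal" else 0
        longest = max(longest, streak)
    if longest >= max_consecutive_abnormal:
        return "illegal", "too many consecutive abnormal actions"
    ratio = verdicts.count("abnormal") / len(verdicts) if verdicts else 0.0
    if ratio > max_abnormal_ratio:
        return "illegal", "abnormal ratio above threshold"
    verdict = "abnormal" if "abnormal" in verdicts else "normal"
    return verdict, "no illegal rule matched"
```

The sequence rule is checked before the abnormal-count rules, so a session made only of whitelisted actions is still flagged when its order matches a stored illegal sequence.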
KR1020160021970A 2016-02-24 2016-02-24 Access management system for enterprise informtaion system using Big-data analysis based on work action and method thereof KR101663585B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160021970A KR101663585B1 (en) 2016-02-24 2016-02-24 Access management system for enterprise informtaion system using Big-data analysis based on work action and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020160021970A KR101663585B1 (en) 2016-02-24 2016-02-24 Access management system for enterprise informtaion system using Big-data analysis based on work action and method thereof

Publications (1)

Publication Number Publication Date
KR101663585B1 (en) 2016-10-10

Family

ID=57146017

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020160021970A KR101663585B1 (en) 2016-02-24 2016-02-24 Access management system for enterprise informtaion system using Big-data analysis based on work action and method thereof

Country Status (1)

Country Link
KR (1) KR101663585B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102393183B1 (en) 2021-09-29 2022-05-02 (주)로그스택 Method, device and system for managing and processing log data of corporate server

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR0150448B1 (en) 1989-10-10 1998-10-15 로버트 엘. 맥도날드 Control and hydraulic system for a liftcrane
KR100918272B1 (en) * 2008-09-18 2009-09-21 주식회사 이글루시큐리티 A security control system and method thereof using the identification of a specific person
KR20140035146A (en) * 2012-09-13 2014-03-21 (주)아크원소프트 Apparatus and method for information security
KR101501669B1 (en) * 2013-12-24 2015-03-12 한국인터넷진흥원 Behavior detection system for detecting abnormal behavior
KR20150053070A (en) * 2013-11-07 2015-05-15 유넷시스템주식회사 Unusual action decision system

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant